3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf

Analysis

max time kernel
166s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/10/2022, 23:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
Size

55KB
MD5

91bd4d1a62f8a1de6741cd4c870966b0
SHA1

93059d50b2a9dd9ca933f96d5b73a44cc00df2e5
SHA256

3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf
SHA512

5955ad72e96affe6264dc708a2814557f95c4c79435b5598cf70ce0d139c215111924ec6858a2aa410236f565b2228120a53507bdc2e72372a2df5ebd733533c
SSDEEP

768:oVqibuG53iD7IEsDOMnop8Lju5K4SN2XPkn9d85ou:oVqif5yvCD2fkn9kX

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 64 IoCs

flow	pid	Process
32	4884	WScript.exe
34	4884	WScript.exe
36	3656	WScript.exe
37	3656	WScript.exe
38	1784	WScript.exe
39	1784	WScript.exe
40	1700	WScript.exe
41	1700	WScript.exe
44	1020	WScript.exe
45	1020	WScript.exe
48	2548	WScript.exe
50	2548	WScript.exe
54	4136	WScript.exe
55	4136	WScript.exe
58	3420	WScript.exe
59	3420	WScript.exe
60	1876	WScript.exe
61	1876	WScript.exe
65	3928	WScript.exe
66	3928	WScript.exe
67	3736	WScript.exe
68	3736	WScript.exe
69	4272	WScript.exe
70	4272	WScript.exe
71	3652	WScript.exe
72	3652	WScript.exe
73	3288	WScript.exe
74	3288	WScript.exe
75	4156	WScript.exe
76	4156	WScript.exe
77	1516	WScript.exe
78	1516	WScript.exe
79	2476	WScript.exe
80	2476	WScript.exe
81	3096	WScript.exe
82	3096	WScript.exe
83	4608	WScript.exe
84	4608	WScript.exe
85	4980	WScript.exe
86	4980	WScript.exe
88	2516	WScript.exe
89	2516	WScript.exe
90	2016	WScript.exe
91	2016	WScript.exe
92	4656	WScript.exe
93	4656	WScript.exe
98	5036	WScript.exe
99	5036	WScript.exe
102	876	WScript.exe
103	876	WScript.exe
104	3752	WScript.exe
105	3752	WScript.exe
106	2860	WScript.exe
107	2860	WScript.exe
108	1448	WScript.exe
109	1448	WScript.exe
110	1976	WScript.exe
111	1976	WScript.exe
112	2176	WScript.exe
113	2176	WScript.exe
114	4964	WScript.exe
115	4964	WScript.exe
116	604	WScript.exe
117	604	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
3416	NFUe.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Min Config 116ZOJEPu.lnk	NFUe.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AB410C7B-503F-11ED-B696-DEF0885D2AEB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	NFUe.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
1880	PING.EXE
3580	PING.EXE
4920	PING.EXE
3396	PING.EXE
1244	PING.EXE
3528	PING.EXE
4892	PING.EXE
4136	PING.EXE
1080	PING.EXE
3548	PING.EXE
1620	PING.EXE
1424	PING.EXE
5056	PING.EXE
4464	PING.EXE
4176	PING.EXE
5068	PING.EXE
3116	PING.EXE
1868	PING.EXE
4692	PING.EXE
1244	PING.EXE
1500	PING.EXE
2512	PING.EXE
924	PING.EXE
3564	PING.EXE
800	PING.EXE
400	PING.EXE
1512	PING.EXE
3428	PING.EXE
4900	PING.EXE
1664	PING.EXE
404	PING.EXE
736	PING.EXE
2364	PING.EXE
3732	PING.EXE
3920	PING.EXE
1700	PING.EXE
4604	PING.EXE
2200	PING.EXE
5096	PING.EXE
4684	PING.EXE
4272	PING.EXE
1144	PING.EXE
1928	PING.EXE
4376	PING.EXE
4388	PING.EXE
4656	PING.EXE
5116	PING.EXE
3752	PING.EXE
4656	PING.EXE
1608	PING.EXE
1512	PING.EXE
1772	PING.EXE
700	PING.EXE
2236	PING.EXE
4580	PING.EXE
1104	PING.EXE
2288	PING.EXE
696	PING.EXE
3900	PING.EXE
1256	PING.EXE
4244	PING.EXE
2356	PING.EXE
5036	PING.EXE
600	PING.EXE

Script User-Agent 64 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	59	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	99	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	157	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	104	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	108	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	149	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	232	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	133	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	170	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	205	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	239	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	240	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	72	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	167	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	188	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	54	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	71	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	135	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	65	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	203	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	218	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	162	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	174	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	243	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	177	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	196	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	80	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	91	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	85	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	116	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	165	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	229	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	113	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	204	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	36	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	67	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	83	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	66	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	161	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	181	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	60	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	186	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	44	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	257	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	261	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	158	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	185	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	215	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	216	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	265	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	77	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	140	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	197	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	209	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	110	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	82	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	252	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	190	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	74	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	112	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	127	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	137	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	173	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	156	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe
3416	NFUe.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3416	NFUe.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
Token: SeDebugPrivilege	3416	NFUe.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
984	iexplore.exe
984	iexplore.exe
4176	IEXPLORE.EXE
4176	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 4352	1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe	84
PID 1380 wrote to memory of 4352	1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe	84
PID 4352 wrote to memory of 452	4352	vbc.exe	86
PID 4352 wrote to memory of 452	4352	vbc.exe	86
PID 1380 wrote to memory of 3416	1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe	87
PID 1380 wrote to memory of 3416	1380	3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe	87
PID 3416 wrote to memory of 3736	3416	NFUe.exe	88
PID 3416 wrote to memory of 3736	3416	NFUe.exe	88
PID 3736 wrote to memory of 5096	3736	WScript.exe	89
PID 3736 wrote to memory of 5096	3736	WScript.exe	89
PID 3416 wrote to memory of 984	3416	NFUe.exe	91
PID 3416 wrote to memory of 984	3416	NFUe.exe	91
PID 984 wrote to memory of 4176	984	iexplore.exe	92
PID 984 wrote to memory of 4176	984	iexplore.exe	92
PID 984 wrote to memory of 4176	984	iexplore.exe	92
PID 3416 wrote to memory of 4884	3416	NFUe.exe	93
PID 3416 wrote to memory of 4884	3416	NFUe.exe	93
PID 4884 wrote to memory of 836	4884	WScript.exe	94
PID 4884 wrote to memory of 836	4884	WScript.exe	94
PID 3416 wrote to memory of 3656	3416	NFUe.exe	96
PID 3416 wrote to memory of 3656	3416	NFUe.exe	96
PID 3656 wrote to memory of 3752	3656	WScript.exe	97
PID 3656 wrote to memory of 3752	3656	WScript.exe	97
PID 3416 wrote to memory of 1784	3416	NFUe.exe	100
PID 3416 wrote to memory of 1784	3416	NFUe.exe	100
PID 1784 wrote to memory of 1424	1784	WScript.exe	101
PID 1784 wrote to memory of 1424	1784	WScript.exe	101
PID 3416 wrote to memory of 1700	3416	NFUe.exe	103
PID 3416 wrote to memory of 1700	3416	NFUe.exe	103
PID 1700 wrote to memory of 1980	1700	WScript.exe	104
PID 1700 wrote to memory of 1980	1700	WScript.exe	104
PID 3416 wrote to memory of 1020	3416	NFUe.exe	106
PID 3416 wrote to memory of 1020	3416	NFUe.exe	106
PID 1020 wrote to memory of 1500	1020	WScript.exe	107
PID 1020 wrote to memory of 1500	1020	WScript.exe	107
PID 3416 wrote to memory of 2548	3416	NFUe.exe	109
PID 3416 wrote to memory of 2548	3416	NFUe.exe	109
PID 2548 wrote to memory of 1332	2548	WScript.exe	110
PID 2548 wrote to memory of 1332	2548	WScript.exe	110
PID 3416 wrote to memory of 4136	3416	NFUe.exe	112
PID 3416 wrote to memory of 4136	3416	NFUe.exe	112
PID 4136 wrote to memory of 4692	4136	WScript.exe	113
PID 4136 wrote to memory of 4692	4136	WScript.exe	113
PID 3416 wrote to memory of 3420	3416	NFUe.exe	115
PID 3416 wrote to memory of 3420	3416	NFUe.exe	115
PID 3420 wrote to memory of 3920	3420	WScript.exe	116
PID 3420 wrote to memory of 3920	3420	WScript.exe	116
PID 3416 wrote to memory of 1876	3416	NFUe.exe	118
PID 3416 wrote to memory of 1876	3416	NFUe.exe	118
PID 1876 wrote to memory of 1080	1876	WScript.exe	119
PID 1876 wrote to memory of 1080	1876	WScript.exe	119
PID 3416 wrote to memory of 3928	3416	NFUe.exe	121
PID 3416 wrote to memory of 3928	3416	NFUe.exe	121
PID 3928 wrote to memory of 4656	3928	WScript.exe	122
PID 3928 wrote to memory of 4656	3928	WScript.exe	122
PID 3416 wrote to memory of 3736	3416	NFUe.exe	124
PID 3416 wrote to memory of 3736	3416	NFUe.exe	124
PID 3736 wrote to memory of 5036	3736	WScript.exe	125
PID 3736 wrote to memory of 5036	3736	WScript.exe	125
PID 3416 wrote to memory of 4272	3416	NFUe.exe	127
PID 3416 wrote to memory of 4272	3416	NFUe.exe	127
PID 4272 wrote to memory of 2512	4272	WScript.exe	128
PID 4272 wrote to memory of 2512	4272	WScript.exe	128
PID 3416 wrote to memory of 3652	3416	NFUe.exe	130

C:\Users\Admin\AppData\Local\Temp\3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe
"C:\Users\Admin\AppData\Local\Temp\3c77f982dedf04499490e5e0fe1f761c92605577fc10006e9327cacb4a7029cf.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gd_f1ldr.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5091.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBA52EFBEDF2040A2BB4E7DEB4B4C23B0.TMP"
    3⤵
    PID:452
- C:\Users\Admin\AppData\Local\Temp\NFUe.exe
  "C:\Users\Admin\AppData\Local\Temp\NFUe.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_bف.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3736
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:5096
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://technoegy16.blogspot.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:984
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:984 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4176
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_يJяHF.vbs"
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:836
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_كщC.vbs"
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:3752
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_гبئzدد.vbs"
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:1424
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_фVf.vbs"
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:1980
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_еذPZ.vbs"
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:1500
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_yuo.vbs"
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:1332
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_иطمх.vbs"
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:4692
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_Iцпfخч.vbs"
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3420
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:3920
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_аظп.vbs"
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:1080
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_фjtزيB.vbs"
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:4656
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_vسиjR.vbs"
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3736
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:5036
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_шйjы.vbs"
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    PID:4272
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:2512
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_صHв.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:3652
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:696
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_kkhrh.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:3288
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:2288
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_Uجs.vbs"
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    PID:4156
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:5068
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_Nuеش.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:1516
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:1244
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_شiо.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:2476
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:1928
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_HеIр.vbs"
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    PID:3096
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:3528
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_fJmzاC.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:4608
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:404
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_sيв.vbs"
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    PID:4980
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:3920
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_lхиы.vbs"
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    PID:2516
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:1104
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_еصئqثй.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:2016
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:240
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_BaىfW.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:4656
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:600
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_لнWyаذ.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:5036
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:4892
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_دgйxد.vbs"
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    PID:876
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:4176
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_йщцisz.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:3752
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:4376
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_LVE.vbs"
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    PID:2860
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:1512
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_щLVؤк.vbs"
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    PID:1448
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:1868
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_غهп.vbs"
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    PID:1976
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:4388
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_цbмUзI.vbs"
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    PID:2176
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:736
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_NтFщ.vbs"
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    PID:4964
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:3756
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_Zىцk.vbs"
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    PID:604
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:536
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_cbذ.vbs"
    3⤵
    PID:3420
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:700
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_jتحгغ.vbs"
    3⤵
    PID:4552
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:1900
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_دвQا.vbs"
    3⤵
    - Checks computer location settings
    PID:4224
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:4280
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_мHkuav.vbs"
    3⤵
    - Checks computer location settings
    PID:3344
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:4176
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_Sшщqn.vbs"
    3⤵
    PID:3452
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:3628
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_щiр.vbs"
    3⤵
    - Checks computer location settings
    PID:2288
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:1700
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_Yуن.vbs"
    3⤵
    - Checks computer location settings
    PID:2244
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:3548
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_tрN.vbs"
    3⤵
    PID:4576
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:4736
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_هتс.vbs"
    3⤵
    - Checks computer location settings
    PID:1564
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:1704
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_lUمKlظ.vbs"
    3⤵
    PID:736
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:2216
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_hjظ.vbs"
    3⤵
    PID:688
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:4684
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_gвل.vbs"
    3⤵
    - Checks computer location settings
    PID:4256
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:3900
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_vئCo.vbs"
    3⤵
    - Checks computer location settings
    PID:4152
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:5056
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_ubаطы.vbs"
    3⤵
    PID:1144
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:1216
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_زgDل.vbs"
    3⤵
    - Checks computer location settings
    PID:2032
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:968
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_عTfrظR.vbs"
    3⤵
    - Checks computer location settings
    PID:3216
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:4204
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_ثйrк.vbs"
    3⤵
    PID:400
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:5100
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_نха.vbs"
    3⤵
    - Checks computer location settings
    PID:3064
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:1256
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_gъزщEM.vbs"
    3⤵
    - Checks computer location settings
    PID:3600
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:3564
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_فелH.vbs"
    3⤵
    - Checks computer location settings
    PID:4044
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:4648
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_чsqق.vbs"
    3⤵
    PID:3464
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:800
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_ئRrغJ.vbs"
    3⤵
    - Checks computer location settings
    PID:2628
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:2216
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_zORrw.vbs"
    3⤵
    PID:864
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:2044
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_خcфыс.vbs"
    3⤵
    - Checks computer location settings
    PID:4964
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:2308
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_بрض.vbs"
    3⤵
    - Checks computer location settings
    PID:452
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:4136
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_ءsXлX.vbs"
    3⤵
    PID:4292
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:4256
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_zсвхد.vbs"
    3⤵
    - Checks computer location settings
    PID:836
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:3428
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_гهuR.vbs"
    3⤵
    PID:4204
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:1880
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_мkсزدx.vbs"
    3⤵
    PID:3452
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:3380
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_EKO.vbs"
    3⤵
    - Checks computer location settings
    PID:2368
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:1512
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_gjzDY.vbs"
    3⤵
    PID:4092
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:3048
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_кكVWحا.vbs"
    3⤵
    - Checks computer location settings
    PID:3120
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:2364
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_Dxقп.vbs"
    3⤵
    - Checks computer location settings
    PID:4644
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:4156
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_yطDn.vbs"
    3⤵
    - Checks computer location settings
    PID:1692
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:1772
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_xئпPفع.vbs"
    3⤵
    - Checks computer location settings
    PID:4584
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:1608
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_lпسQцф.vbs"
    3⤵
    - Checks computer location settings
    PID:1104
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:4464
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_лаئmqi.vbs"
    3⤵
    PID:3908
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:5116
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_вدщпع.vbs"
    3⤵
    - Checks computer location settings
    PID:1440
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:1144
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_zOطaф.vbs"
    3⤵
    PID:4620
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:3396
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_DخтeгB.vbs"
    3⤵
    - Checks computer location settings
    PID:2336
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:924
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_шoMY.vbs"
    3⤵
    PID:1508
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:4272
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_hоرеr.vbs"
    3⤵
    - Checks computer location settings
    PID:3628
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:4604
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_ئFdجر.vbs"
    3⤵
    PID:4968
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:1244
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_ظeغR.vbs"
    3⤵
    PID:1688
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:3424
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_ikh.vbs"
    3⤵
    - Checks computer location settings
    PID:3472
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:2236
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_dGгنىз.vbs"
    3⤵
    - Checks computer location settings
    PID:3152
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:3580
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_وтGZ.vbs"
    3⤵
    PID:4060
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:1280
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_rلмOгj.vbs"
    3⤵
    - Checks computer location settings
    PID:2296
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:4920
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_قظв.vbs"
    3⤵
    - Checks computer location settings
    PID:4508
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:4244
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_فحй.vbs"
    3⤵
    - Checks computer location settings
    PID:3100
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:1620
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_KقWوt.vbs"
    3⤵
    - Checks computer location settings
    PID:5028
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:4784
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_gтi.vbs"
    3⤵
    - Checks computer location settings
    PID:1900
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:1144
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_kWшD.vbs"
    3⤵
    - Checks computer location settings
    PID:3976
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:3116
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_еzbхز.vbs"
    3⤵
    - Checks computer location settings
    PID:2380
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:3732
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_ظمش.vbs"
    3⤵
    PID:4128
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:2200
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_mبوضI.vbs"
    3⤵
    - Checks computer location settings
    PID:1816
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:4900
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_ريф.vbs"
    3⤵
    - Checks computer location settings
    PID:1700
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:1868
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_جفB.vbs"
    3⤵
    - Checks computer location settings
    PID:1008
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:4736
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_FفhEك.vbs"
    3⤵
    PID:2368
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:1664
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_PнثةLج.vbs"
    3⤵
    PID:1248
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:2288
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_LGкؤгя.vbs"
    3⤵
    PID:2220
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:2280
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_ثصхе.vbs"
    3⤵
    - Checks computer location settings
    PID:4608
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:4580
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_ىvUтW.vbs"
    3⤵
    - Checks computer location settings
    PID:4660
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:3856
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_OيYf.vbs"
    3⤵
    - Checks computer location settings
    PID:2308
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:1984
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_уSشSn.vbs"
    3⤵
    - Checks computer location settings
    PID:1524
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:5116
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_دZy.vbs"
    3⤵
    - Checks computer location settings
    PID:4544
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:4280
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_Eрр.vbs"
    3⤵
    - Checks computer location settings
    PID:2372
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:2976
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_nгلdтS.vbs"
    3⤵
    PID:596
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:4656
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_Rлئي.vbs"
    3⤵
    PID:1880
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:2708
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_яlgIсч.vbs"
    3⤵
    PID:3204
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:400
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_DZJ.vbs"
    3⤵
    - Checks computer location settings
    PID:4132
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      Runs ping.exe
      PID:2356
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_аئгpS.vbs"
    3⤵
    - Checks computer location settings
    PID:872
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:3424
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_рhضf.vbs"
    3⤵
    - Checks computer location settings
    PID:4492
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:4332
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_ةطRgCq.vbs"
    3⤵
    PID:1168
  - - C:\Windows\System32\PING.EXE
      "C:\Windows\System32\PING.EXE" -n 1 www.google.com
      4⤵
      PID:1020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NFUe.exe

Filesize
55KB

MD5
9103a211cd2e04b62bb4479e9dc0ad88

SHA1
cf651f21e55af48b92cd3653ffc059697afb6195

SHA256
730280483a8cc97619a210659f84c7dd65139652a98d311a9f61ccd0748c4b24

SHA512
8399680480701659de4184e52b5afe8cc460d8d18ef623e73bd732982bb8086397d2eb5252e2f66caf8ddd581b25255aa2af6dddb7e6ed90d110f85aa7618c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\NFUe.exe

Filesize
55KB

MD5
9103a211cd2e04b62bb4479e9dc0ad88

SHA1
cf651f21e55af48b92cd3653ffc059697afb6195

SHA256
730280483a8cc97619a210659f84c7dd65139652a98d311a9f61ccd0748c4b24

SHA512
8399680480701659de4184e52b5afe8cc460d8d18ef623e73bd732982bb8086397d2eb5252e2f66caf8ddd581b25255aa2af6dddb7e6ed90d110f85aa7618c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5091.tmp

Filesize
1KB

MD5
8910581bc90a7a2a3396aa921062266a

SHA1
14580f5cce2983bb51610ce458dd4e4e1bda8844

SHA256
d61d6e269235794119930df704b3b722d8cf46071f2acd6131509e1e27d6628d

SHA512
d3d9ea9971008ebd01d88abff1300477ba27e6720ac83be61ee4af8eb1af1a93e4c67af72b6c91e5a4d25225a56fe0e627ffeba7c859dc95da398ffe9fb45558

Download Submit
C:\Users\Admin\AppData\Local\Temp\gd_f1ldr.0.vb

Filesize
507B

MD5
1f0c4c83d325c072fecb31a123da36ba

SHA1
7c5f343f188a9791c8c48f62ba36c784cda28733

SHA256
9880dbb8bda6077e07a1a63cac60c940b1b439858a77b26d4f5ea13ffca3a259

SHA512
b9c6bad591e42e40dda4ba2e55038c1d268c0f10aea727be404227381c1fbcc95730127cb416d12c943eed525e06e5a6995f03538d8fe4b6a79127cf240a1818

Download Submit
C:\Users\Admin\AppData\Local\Temp\gd_f1ldr.cmdline

Filesize
199B

MD5
d49db709426cdd077e72ef4f9918a636

SHA1
c1f68577e3c62d483181eac67c8d1eee21ddae73

SHA256
ea095cb31064a77a3f649e839e786409732e910a386ccff1782ea2c7bfa791d8

SHA512
f6b8345e673b328f8fc92bf2d3f9674f8c16aefb8efd401bbb562fb5c39333f3fc884314eabebc9287e1fdb2f54c7058084675661b2c30fc939d9192c2c19212

Download Submit
C:\Users\Admin\AppData\Local\Temp\hzks.exe

Filesize
6KB

MD5
2d1d9f1d33f6b2e81e8dd89796b8c74c

SHA1
d0449d022c2f837b1a621d187e701f9d53912271

SHA256
11a49aff7d809da28eb8b3c7207cd90e76d42c0bd9ff96e9601cb8309bf1a0d4

SHA512
1ff19d579d2ec07a09f9257e579c1e867e375b4c68fd81cde8833d4f9954bdc6910c8b6b7d4747039bcc154bd030c436bb31d0b0ddcc5e3df3f935413e2d8eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_BaىfW.vbs

Filesize
1KB

MD5
276c27e339a28f1c259cb5be7569141e

SHA1
f9d60b92140f8a4085d88dafb65c557abe205ae6

SHA256
d544611f4c5f87d4a6312e8df5dd7e6959f7e5cca881c6b4afe7f683a9fc023e

SHA512
70b1e92d0fd2cbc9b864c727efc142f4ad1c189639cc209644ec825f373ec43443f6a318492984f668acb90c00e611306537d7221637cb29a593778be60ef1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_HеIр.vbs

Filesize
1KB

MD5
5a578309e29538f86b00941cabe6e5e9

SHA1
c7e66574b83c50b584ba09dd26af3895ee7dcc9b

SHA256
41053718455ec156e780fa51ccd27c315d61ce0e8e5641ab3e37dd189f1aecf2

SHA512
c6d8ec6e001ddf850f53f91ad323aeaa89291914c36ba59db305b5012e3d96f8c036a86d773d0d89eeff88dc6c5bbc20f012b93c4c1de3a08d681835febc8f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_Iцпfخч.vbs

Filesize
1KB

MD5
532fa5180c2443f50a1453637c7e1bb4

SHA1
867d5c3f63f14ab263e0f7d8d3e1768dda5b5438

SHA256
4161a9a000ea11cf658124dd56561e729d6284be6222ecaf2789a7b2f69266c9

SHA512
9ed35e71429f7df2ccc897101cebc11a3ced2ce7f3cdf9a4449bec92f94cfa26641ebf093b646bcd7b2312e5ae4b6437423c8f96fffd5bc022ecab822ace53e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_LVE.vbs

Filesize
1KB

MD5
99fc1fbcfcc3dca84107745228d6c868

SHA1
a1dc904987419bdb5c2d942e1e9d8a5542728d58

SHA256
bbe75505dce7cb52848dd0f116dbbfc964bccd114714d902389cc88669065c06

SHA512
086e6f4cbf569eecd3f40961daa8c4790026739114019f9ba376e36cec1b883a37308ca20b5ad0aa548585192fa4fcec88f95ee09a220fca5aafa3c1aaf3b98c

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_Nuеش.vbs

Filesize
1KB

MD5
a572e857d9d92d09f07898f6ba06cf37

SHA1
86f56fcba86d89a45fde901686265a8ecb73b3c9

SHA256
0c10d748c714c5c7f7c3a1a6c9e245027ec3e1910d28e2bc2cfca814081f8eb5

SHA512
b5882bb813ee507d8010df1a98a4b7bb7bc95614060e00c45d10b35ea17cadf11f32a526e8d4f85764b1c900dc9f6f3c128c4f725f65ff48e63ad4e1a83d29d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_Uجs.vbs

Filesize
1KB

MD5
2d5199839d1a941e1546d46caaf65cca

SHA1
df61b5c172c3b6236161e7a27f5817ff62a2411c

SHA256
4c8a89c7a1baffd1659717003e357cc84721bf8482fd64ef76e0c5e75a35bbcb

SHA512
e137e8e855b30ead75d3b1c21b7711170608c5693dd148853ff9a6d8e197b362e908274952f950eab6ce9bcd7a66dd2d655d2343b7a7b2a333c4232445abef6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_bف.vbs

Filesize
405B

MD5
0a7e8bfadc697b20c92eed2488fda2ff

SHA1
04160d70a9412c00dbf772b1edf885e38fb37474

SHA256
97f489f50fa0360b4c5341a76353efaca0c4fe40daf1ca5457bd24493e8491dd

SHA512
c8d336c8d9e694f34c47af09e36a158e2e38b2846ae9ea84a9518e86c42ec20f9aaaa5816a11b2fbc6249eeb65db11bacec79c206cf6581bdcaa13dd53cee2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_fJmzاC.vbs

Filesize
1KB

MD5
001be65182e9d9281c4adf725581b5e1

SHA1
fec2154abe04c90a00bf4d4b8e8a867bf40f6839

SHA256
36bdb5d4ede0336d3fb074855804c2e0b03041069ebb68ddf4eb3bf3f11b97e1

SHA512
b531da54f715a7dcf7088b03f0560fe0359f1d7fdf755b2e04ee42bb87e18e125113fbc70eead9cbd65ff4aabab449b4f3705d855fafcc2e62a96fc50f182e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_kkhrh.vbs

Filesize
1KB

MD5
440cbf6f63d42e12ed6e5a733c0078fb

SHA1
da7076831fb7c4d9738c7aa20353c4a770d4b4a8

SHA256
64a27036c1d915519f13b8b9e84dfcc8ff4ec9d44ba6cef49bdbea814e3b735d

SHA512
0ae915080556ae66e562f9d7d74154256d7cd8504e4507db97a5032d5084b8d6bd4b07a4fcb8dabe2f2e0ca9aa72b238bfaa105a710b36f311fd6ebf3b87f00b

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_lхиы.vbs

Filesize
1KB

MD5
d468ab811952ab87dd20a52b5c48f98a

SHA1
d5c2f46803a045b1c450a48bd3e7bd3058f614aa

SHA256
83f843ab537e5e554a7e158d6fce56dcf8679073fdb42a4a4d28c063b61afb2a

SHA512
46a84c34d204e341b8f09baae81771c32cd040cab407f3ae807707b0baeb19ce7425eac682e7ae512c14354c4f6465a5e0af015987ebbfb1920653a2938b3a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_sيв.vbs

Filesize
1KB

MD5
b2e4396d1e5a2337b37c462c8f9bfadb

SHA1
162b2bc5507bff56b6a042722fc9df1375d042c1

SHA256
7982e81681c5a95125412055cf07aa16440139576992a192e8370bfc5252e952

SHA512
49ccbc1cf83f10f315ffec43bc7a76a2e4d200d54c44bbcf3d12ff9f4d71471c46cd72d86a13e081349a9d47bcdb0cbf64307e83da24cfa05ef431d3f3896758

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_vسиjR.vbs

Filesize
1KB

MD5
f7784866947c58abfe22b0b90a736d3a

SHA1
48df2cd499587a5dc5f93aba3c8a59dcd071f926

SHA256
ce41e83b282ff18e20f2e418583fea808624119ccbeaf433b41407d578b3910f

SHA512
bd442dfcaa5d58d9680be05f3d5246677b858d0fab482662a4d3494e96015602a26bc239334326e3c7229e07a4d2f1d88ca7351b5aa8947d9a08f5a95f90d018

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_yuo.vbs

Filesize
1KB

MD5
c31d92ee59fb0e50793044480b7868ce

SHA1
34a49ac370429fb42b8448ad19853b28c61e89e9

SHA256
b1e5c436ea9aaeb2aab502ebc2869098f92d81760dffd4cce1352e7e2145e9f8

SHA512
6da0ae3e941fdc09e61b562144eec2da684f758fc5ae3f77407676933d6e437db5467e7a86d23a3ebd62b0418d4f88adcbab5552c2f2cefe9784f941dac047bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_аظп.vbs

Filesize
1KB

MD5
3d1a0d145699926df4aca772b24e6509

SHA1
bd2954ac48098ecc1d022a3e97f2c4d0ac6f6d7c

SHA256
5db02d62db5fd88015b4923901dbb2b89e04f21439119dfab503ae70cd0bdc97

SHA512
56821d6d9083da4497c2c6c605ab3322eb91fa6a549e356091f339cc45cdfc8846b0f7a4d9b964acd8f8923c2632583c6a34cb6f011852448963b3ea40e0abe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_гبئzدد.vbs

Filesize
1KB

MD5
a9d1dc780d1d8a50ad5bdd3abbc357c3

SHA1
2dd3ee5062b2a097f662c896f4be436876db872f

SHA256
22e0cd49b9b9bf37003f53cae552baf045da2d136550997214762313e5fb188a

SHA512
624f399629dad7eea97af048d89f88e5d71fba4f4ca22bd6ac08c7ff7e5b3addce4ae9d42ef925e9a9b4e80adf289f224a03e2f7c738c1bd9691071c5d98d874

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_еذPZ.vbs

Filesize
1KB

MD5
fda2846a8d0d256bbe6c8391c34b0a24

SHA1
812f7866938db7b02e9b49eb3d33db0f9f3283d4

SHA256
92274ac78516d545b422218bf3e7a9b53ffbafaf3164a404a77299234487322d

SHA512
b86fdc3d561a43f20fd06155a4e8cc3cdaa52c9b74a48a337683eb490a066b9169e897c3b4c5a90e5b69fdcef9ef19cfc6a0be00c2ff3a3d4fdaf174842f0934

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_еصئqثй.vbs

Filesize
1KB

MD5
74a2844d31311d206df8e157a71e0e02

SHA1
d02dadc9a4a7fb8ec84b38d687123413270e50fd

SHA256
b36a1dd17e9a99660222dcf7bd95cacd120f53cb1168127eb5b8a4faff7fd443

SHA512
3434f127987d0a5addf4265aafb152670b6122cb590cb52636a5620047a8500a7fe8634f89bbe1d206a61d6474fb9fd280f2a5e8c7a7db14f8bf0b5154572185

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_иطمх.vbs

Filesize
1KB

MD5
78d895ee56321965c339f49ba3896a41

SHA1
2f6e6036ef9c967360a1c7b1a52d57b732a1db45

SHA256
1aee7359c7bf9763a2ed531424436b533c7817aa265bd11c07fb2de622e86cae

SHA512
7507901a846802fa7810f572c583430a7074697c78ba5230b253eff0ea4068cc18ad45699c94c96dc7ceb8c6b5f57a59247668ca93dbf2fe4ad9c4354118d2e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_йщцisz.vbs

Filesize
1KB

MD5
6578791324fe59787d8ac7021870f3f2

SHA1
8b4542f122b396528b246689d8874318fb1d7743

SHA256
b5194ed2135399da376d26712b8d93cf973394f477bb83c9a005b944445f8ef6

SHA512
27faea8a9ee149237f8c7ea67379fe731d23f6e6288c4578221f01b1f8380538ade61d1e3b871190892a374ed9cd5eb2b1deb3e2c6cb1096563f63e9770bc475

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_фVf.vbs

Filesize
1KB

MD5
d52ce761e6ea96fa0a445582a9150d8b

SHA1
9aa8d8d8e1cbee2d57df0f7e6e8b9b0620410a37

SHA256
52543b031374742ad40ddea05b797c240fa061c19c22a53dacc5d0602bbfb738

SHA512
e18e8e677c16fbb34c2f104695cf1ff4bdfef7d9428913f9c6594709d69d7426c7e8b66e2fb59ab2202c042a021b3d412c1396c853086fd394c81047ae3afacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_фjtزيB.vbs

Filesize
1KB

MD5
e54c48cfa1d9679fc4ce2ae15b234256

SHA1
5b30b1aadd46a6aeea673192eb04494d935dc83c

SHA256
1571fbd52b9c8d19c2d792a410119bd3c3d87a28ab8b42eed07568b95956bfa7

SHA512
d07a3a6643250c8f6df6d1915268641a543fbcbd0154f562cf9e0fca72bab05f541c677f1707c16d67f607a618f78b86ca9a3124d1ec48556e67571d05e87207

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_шйjы.vbs

Filesize
1KB

MD5
1d2f4058bf16bfd58142629fb752b973

SHA1
7c27b8e5d02b5e6742630eae02060e57baef1903

SHA256
e2e8c11e5b18ae0712ad4dbb0ebbaeaad32351b5a5a3173b57c28124cbca6d61

SHA512
623c8bb4666ba22d69438725d59e25e75e1f31f4abc0000bd28e901a7e633be96106a69ff9ee4a07578e1bb755cfe5fcd907a960de66d55546c627015139852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_щLVؤк.vbs

Filesize
1KB

MD5
5e7e54e9c2fbda75b7572ef31f9a6252

SHA1
60474dfcf8cfde336666052866f702035d08fc3a

SHA256
adbdbf79f3cdb4b9f43e8aabe27f8923fdfb6ef00210babeb1bea352883ac46b

SHA512
10457b73e7b9c02b1637ba99b827b4edd2e8cd89087a14290ef5c42fb872664ddad1e4dc8e6cf390b30e23c6b162e4b30ae2bc462f2e8c59e89877867e903dd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_دgйxد.vbs

Filesize
1KB

MD5
807cb92d0aaec73b63f961845e3077b0

SHA1
ef1022778a9428b835ac9dc27e45a94d185c8c27

SHA256
d2b860b083d893c20fd24c7b2ca0fdd901855f2319bfbb23c89fbbf9836549c7

SHA512
b0dc3641a0398c0b985cee17f20e5fe35388a48e9a8623e0234fbb9615b0267bdf1508b5fbf7064ee04df4141816090aeb0e6050eb7606b793c00bdd2806d029

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_شiо.vbs

Filesize
1KB

MD5
7617aa5ed9c00dd7d148c7a87151b539

SHA1
621caa7b23f12620271cc8d9cea018c7348f3af0

SHA256
8a3593756cf937511e91f8f581e295c479a5a01b0c295000bf6298b2111a8a99

SHA512
8f4429c42d0441eed817b168f2c0c28fe58f837ee60bd29fd361976ce0b7098677081fe7f3ee68a905782905d05cada2c5e3e815d0d88712200f343db04418a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_صHв.vbs

Filesize
1KB

MD5
3193573b738417f50e5f503f93b96484

SHA1
1f22980f005b85253cb0d23eebe6b63dfbf4a862

SHA256
d8b0109d67f6a01ffedcbc1b137650fc21b51a16c56bd3354f9cf0e0a4aa9a61

SHA512
61f973465da6c4de6d65212579d9335c7aa19dadffd398faaccb9e18eecf5316a424f4710238ef2780a27bfa97d3a2dda05d9651b79b88fa80d041c43810cc0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_كщC.vbs

Filesize
1KB

MD5
68f71ec2898a0bb8085d4f622b116fd5

SHA1
22458fd1f65a2dfc9432cf6e8bcd8dab333bc9b0

SHA256
62101be62b7961d04ecf6926821e6ed6b6ec21a14e053b9821a11a034a5ca99d

SHA512
458553192c8c2f0069509fabe5ac2dc057869f5955d54e41f25d15ed703344e14200fe6213278563a69c493f6fdcf79aaa3e546a110bc91359c72b031c48878f

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_لнWyаذ.vbs

Filesize
1KB

MD5
dd072567044f2a5d22227c76039d3210

SHA1
81d7993d5330e077326f615ffa5a17f61616c925

SHA256
7e2b723969223b1e985c0d95010175fa16729ba56e01830f9806b86e2c96abb6

SHA512
458d7b16cc92058dc75b73db6fa63e1e75b82e12613b3c42e0a85088a5cbc266445fa43e8a16214c5dbbc3ab0e26a194dd1af952c57e8a99839190a6b43fe2bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_يJяHF.vbs

Filesize
1KB

MD5
0ffd71ec71f9e732cd48a5c68920072d

SHA1
808f160b60cddc7deeddf7cdf5eb726eaeff42fe

SHA256
ff4fa04fd248482b2c687289865803604f20831d672f7a6ba77a5cbd9930d468

SHA512
74f870b09897fce37376fe9c5d8e86ab030c02966c09dca1674397002cf107142f84d226bd1c592a10b0d7552ca9fbd2c16ae123a391c05e01d44a0d0bf1aa75

Download Submit
C:\Users\Admin\AppData\Local\Temp\tik_BhciLbmuW.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tik_DEhBr.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tik_DXehiyI.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tik_DhZNbmp.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tik_HYqTtFfRT.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tik_HzBpqujz.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tik_JWIqB.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tik_JYgtzY.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tik_PqtZQB.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tik_RhxkC.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tik_TvtFPh.txt

Filesize
4B

MD5
d3accd33402becc720abebee93ebe193

SHA1
7362b81a747f7e757e03d0c4d2e20822d7f52bf5

SHA256
9f2a59a60e65fbcd5a3e1b7248adf92890ce3a32b19e43fb4751c2657196de13

SHA512
4becf1bca4f0375aa0262b27fd05d35c8868d0d79b2ead2d815eb3caff11a913516e7b9461094d9a0b61b33d6995c3947681222f35e93322862d2675bbab1a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\tik_WxqDNbBr.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tik_XYRWpcv.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tik_YCMiIaX.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tik_aTTMDa.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tik_ealEO.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tik_exVwj.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tik_hDlvvitn.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tik_hSwncd.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tik_jvpwGBYV.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tik_mcoUBWPjz.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tik_tXCHKGg.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tik_thdMEUhM.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tik_ugRaMkIIL.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tik_vXpYvGE.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tik_vlhHRbb.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tik_ytMKkfd.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tik_ziXbtOFPf.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBA52EFBEDF2040A2BB4E7DEB4B4C23B0.TMP

Filesize
812B

MD5
b6b4517d5e2a813be285ce045d5c319b

SHA1
1c8d4ed7ef38b48415e730439a58a5dfbcd357dc

SHA256
0e8d2ab64ce38c337fafee77e288a26534307e889df71e20476a117375091b93

SHA512
2b4c2fe2652b2614d3ea1c6642cff9a6f4e06d2b764ca869a0ef2a8ddd3e91c641fa158536cba73760298898dc790528e0a69f16a235e3c6c334a3ffca37c538

Download Submit
memory/1380-133-0x00007FFD3B630000-0x00007FFD3C066000-memory.dmp

Filesize
10.2MB

Download
memory/3416-144-0x00007FFD3B630000-0x00007FFD3C066000-memory.dmp

Filesize
10.2MB

Download