06aa393ec4cef895ebbf9923200f9f5d71df6ae27f091004c89176a92825014f

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
Size

1.8MB
MD5

737a01de80632b31c202d99dc292888a
SHA1

5605e5c949c9e7565d1b6df783dfa1a990ce9b8a
SHA256

06aa393ec4cef895ebbf9923200f9f5d71df6ae27f091004c89176a92825014f
SHA512

4aa29c369c6462337ed713c00fdff66cc4dcf5e7ba4a5ba1097f1a5bf0ace6d94b4128a3db7824cde511b81b9193243447de261504dee6c1b860e4d8aaf29c60
SSDEEP

24576:0rMMUKDlavjUEQElhcjUuS+kQ0LaSA8o19MNMeE5GKSL1hCGjOFCYzfCADRXriJe:0rMMLlavoRkQb8CuMebPbNYR2iuK/

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 8 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0009000000023400-31.dat	acprotect
behavioral2/memory/4912-114-0x00000000021B0000-0x00000000021BA000-memory.dmp	acprotect
behavioral2/memory/4912-106-0x00000000021B0000-0x00000000021BA000-memory.dmp	acprotect
behavioral2/memory/4912-105-0x00000000021B0000-0x00000000021BA000-memory.dmp	acprotect
behavioral2/memory/4912-75-0x00000000021B0000-0x00000000021BA000-memory.dmp	acprotect
behavioral2/memory/4912-187-0x00000000021B0000-0x00000000021BA000-memory.dmp	acprotect
behavioral2/memory/4912-191-0x00000000021B0000-0x00000000021BA000-memory.dmp	acprotect
behavioral2/memory/4912-193-0x00000000021B0000-0x00000000021BA000-memory.dmp	acprotect

Executes dropped EXE 64 IoCs

pid	Process
3388	RtHelp.exe
1624	RtHelp.exe
3304	Runner.exe
4244	Runner.exe
4672	Runner.exe
4264	Runner.exe
4336	Runner.exe
3508	Runner.exe
3780	Runner.exe
4820	Runner.exe
2548	Runner.exe
5040	Runner.exe
1732	Runner.exe
4760	Runner.exe
372	Runner.exe
4676	Runner.exe
4068	Runner.exe
2256	Runner.exe
336	Runner.exe
1224	Runner.exe
2964	Runner.exe
4248	Runner.exe
2752	Runner.exe
908	Runner.exe
1444	Runner.exe
2012	Runner.exe
1876	Runner.exe
3052	Runner.exe
4924	Runner.exe
232	Runner.exe
1976	Runner.exe
4700	Runner.exe
936	Runner.exe
1340	Runner.exe
2844	Runner.exe
448	Runner.exe
4608	Runner.exe
4896	Runner.exe
4244	Runner.exe
2420	Runner.exe
3656	Runner.exe
1224	Runner.exe
2964	Runner.exe
4248	Runner.exe
2692	Runner.exe
1612	Runner.exe
3024	Runner.exe
2676	Runner.exe
5032	Runner.exe
1152	Runner.exe
1880	Runner.exe
396	Runner.exe
2108	Runner.exe
2780	Runner.exe
1448	Runner.exe
984	Runner.exe
4144	Runner.exe
4536	Runner.exe
1744	Runner.exe
5000	Runner.exe
5092	Runner.exe
4244	Runner.exe
216	Runner.exe
3656	Runner.exe

Loads dropped DLL 64 IoCs

pid	Process
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
3388	RtHelp.exe
3388	RtHelp.exe
3388	RtHelp.exe
3388	RtHelp.exe
3388	RtHelp.exe
3388	RtHelp.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
1624	RtHelp.exe
1624	RtHelp.exe
1624	RtHelp.exe
1624	RtHelp.exe
1624	RtHelp.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
3304	Runner.exe
3304	Runner.exe
3304	Runner.exe
3304	Runner.exe
3304	Runner.exe
3304	Runner.exe
4244	Runner.exe
4244	Runner.exe
4244	Runner.exe
4244	Runner.exe
4244	Runner.exe
4672	Runner.exe
4672	Runner.exe
4672	Runner.exe
4672	Runner.exe
4672	Runner.exe
4264	Runner.exe
4264	Runner.exe
4264	Runner.exe
4264	Runner.exe
4264	Runner.exe
4336	Runner.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000023400-31.dat	upx
behavioral2/memory/4912-114-0x00000000021B0000-0x00000000021BA000-memory.dmp	upx
behavioral2/memory/4912-106-0x00000000021B0000-0x00000000021BA000-memory.dmp	upx
behavioral2/memory/4912-105-0x00000000021B0000-0x00000000021BA000-memory.dmp	upx
behavioral2/memory/4912-75-0x00000000021B0000-0x00000000021BA000-memory.dmp	upx
behavioral2/memory/4912-187-0x00000000021B0000-0x00000000021BA000-memory.dmp	upx
behavioral2/memory/4912-191-0x00000000021B0000-0x00000000021BA000-memory.dmp	upx
behavioral2/memory/4912-193-0x00000000021B0000-0x00000000021BA000-memory.dmp	upx

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	RtHelp.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	RtHelp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4544	4912	WerFault.exe	81
4508	4912	WerFault.exe	81
908	2580	WerFault.exe	201

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 3388	4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe	82
PID 4912 wrote to memory of 3388	4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe	82
PID 4912 wrote to memory of 3388	4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe	82
PID 4912 wrote to memory of 1624	4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe	83
PID 4912 wrote to memory of 1624	4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe	83
PID 4912 wrote to memory of 1624	4912	737a01de80632b31c202d99dc292888a_JaffaCakes118.exe	83
PID 3304 wrote to memory of 4244	3304	Runner.exe	92
PID 3304 wrote to memory of 4244	3304	Runner.exe	92
PID 3304 wrote to memory of 4244	3304	Runner.exe	92
PID 3304 wrote to memory of 4672	3304	Runner.exe	94
PID 3304 wrote to memory of 4672	3304	Runner.exe	94
PID 3304 wrote to memory of 4672	3304	Runner.exe	94
PID 3304 wrote to memory of 4264	3304	Runner.exe	99
PID 3304 wrote to memory of 4264	3304	Runner.exe	99
PID 3304 wrote to memory of 4264	3304	Runner.exe	99
PID 3304 wrote to memory of 4336	3304	Runner.exe	100
PID 3304 wrote to memory of 4336	3304	Runner.exe	100
PID 3304 wrote to memory of 4336	3304	Runner.exe	100
PID 3304 wrote to memory of 3508	3304	Runner.exe	101
PID 3304 wrote to memory of 3508	3304	Runner.exe	101
PID 3304 wrote to memory of 3508	3304	Runner.exe	101
PID 3304 wrote to memory of 3780	3304	Runner.exe	103
PID 3304 wrote to memory of 3780	3304	Runner.exe	103
PID 3304 wrote to memory of 3780	3304	Runner.exe	103
PID 3304 wrote to memory of 4820	3304	Runner.exe	107
PID 3304 wrote to memory of 4820	3304	Runner.exe	107
PID 3304 wrote to memory of 4820	3304	Runner.exe	107
PID 3304 wrote to memory of 2548	3304	Runner.exe	110
PID 3304 wrote to memory of 2548	3304	Runner.exe	110
PID 3304 wrote to memory of 2548	3304	Runner.exe	110
PID 3304 wrote to memory of 5040	3304	Runner.exe	111
PID 3304 wrote to memory of 5040	3304	Runner.exe	111
PID 3304 wrote to memory of 5040	3304	Runner.exe	111
PID 3304 wrote to memory of 1732	3304	Runner.exe	112
PID 3304 wrote to memory of 1732	3304	Runner.exe	112
PID 3304 wrote to memory of 1732	3304	Runner.exe	112
PID 3304 wrote to memory of 4760	3304	Runner.exe	113
PID 3304 wrote to memory of 4760	3304	Runner.exe	113
PID 3304 wrote to memory of 4760	3304	Runner.exe	113
PID 3304 wrote to memory of 372	3304	Runner.exe	114
PID 3304 wrote to memory of 372	3304	Runner.exe	114
PID 3304 wrote to memory of 372	3304	Runner.exe	114
PID 3304 wrote to memory of 4676	3304	Runner.exe	115
PID 3304 wrote to memory of 4676	3304	Runner.exe	115
PID 3304 wrote to memory of 4676	3304	Runner.exe	115
PID 3304 wrote to memory of 4068	3304	Runner.exe	116
PID 3304 wrote to memory of 4068	3304	Runner.exe	116
PID 3304 wrote to memory of 4068	3304	Runner.exe	116
PID 3304 wrote to memory of 2256	3304	Runner.exe	117
PID 3304 wrote to memory of 2256	3304	Runner.exe	117
PID 3304 wrote to memory of 2256	3304	Runner.exe	117
PID 3304 wrote to memory of 336	3304	Runner.exe	118
PID 3304 wrote to memory of 336	3304	Runner.exe	118
PID 3304 wrote to memory of 336	3304	Runner.exe	118
PID 3304 wrote to memory of 1224	3304	Runner.exe	119
PID 3304 wrote to memory of 1224	3304	Runner.exe	119
PID 3304 wrote to memory of 1224	3304	Runner.exe	119
PID 3304 wrote to memory of 2964	3304	Runner.exe	120
PID 3304 wrote to memory of 2964	3304	Runner.exe	120
PID 3304 wrote to memory of 2964	3304	Runner.exe	120
PID 3304 wrote to memory of 4248	3304	Runner.exe	121
PID 3304 wrote to memory of 4248	3304	Runner.exe	121
PID 3304 wrote to memory of 4248	3304	Runner.exe	121
PID 3304 wrote to memory of 2752	3304	Runner.exe	123

C:\Users\Admin\AppData\Local\Temp\737a01de80632b31c202d99dc292888a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\737a01de80632b31c202d99dc292888a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Users\Admin\AppData\Local\Temp\4F970D0A-7470-C847-8925-ED4D03FED33A\RtHelp.exe
  "C:\Users\Admin\AppData\Local\Temp\4F970D0A-7470-C847-8925-ED4D03FED33A\RtHelp.exe" --InstSupp --Supp 500 --Ver 180
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3388
- C:\Users\Admin\AppData\Local\Temp\4F970D0A-7470-C847-8925-ED4D03FED33A\RtHelp.exe
  "C:\Users\Admin\AppData\Local\Temp\4F970D0A-7470-C847-8925-ED4D03FED33A\RtHelp.exe" --PreCheck 500 --Uid 2B5A6FC409A67B43876920A0870B4BA2 --Ver 180
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  PID:1624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 608
  2⤵
  - Program crash
  PID:4544
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 888
  2⤵
  - Program crash
  PID:4508
- C:\Users\Admin\AppData\Local\Temp\nsf3551.tmp
  "C:\Users\Admin\AppData\Local\Temp\nsf3551.tmp" /S _?=C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0
  2⤵
  PID:2580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 612
    3⤵
    - Program crash
    PID:908
- - C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
    "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --Uninstall
    3⤵
    PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4912 -ip 4912
1⤵
PID:2844

C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4244
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4672
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4264
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4336
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:3780
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:372
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:336
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:4248
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:908
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:232
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:4700
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:448
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:4244
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:3656
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:4248
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:984
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:4144
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:4244
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  - Executes dropped EXE
  PID:3656
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:4336
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:652
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:3940
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:2152
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:2752
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:908
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:1504
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:1644
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:4748
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:3628
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:3076
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:2812
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:4780
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:2008
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:1732
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:1196
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:2184
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:2256
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:2396
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:316
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:4752
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:3788
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:1724
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:216
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:4976
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:3884
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:2944
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:1980
- C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe
  "C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ARQB4AHAAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADQARgAxAEIAMwAzAEQAMwAtAEMANQA3AEEALQA0AEMANAAyAC0AQQAzADgAQgAtAEEANAAzADYANABBAEMAOAA4ADEARQAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
  2⤵
  PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4912 -ip 4912
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2580 -ip 2580
1⤵
PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Modules\cdp.dll

Filesize
91KB

MD5
2f369f9928242f730d3cf48678158111

SHA1
f31361fb3ed6f6654ad921cdc59786df4c10885a

SHA256
a056ad6496931b0c0a9405cf4f7a34db68c3b78b30d4907f9472994b836ea022

SHA512
c22c479183f66b65e1cf5b7ed75e30f18db5fd7f6427c04385990d181c53216df33994f296ed235357cc0f22e4d437e97983f910ec67fc7e52fe48fafbbebabe

Download Submit
C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Modules\nvs.dll

Filesize
90KB

MD5
ce70e808b2bcdf50f9fec5a965503af8

SHA1
d8168523669f119d3e603f9569078e36362680f4

SHA256
3a35ed22fe448967d3bbb5ac16710f755760f2a083f05b22884abe811d688039

SHA512
2449dc3716362a1a572fbf7f9472ec0d975dca07cd6d4a7cf50c72c62f9ace9a6d9f7f7f3702dcf32a8bbe81b3f38c3248ac98709d3b4f26d329a6f0f7fb770c

Download Submit
C:\Users\Admin\AppData\Local\4F1B33D3-C57A-4C42-A38B-A4364AC881E0\Update\ExtPkg0

Filesize
122B

MD5
63bfc22e886a88b4a7ad8bb9f6ae7cb4

SHA1
fb11f297b81cd271d92a7d9636b2359691709709

SHA256
782ac03b708653aec3db845a028fcb89f68ebfc3242bf6402116d9749ad86a0d

SHA512
47d73ca7e0d36a00e00f7d311abe57b38803d5f30522d75d7a369fdf802c2f893aaa47d3795e8681d91d0b6b914725f709681de4ac810acd1a1923a36e9da6d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F970D0A-7470-C847-8925-ED4D03FED33A\Modules\clc.dll

Filesize
111KB

MD5
68ec32cf0860c9db2f668964a928c913

SHA1
3949cd9177b93bc4ad76fdaf8bc2eb2252802972

SHA256
f1107b54b4cbbfbd7a894226317918f5aadafd56c65ea255c81facdc539b88be

SHA512
267bf7498638c7a062e617b44b0eed61df441ea3ea4efb7cded47c062d903d084594797be5a9ccc783a5fd50f84799a2f33afda03cfff731b0e7c215b649f18e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F970D0A-7470-C847-8925-ED4D03FED33A\Modules\crm.dll

Filesize
104KB

MD5
d925422843f1e14f6504456764219367

SHA1
493c1992685c7413a9497aab830175ba92b1f80e

SHA256
ec27c6987d403bb31df794b47060fe707bca85c058ecb62b8a6ec9ab35de2c06

SHA512
9a510d68428c05f63cad243ba43a954fd595f57e2e88dddd0bf79094d19fb80ef9a71803cf635160bc88f4632176c330dadfef04681cff24fdba67732d1f9a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F970D0A-7470-C847-8925-ED4D03FED33A\Modules\wis.dll

Filesize
42KB

MD5
875b93e5075b75fba8b080c578e9170c

SHA1
3e04baed759bafcf80a3edc7f16054739ceb1972

SHA256
3a942e2bfd313ecdbd48ebe05653b50d904f9b1dc30c86067446885a8d01dff7

SHA512
54c008a278de9fe898cc661393df22b62be9dddd31ab910e311a52ab7035b93949baeba7ff4fc40371061bdc6d9ac9ebc6dc5cd6e31050b44964e172162f6b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F970D0A-7470-C847-8925-ED4D03FED33A\RtHelp.exe

Filesize
334KB

MD5
cdda1f88ec6c73e0f71a4549121165f9

SHA1
b4736704971dd67d904d3664772c815888d60d03

SHA256
0946e5e56039b750820fad2169e66ffe31a5a0d93fc17734948c40f9ef147c43

SHA512
e72c718fe4f0786d171ebc2daf1402667cf380e88877b5675ac782ec22e1b643a4b19b39e193c9002674f2ced61d22de0a7a4f8db9a621fe61534be28fc28775

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F970D0A-7470-C847-8925-ED4D03FED33A\msvcp110.dll

Filesize
522KB

MD5
3e29914113ec4b968ba5eb1f6d194a0a

SHA1
557b67e372e85eb39989cb53cffd3ef1adabb9fe

SHA256
c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a

SHA512
75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F970D0A-7470-C847-8925-ED4D03FED33A\msvcr110.dll

Filesize
854KB

MD5
4ba25d2cbe1587a841dcfb8c8c4a6ea6

SHA1
52693d4b5e0b55a929099b680348c3932f2c3c62

SHA256
b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49

SHA512
82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5073.tmp\System.dll

Filesize
11KB

MD5
3e6bf00b3ac976122f982ae2aadb1c51

SHA1
caab188f7fdc84d3fdcb2922edeeb5ed576bd31d

SHA256
4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe

SHA512
1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5073.tmp\UpdHelper.dll

Filesize
130KB

MD5
bb40f596eab5c6598d320677b1731d62

SHA1
2c3f547355e07ba6585d955237a35e1125173028

SHA256
8b972cd7532648027a533330481a6fed08f70718b31396ddf6579519e862b169

SHA512
a2b6757d82bc9ad02516ab83b31c81c310cefc04ffe8ba1937febe44da2e9786a093fba21f6ed412403acde404a6684f7c2ad7f7696c03379fde9d3aee19b436

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5073.tmp\md5dll.dll

Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
memory/4912-102-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-117-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-120-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-119-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-116-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-115-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-114-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-108-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-106-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-105-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-122-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-99-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-75-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-118-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-123-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-124-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-125-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-121-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-187-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-188-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-191-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-200-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-199-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-198-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-197-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-196-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-195-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-194-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-193-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-192-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-203-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-207-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-206-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-205-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/4912-204-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download