hive | db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e

Resubmissions

30-11-2021 13:37

211130-qxasbsacb8 10

30-11-2021 13:35

211130-qvmzwafagn 10

30-11-2021 13:31

211130-qstpmsfafq 10

Analysis

max time kernel
392s
max time network
371s
platform
windows10_x64
resource
win10-en-20211104
submitted
30-11-2021 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
Size

2.5MB
MD5

6c1665d8f03efdc96991956f4d7f310d
SHA1

bbbb0836a9f0d2525539d65669d35d8e528f96d1
SHA256

db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e
SHA512

c633c67c5a8e2b5c856027475d0d0bb2075a6b2d54486e080c737d4dce7a71ffbd83acddcf60dc53854e72b91bf05e25c1e02a55fbd0b93ca66b61691d5b96b7

Score

10^/10

hive persistence ransomware spyware stealer

Malware Config

Signatures

Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops file in Drivers directory 14 IoCs

Processes:

db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\MountDebug.png => C:\Users\Admin\Pictures\MountDebug.png.NovpPmra8IYMlg54m8SqjwHH1JQj1otpNi0GIUfgPwM.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Pictures\MountDebug.png.NovpPmra8IYMlg54m8SqjwHH1JQj1otpNi0GIUfgPwM.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File renamed	C:\Users\Admin\Pictures\RepairConnect.crw => C:\Users\Admin\Pictures\RepairConnect.crw.NovpPmra8IYMlg54m8Sqj4aVMBQX_Ossd12B92fHfho.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Pictures\RepairConnect.crw.NovpPmra8IYMlg54m8Sqj4aVMBQX_Ossd12B92fHfho.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File renamed	C:\Users\Admin\Pictures\ResolveMeasure.raw => C:\Users\Admin\Pictures\ResolveMeasure.raw.NovpPmra8IYMlg54m8Sqj6v9hqurwVV37SyTRjFnIgE.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveMeasure.raw.NovpPmra8IYMlg54m8Sqj6v9hqurwVV37SyTRjFnIgE.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

Drops startup file 4 IoCs

Processes:

db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.NovpPmra8IYMlg54m8SqjwV3k18wdAEuHpHNyIzioCs.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

Processes:

db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1042495040-510797905-2613508344-1000\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Public\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

description ioc process

File opened (read-only) \??\D:

description	ioc	process
File opened (read-only)	\??\D:

Drops file in System32 directory 64 IoCs

Processes:

db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Com\ja-JP\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\Speech_OneCore\Common\ja-JP\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnfxcl2.inf_amd64_f26eeb7da72ee32b\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\en-US\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\Speech\SpeechUX\en-US\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\de-DE\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Windows\SysWOW64\Licenses\neutral\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhpcl4.inf_amd64_9412589272562044\amd64\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\Speech\Engines\SR\en-US\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\en\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msdri.inf_amd64_c82335b6cfcf830c\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\en-US\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mbtr8897w81x64.inf_amd64_fd074d03451ecbb5\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mchgr.inf_amd64_22792b9c3ed77544\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForSome\ja-JP\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\sl-SI\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Windows\SysWOW64\DiagSvcs\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_fdc.inf_amd64_f74caef313011915\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdminfot.inf_amd64_1fdfa80956d76f96\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netathrx.inf_amd64_36d7b29d619a4ac6\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaep003.inf_amd64_c58a04f11ce74cd7\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\tr-TR\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmetech.inf_amd64_c43f26cff0f4b40c\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Windows\SysWOW64\slmgr\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAny\ja-JP\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\fr-FR\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\arcsas.inf_amd64_5f236fef4b16ceac\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcpq2.inf_amd64_7af589c3bb13056c\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\bg-BG\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmhaeu.inf_amd64_79e9bf8e86fe4c7a\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netax88772.inf_amd64_d2ca514cf72a9a18\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wsdscdrv.inf_amd64_bab2522375bff9e1\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0012\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ServiceResource\fr-FR\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SecureBoot\de-DE\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_e15abe7d25aa2071\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Windows\SysWOW64\en\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Windows\SysWOW64\oobe\en-US\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForSome\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Storage\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmarch.inf_amd64_e39045a84bf729cf\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_74965e869fab271a\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_9b48be32f09b1fb6\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\de-DE\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmhrtz.inf_amd64_93ec10166bc1a0df\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtdkj7.inf_amd64_ffbcef18ed58fdf5\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\tape.inf_amd64_5a552c4209011069\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Diagnostics\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_EnvironmentResource\fr-FR\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\DriverStore\FileRepository\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_EnvironmentResource\ja-JP\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\urssynopsys.inf_amd64_68d37c01f27b5d51\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\Configuration\Registration\MSFT_FileDirectoryConfiguration\fr-FR\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net8187bv64.inf_amd64_bc859d32f3e2f0d5\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\Configuration\BaseRegistration\ja-JP\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\Volume\Professional\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\v_mscdsc.inf_amd64_9e2522234c3c6b25\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Diagnostics\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmbug3.inf_amd64_b70af81d635ecc4b\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

Drops file in Program Files directory 64 IoCs

Processes:

db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-conio-l1-1-0.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-140.png.NovpPmra8IYMlg54m8Sqj51vgOdVI3Rvcfi8kikqSVk.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-fr\ui-strings.js.NovpPmra8IYMlg54m8Sqj7Xpnk-SEZ1Vn2M9k-QJyy8.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\ja-JP\mshwLatin.dll.mui.NovpPmra8IYMlg54m8Sqj4G1pg0JmpJe8zJk0adcyGU.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\JitV.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxManifest.xml	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\manifest.json.NovpPmra8IYMlg54m8Sqj4SWmJblEm9D_DexSRprgCU.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe.NovpPmra8IYMlg54m8Sqj-xIjnrmb6wjqmRsBBEkMG4.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_zh_CN.jar	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-views.jar	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\osmux.x-none.msi.16.x-none.tree.dat	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-24.png	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner.gif	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Program Files\Windows Multimedia Platform\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\THMBNAIL.PNG	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Core.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaSansDemiBold.ttf.NovpPmra8IYMlg54m8Sqj_3B7KmTNstV4XTitqpr5Ws.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msador15.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\index.gif.NovpPmra8IYMlg54m8Sqjz0PYYRFA6dzf3IB8XwyRiE.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_removeme-default_18.svg.NovpPmra8IYMlg54m8SqjyjaoXvuyOlo9_VQjcJBhEw.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeBadge.scale-100.png	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adobe_spinner_mini.gif	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Sybase.xsl.NovpPmra8IYMlg54m8SqjyV7Kym4jMoqNji3tN7Clys.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\gr_60x42.png	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ppd.xrm-ms.NovpPmra8IYMlg54m8SqjymO7uF5CVF4zY1KQ0u83wQ.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Management.Instrumentation.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ko-kr\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\en-gb\onenote_whatsnew.xml	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-cn\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OARTODF.DLL.NovpPmra8IYMlg54m8Sqj9yCBm5PPaY5F2tJbRIgpD0.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ja-jp\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\challenge\Go_for_the_Bronze_Unearned_small.png	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png.NovpPmra8IYMlg54m8SqjzXbEyvZFhsA-G9HKxq7n38.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\de-de\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ko-kr\ui-strings.js	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Web.Entity.Design.Resources.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\hijrah-config-umalqura.properties.NovpPmra8IYMlg54m8SqjyT6ryJEci9ulxqENXf3YHk.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_zh_4.4.0.v20140623020002.jar.NovpPmra8IYMlg54m8Sqj96t7243neA7KQL-jB4irSk.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5311_24x24x32.png	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-200.png	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-left-pressed.gif	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\cs-cz\ui-strings.js	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.24123.0_x86__8wekyb3d8bbwe\AppxSignature.p7x	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-32_contrast-black.png	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\GKWord.dll.NovpPmra8IYMlg54m8Sqj86gYNbK8pYqKV1Jv7okvnc.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\currency.data.NovpPmra8IYMlg54m8SqjxBiVFLv9fw7E89uRpqIujk.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui_5.5.0.165303.jar.NovpPmra8IYMlg54m8Sqjw6wTnyG81BVMt9BOKYmrGY.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateCore.exe.NovpPmra8IYMlg54m8SqjyzMvJ2q9AAXZv-7Ytg90wM.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\rhp\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ul-oob.xrm-ms	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PeopleLargeTile.scale-125.png	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\PSGet.Resource.psd1	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

Drops file in Windows directory 64 IoCs

Processes:

db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

description	ioc	process
File created	C:\Windows\INF\RemoteAccess\0409\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-font-truetype-yibaiti_31bf3856ad364e35_10.0.15063.0_none_69559982f36cf9b2\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-grpconv_31bf3856ad364e35_10.0.15063.0_none_b39bfe17767c9267\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_netfx4-cfx_extended_sql_files_b03f5f7f11d50a3a_4.0.14917.0_none_8f3a6789585f9316\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\msil_multipoint-wmsmanager.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_b2995d25c993a9a8\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..l-keyboard-00000405_31bf3856ad364e35_10.0.15063.0_none_0470c48ed0434709\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\de\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_wgencounter.inf.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_947ba42526d87009\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..acysnapin.resources_31bf3856ad364e35_10.0.15063.0_en-us_d2e7e5c3ffc08428\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-cdosys.resources_31bf3856ad364e35_10.0.15063.0_pl-pl_14885481b08bbaf1\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-i..egacyshim.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_0739b56656c9cbaa\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_dual_c_dot4print.inf_31bf3856ad364e35_10.0.15063.0_none_6ac7bfc9dbd7c994\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..elmanifests-onecore_31bf3856ad364e35_10.0.15063.0_none_fe142887187e5ff9\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-wpd-shellextension_31bf3856ad364e35_10.0.15063.0_none_c61e2a60473afa97\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-svsvc_31bf3856ad364e35_10.0.15063.0_none_72c9aed4aea63e11\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_netfx4-uiautomationclient.resources_b03f5f7f11d50a3a_4.0.14917.0_fr-fr_3982909d661cd06c\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-d..anagement.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_bd9c23dc26511e71\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..orerframe.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_070f5c9f1e6a65dc\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_netfx-system.windows.forms_b03f5f7f11d50a3a_10.0.15063.0_none_6865cff75b22dc57\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Data.Services\3.5.0.0__b77a5c561934e089\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..laytomenu.resources_31bf3856ad364e35_10.0.15063.0_de-de_a694510cc368ed39\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-icm-ui_31bf3856ad364e35_10.0.15063.0_none_4b6c90a3d99e2006\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_netfx4-microsoft.ac..ies.build.resources_b03f5f7f11d50a3a_4.0.14917.0_ja-jp_b10d4336084d74c2\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-setupcl.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_4de58d6e12bfa5e0\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..onmanager.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_dc8637dc3b6cd3bb\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_10.0.15063.0_de-de_36043fc5ada66c50\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_netfx4-system.web.resources_b03f5f7f11d50a3a_4.0.14917.0_fr-fr_e48e4b8ec1e082cf\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..learnmore.resources_31bf3856ad364e35_10.0.15063.0_de-de_2c3e6576e88b4496\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_netfx4-system.io_b03f5f7f11d50a3a_4.0.14917.0_none_03090163813e92b5\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-choice.resources_31bf3856ad364e35_10.0.15063.0_en-us_2609447189e27c28\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-cpfilters.resources_31bf3856ad364e35_10.0.15063.0_en-us_39c63b9a6576974d\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_bg-bg_7fe70d284c85fc03\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..lperclass.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_99d7cdc9afed8215\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_netwew01.inf.resources_31bf3856ad364e35_10.0.15063.0_de-de_b0872f5e9a892cfd\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-audio-volumecontrol_31bf3856ad364e35_10.0.15063.0_none_7b1daf1c87eb47d6\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-cloudfiles-apilibrary_31bf3856ad364e35_10.0.15063.0_none_3e2d02820cc80fdc\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..oxy-extension-agent_31bf3856ad364e35_10.0.15063.0_none_89bd0403cac17aae\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..ment-core.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_04212a95f3535cee\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-photoviewer.resources_31bf3856ad364e35_10.0.15063.0_en-us_d45401b3b6bbbb09\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c...appxmain.resources_31bf3856ad364e35_10.0.15063.0_th-th_670d21b329935e03\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-onex.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_105893bd6d3cc93e\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\msil_microsoft-windows-smcsnapin.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_858625d3b8ba06ec\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\wow64_hid-dll.resources_31bf3856ad364e35_10.0.15063.0_en-us_3344e9f9a281ea1b\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-c..ckagingom.resources_31bf3856ad364e35_10.0.15063.0_de-de_452e8bd0bcf8d6c3\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-basic-misc-tools_31bf3856ad364e35_10.0.15063.0_none_287090a9f83a48df\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-dot3helperclass_31bf3856ad364e35_10.0.15063.0_none_3410abdec6ec21ee\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-ncdprop.resources_31bf3856ad364e35_10.0.15063.0_de-de_9348b1a128fb2180\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-secinit.resources_31bf3856ad364e35_10.0.15063.0_de-de_88cf5ca827306e37\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\Media\Calligraphy\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.15063.0_en-us_2a63a593fb9ef60c\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-wsp-fileserver_31bf3856ad364e35_10.0.15063.0_none_54ab4c6277f1fe01\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-systemcpl.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_45ec74d99c2e91e1\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\x86_netfx4-system.xml.linq.resources_b03f5f7f11d50a3a_4.0.14917.0_de-de_3d80984d2ed8ad5c\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..pprov-dll.resources_31bf3856ad364e35_10.0.15063.0_en-us_06e30560678f8aa8\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-ntdll_31bf3856ad364e35_10.0.15063.0_none_743f61cd695d2779\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-rasgetconnectedwizard_31bf3856ad364e35_10.0.15063.0_none_ef091c464ca95e4a\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..usnotificationuxexe_31bf3856ad364e35_10.0.15063.0_none_8527167b4aa01897\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_netfx4-system.data.entity_b03f5f7f11d50a3a_4.0.14917.0_none_e5e5d8b0ce202f1a\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_rspndr.inf.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_74823acf8c795b0d\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wmadmod_31bf3856ad364e35_10.0.15063.0_none_9762c47656c6caeb\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-d..andgroups.resources_31bf3856ad364e35_10.0.15063.0_de-de_1fa3a92e31326787\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\msil_system.web.extensions_31bf3856ad364e35_4.0.14917.0_none_38c7b54800b1ba60\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-ldifde.resources_31bf3856ad364e35_10.0.15063.0_en-us_96d4a085f8f29417\HOW_TO_DECRYPT.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

Program crash 3 IoCs

Processes:

pid pid_target process target process

4268 3460
3172 2060
3368 4524

pid	pid_target	process	target process
4268	3460
3172	2060
3368	4524

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
608
3812
3112
3104
3092
4796
3128
3936
1716	timeout.exe
4104	timeout.exe
1700
540
396
3892
4812
2248
4560
1708
4500
4824
4324
3824
932
4704
1668
2096
3516
3720	timeout.exe
3244
1292
2244
1644
3648
2644
2148
4116	timeout.exe
1716	timeout.exe
2072	timeout.exe
4660
1928
3892
3452
3860
1884	timeout.exe
4560
3924
2828
3560
2732
4460	timeout.exe
2840
2144
3892
4156
1900
3004
2720	timeout.exe
2900	timeout.exe
4828
4756
4328
5088
652
4836

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3648 vssadmin.exe

pid	process
3648	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"

Modifies registry class 30 IoCs

Processes:

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132805259250849572"
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e5070b004100720067006a006200650078002000200033000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c0000000000000000000000001686c613f0e5d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e5070b004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c00000000000000000000000026905413f0e5d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e5070b004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc7600000000000000000000000006d89a44aed1d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

pid process

1332

pid	process
1332

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

pid	process
3564	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
3564	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
4268
4268
4268
4268
4268
4268
4268
4268
4268
4268
4268
4268
4268
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2088

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exe

description	pid	process
Token: SeBackupPrivilege	4172	vssvc.exe
Token: SeRestorePrivilege	4172	vssvc.exe
Token: SeAuditPrivilege	4172	vssvc.exe
Token: SeDebugPrivilege	4268
Token: SeDebugPrivilege	3172
Token: SeShutdownPrivilege	2088
Token: SeCreatePagefilePrivilege	2088
Token: SeShutdownPrivilege	2088
Token: SeCreatePagefilePrivilege	2088
Token: SeShutdownPrivilege	2088
Token: SeCreatePagefilePrivilege	2088
Token: SeShutdownPrivilege	2088
Token: SeCreatePagefilePrivilege	2088
Token: SeShutdownPrivilege	2088
Token: SeCreatePagefilePrivilege	2088
Token: SeShutdownPrivilege	2088
Token: SeCreatePagefilePrivilege	2088
Token: SeShutdownPrivilege	2088
Token: SeCreatePagefilePrivilege	2088
Token: SeShutdownPrivilege	2088
Token: SeCreatePagefilePrivilege	2088
Token: SeShutdownPrivilege	2088
Token: SeCreatePagefilePrivilege	2088
Token: SeShutdownPrivilege	2088
Token: SeCreatePagefilePrivilege	2088
Token: SeShutdownPrivilege	2088
Token: SeCreatePagefilePrivilege	2088
Token: SeDebugPrivilege	3368
Token: SeShutdownPrivilege	2088
Token: SeCreatePagefilePrivilege	2088
Token: SeShutdownPrivilege	2088
Token: SeCreatePagefilePrivilege	2088
Token: SeShutdownPrivilege	2088
Token: SeCreatePagefilePrivilege	2088
Token: SeTakeOwnershipPrivilege	2004
Token: SeRestorePrivilege	2004
Token: SeShutdownPrivilege	2088
Token: SeCreatePagefilePrivilege	2088
Token: SeShutdownPrivilege	2088
Token: SeCreatePagefilePrivilege	2088
Token: SeShutdownPrivilege	2088
Token: SeCreatePagefilePrivilege	2088
Token: SeShutdownPrivilege	2088
Token: SeCreatePagefilePrivilege	2088
Token: SeShutdownPrivilege	2088
Token: SeCreatePagefilePrivilege	2088
Token: SeShutdownPrivilege	2088
Token: SeCreatePagefilePrivilege	2088
Token: SeShutdownPrivilege	2088
Token: SeCreatePagefilePrivilege	2088
Token: SeShutdownPrivilege	2088
Token: SeCreatePagefilePrivilege	2088
Token: SeShutdownPrivilege	2088
Token: SeCreatePagefilePrivilege	2088
Token: SeShutdownPrivilege	2088
Token: SeCreatePagefilePrivilege	2088
Token: SeShutdownPrivilege	2088
Token: SeCreatePagefilePrivilege	2088
Token: SeShutdownPrivilege	2088
Token: SeCreatePagefilePrivilege	2088
Token: SeShutdownPrivilege	2088
Token: SeCreatePagefilePrivilege	2088
Token: SeShutdownPrivilege	2088
Token: SeCreatePagefilePrivilege	2088

Suspicious use of FindShellTrayWindow 52 IoCs

Processes:

pid	process
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088

Suspicious use of SendNotifyMessage 43 IoCs

Processes:

pid	process
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088
2088

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

pid process

3152
3572
3152

pid	process
3152
3572
3152

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.execmd.execmd.exe

description	pid	process	target process
PID 3564 wrote to memory of 764	3564	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	cmd.exe
PID 3564 wrote to memory of 764	3564	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	cmd.exe
PID 3564 wrote to memory of 764	3564	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	cmd.exe
PID 3564 wrote to memory of 696	3564	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	cmd.exe
PID 3564 wrote to memory of 696	3564	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	cmd.exe
PID 3564 wrote to memory of 696	3564	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	cmd.exe
PID 764 wrote to memory of 3212	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 3212	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 3212	764	cmd.exe	timeout.exe
PID 696 wrote to memory of 3648	696	cmd.exe	vssadmin.exe
PID 696 wrote to memory of 3648	696	cmd.exe	vssadmin.exe
PID 696 wrote to memory of 3648	696	cmd.exe	vssadmin.exe
PID 764 wrote to memory of 4584	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 4584	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 4584	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 2944	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 2944	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 2944	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 592	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 592	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 592	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 860	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 860	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 860	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1020	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1020	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1020	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1064	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1064	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1064	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1144	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1144	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1144	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1304	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1304	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1304	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1376	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1376	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1376	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1552	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1552	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1552	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1612	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1612	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1612	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1712	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1712	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1712	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1860	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1860	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1860	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1948	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1948	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1948	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 2064	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 2064	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 2064	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 2172	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 2172	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 2172	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 2348	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 2348	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 2348	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 2480	764	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
"C:\Users\Admin\AppData\Local\Temp\db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3212

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4584

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2944

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:592

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:860

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1020

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1064

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1144

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1304

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1376

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1552

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1612

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1712

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1860

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1948

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2064

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2172

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2348

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2480

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2628

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2624

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2660

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3116

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3808

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4452

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2092

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4016

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2212

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4868

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4904

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1252

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4940

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4968

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5012

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2036

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2888

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4912

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4980

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4636

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4656

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4616

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4332

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4328

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4612

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5100

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2832

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:372

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5116

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1028

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:608

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2416

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:692

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3520

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5088

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2996

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4728

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4988

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1448

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2336

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2332

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1292

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1196

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1400

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2384

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1724

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2300

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1644

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1900

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2116

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3012

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2080

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4528

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2200

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2680

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3220

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3060

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4292

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3108

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1464

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4820

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5024

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1468

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:836

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1620

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2284

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2260

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3472

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3160

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3556

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3720

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3184

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3088

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2560

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3604

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4508

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2180

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4128

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5072

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3768

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3888

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3996

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4036

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3880

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3052

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3752

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3784

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3128

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3780

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3056

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4116

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3244

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:660

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4296

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4288

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:592

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3216

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:924

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:420

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1060

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1184

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1144

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1332

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3832

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1560

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1624

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1716

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1856

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1960

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2004

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2140

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2064

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2352

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2392

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2452

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2632

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2628

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2640

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2728

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4140

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3116

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3808

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4168

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1772

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4164

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4600

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2212

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4896

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1288

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2604

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4756

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5008

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4968

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1444

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2276

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4916

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4936

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4912

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1476

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4652

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4632

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3300

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4616

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4320

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5048

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4960

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2816

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5100

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2548

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5092

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5112

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:932

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1028

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:392

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:724

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:712

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5044

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5080

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5088

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2756

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4832

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:956

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4988

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1448

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4560

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4592

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1340

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1380

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1408

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4352

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3960

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1724

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2300

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1644

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1900

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2116

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3012

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2080

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4528

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2968

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2680

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3220

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3248

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4292

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3108

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1464

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4820

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5024

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1468

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:836

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1620

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2284

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2260

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3472

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3608

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3556

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3720

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3184

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3088

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3176

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3604

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4508

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2180

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4128

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5072

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3768

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3888

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3996

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3064

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3880

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3440

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3752

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3784

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3128

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3780

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3056

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4116

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3032

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3244

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4296

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4288

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:296

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3216

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:924

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:420

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1060

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1184

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1144

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1332

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3832

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1560

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1864

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1624

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1936

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1948

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2156

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2240

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2388

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2348

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2480

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2616

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2644

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2268

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2660

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1736

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3812

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3632

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2796

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2092

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4016

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2244

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4876

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4868

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1256

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1088

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4964

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4996

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1228

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5012

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2188

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2888

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4952

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4608

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4980

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4644

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4656

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4816

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4692

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4444

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4948

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4612

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2820

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2544

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4120

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:372

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5092

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5112

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:540

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1028

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:608

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:724

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1132

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4144

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4812

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4676

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4824

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4828

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1220

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:968

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:984

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4588

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2324

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1980

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1412

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1400

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4200

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4460

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1700

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1744

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4136

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2100

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1208

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2088

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4524

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3104

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2200

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2724

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4268

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3060

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3820

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4764

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:688

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4512

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3504

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5024

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1912

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2880

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:900

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2104

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3192

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3584

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3592

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4400

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3712

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3208

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3180

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2228

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2164

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5056

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3660

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3772

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3892

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3768

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3884

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4036

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3044

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3052

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3984

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3164

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2716

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2252

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4308

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2944

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:652

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2860

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3696

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3144

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:872

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:860

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:488

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:924

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1152

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1312

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1304

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1532

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1556

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1616

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1708

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1712

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1860

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1936

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2068

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2168

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2396

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2392

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2492

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2636

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2652

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2624

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2640

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3476

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4312

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2608

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4452

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1772

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4156

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4848

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4892

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4880

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1268

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1252

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4984

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5016

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1976

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2316

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4932

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2904

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4944

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1472

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4628

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4636

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4620

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3824

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4616

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4320

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4300

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5004

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2816

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4572

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1416

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4100

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5104

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5112

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:540

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1028

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:608

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:724

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1904

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4144

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4812

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4676

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4824

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2296

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4828

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:968

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:984

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4588

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2324

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1980

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1412

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1400

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4200

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4460

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1700

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1744

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4136

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2100

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1208

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2088

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4524

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3104

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2200

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2724

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4268

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3060

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3820

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4764

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:688

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4512

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3504

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5024

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1912

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2880

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:900

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2104

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3192

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3584

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3592

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2840

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4400

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3208

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3180

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2228

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2164

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4128

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5056

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3772

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3892

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3768

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3884

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4036

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3044

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3052

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3984

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3692

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4440

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3212

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4152

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3152

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:644

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3368

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3648

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4288

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:508

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1020

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1064

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1296

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1324

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1512

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1524

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3716

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1604

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1716

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1928

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1624

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2004

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1948

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2064

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2240

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2352

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2452

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2656

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2632

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2616

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2268

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2660

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1736

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3808

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4108

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2608

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2092

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4016

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2244

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4876

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1288

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1256

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1088

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5008

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4996

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:960

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5012

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4916

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2188

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4924

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4608

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1472

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4644

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4604

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4324

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4692

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4444

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4948

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4612

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5108

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2544

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2548

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4104

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1396

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:400

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5112

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3224

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:392

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:712

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1132

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5080

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5088

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2756

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1824

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:956

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2320

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3304

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2196

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2720

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2972

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:396

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1380

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2384

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3960

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1628

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2220

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1644

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:976

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4872

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4544

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2204

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4496

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2072

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2900

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2948

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3016

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4148

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4796

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1460

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4820

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1424

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3504

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2712

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:836

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2024

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5084

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3560

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3600

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3192

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3584

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3592

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2380

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3088

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2560

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3276

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3180

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4508

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5068

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5052

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3076

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3936

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4024

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3892

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3768

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3064

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3880

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4660

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:756

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3784

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2208

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3780

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3056

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4440

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4152

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3152

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:644

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3368

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3648

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4288

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:508

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1020

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1328

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1064

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1376

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1324

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1524

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3716

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1604

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1716

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1928

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1624

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2248

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2004

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2064

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2240

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2348

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2352

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3468

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2656

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4140

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2616

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2660

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3812

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1736

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4108

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4600

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2608

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4016

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1092

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2244

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1288

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1256

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1088

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1228

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5008

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:960

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4936

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5012

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2188

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4980

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4924

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1472

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4644

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4304

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4604

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4692

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4444

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4948

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4612

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5108

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2544

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2548

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4104

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1396

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:400

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5112

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3224

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:392

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:712

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1132

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5080

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5088

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1220

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2756

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:956

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2320

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4592

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2196

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1196

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2720

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:396

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1380

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2384

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3960

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1628

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2220

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1644

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:976

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4872

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2508

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4544

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4496

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2072

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2900

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2948

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3016

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4148

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5032

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1884

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:904

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2504

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3000

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2712

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:836

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2260

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3580

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3608

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3556

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3720

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3196

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2380

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3588

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3748

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2808

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4508

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5068

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5052

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2748

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4020

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4220

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3996

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1776

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3880

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4548

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:756

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3984

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4584

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2252

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4308

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2944

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:652

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2860

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3696

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3144

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:296

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3216

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1188

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1296

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1372

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1184

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1304

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1532

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1556

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1856

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1708

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1712

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1860

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1728

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2068

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2168

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2612

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2400

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2480

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2628

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2652

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2732

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2640

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3476

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1804

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4168

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4452

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1896

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4156

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2312

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4860

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4900

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1268

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4956

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4964

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5020

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5016

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2316

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2036

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4912

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2904

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4608

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4648

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3300

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4636

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4816

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4328

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4332

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5048

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5000

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5004

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5100

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1416

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5116

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5104

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:932

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:540

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:672

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:608

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:724

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1904

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4144

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4812

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4676

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5060

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2296

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1448

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:968

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3304

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1340

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1244

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1408

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4352

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2308

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2500

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4460

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1924

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1932

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4136

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3012

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2264

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2080

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2668

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3068

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2920

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3004

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3816

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4292

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1068

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4764

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:688

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1468

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2032

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3480

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5024

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1668

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:900

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3160

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3472

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3192

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3556

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2840

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3184

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3208

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3276

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5076

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2808

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3776

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3756

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3772

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4024

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3892

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3768

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4036

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3044

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3052

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3128

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3164

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3780

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3056

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4440

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3864

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3152

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:644

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3368

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3648

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4288

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:508

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1020

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1328

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1064

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1376

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1324

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1524

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1556

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1856

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1708

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1712

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1860

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1728

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2068

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2168

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2612

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2400

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2480

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2628

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2652

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2732

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2640

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3476

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1804

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4168

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4452

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1896

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4848

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4156

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4860

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4900

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1268

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4956

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4964

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5020

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5016

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2316

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2036

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4912

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2904

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4608

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4648

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3300

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4636

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4816

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4328

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4332

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5096

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5000

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5004

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5100

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1416

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:348

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5116

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:932

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:540

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:672

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:608

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4672

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:724

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4144

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4812

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4676

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4828

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5060

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1448

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4588

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:968

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1980

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1340

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1408

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4352

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2308

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2500

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4460

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1924

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1932

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4136

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3012

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2264

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2080

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2668

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3068

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2920

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3004

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3816

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4292

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1068

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4764

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:688

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1468

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1912

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2032

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2284

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5024

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:900

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3160

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3472

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3192

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3556

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2840

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3184

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3208

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3276

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5076

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2808

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3776

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3756

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3772

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4024

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3892

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3768

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4036

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3044

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3052

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3128

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3164

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3780

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3056

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4440

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2944

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:824

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:680

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:920

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4296

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:872

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:860

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1020

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:420

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1060

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1312

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1552

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1704

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1864

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1960

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2012

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1948

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2144

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1728

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2396

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2452

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2348

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2632

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2728

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:696

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3648

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1042495040-510797905-2613508344-1000\desktop.ini
MD5
94cf60009364818d1afc07a75f8dc6dc

SHA1
4564e2379cedd31a343ea57a8c573de2fce2ffd8

SHA256
5dd3ea50b55439f178868f5f8188839c722329b26d23d3d23a245ee6925f172e

SHA512
53d3361c0442ac8f329fda3ca145425c9ed49d70625d7ac2c7fc7f9a7b856dec3c51bc43309d7fc13ef76efda2d4713f5a1556a3c3000e5bc95404649b4d3c07

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db.NovpPmra8IYMlg54m8Sqj1SvobNrjJBSPIs0xb31pBE.hive
MD5
969e766afefe5b56428ae76a8583fba8

SHA1
af67fba5ec43ece2b4b24c1406e7d468ea35d96a

SHA256
1794b0c60ade243d6f020dd3153f755ca535ecf76b3e9d455d3decbcb133e99c

SHA512
94c0a5a2bd10949998ffeea4bf1ba30e688ff9c376d1fa38764ee239080960924606949c442dc2b06b6a806c3a02ba607e6d7fcbe323eced0c495dc97e24c135

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.NovpPmra8IYMlg54m8Sqj7H9ZiCC5UFeH_zKVdPepxQ.hive
MD5
54b4efdf694546671670f7027dcbfa4c

SHA1
cd992aa02ccf57b5448bea4578898e826cc3fc41

SHA256
f3a3aaad89a22dc234916dde96bd1b69211ca16b7651408edc310983f47d283e

SHA512
a39857adbf4294df4751ec31004b256f9633d1eb97a91fe66f5ca839e6712af8d4a8ca23d7419b3383a00b30580dd06c89b554654b98d7b9d37e024d17de7ec6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001d.db.NovpPmra8IYMlg54m8Sqj4CrRmX9GaMDVVjbBcHE1Cg.hive
MD5
8dd48ce63c3ced5a352df18a6546ad95

SHA1
1c567ce28bb563c399f3b143fa71a8fc3618c7aa

SHA256
21154d6c2e97e52fa7472d5cef9b6d53eb365c1751254a018b2c67980227a468

SHA512
aa5bee0f2ad82e54dce4db6eb060d32b792533fbbfa2f7bc6c70413583dd36c5c81eae3db68c6954ca07d5bba3e1e1d47cb8f6b2f7067ab5bbd109a7963cfa0f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\EWTY79SU\microsoft.windows[1].xml
MD5
bdb5d2d49abc9c72ea8ef4f5e6088b86

SHA1
b257f8c3a587e11bd0d0f12251db7ac8c403559b

SHA256
3a2b1309e48327d2cb027989c6dc1813d6ead4449b77180ac2ca4cbed36c7424

SHA512
408826b29a41a2a0747c24ac3e4965acbf503797bf06af6f50ba91340dad954fbf0e42240b9900c42d924b8bccc11fbb18e423bfbebb1b378a0ac7daccdf5b61

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{73d272f5-ad86-4183-af6a-be2680db5cc1}\HOW_TO_DECRYPT.txt
MD5
15118f26e8dcd46530c47a3853d5151c

SHA1
27a1bddd78a1ab15d3119d10cdb8569eeb9984a3

SHA256
7a5e1710b71c712fd54bb19d16498d57f3c6b514b5c1537321e6500f8df83e9f

SHA512
0bb2c880437ca503898ee799d09c308cacff3add1891b1c8d9b8119ad46f7042cf836b58e79e8b6b8fe914e191d4452c94618f60efaaa048739e662a033b25a8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{99c4fd22-72c3-4ed5-8d4f-f6eca2295805}\HOW_TO_DECRYPT.txt
MD5
15118f26e8dcd46530c47a3853d5151c

SHA1
27a1bddd78a1ab15d3119d10cdb8569eeb9984a3

SHA256
7a5e1710b71c712fd54bb19d16498d57f3c6b514b5c1537321e6500f8df83e9f

SHA512
0bb2c880437ca503898ee799d09c308cacff3add1891b1c8d9b8119ad46f7042cf836b58e79e8b6b8fe914e191d4452c94618f60efaaa048739e662a033b25a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hive.bat
MD5
1979b2676fdfa499ba90720950db76d0

SHA1
d96581fdae36e013917ab6192273956cbfdb4111

SHA256
31d13e940ec4af6ed5013faa57e162a9720d2f548292b81a8e0aed3853755031

SHA512
82eaad7d9911790d8de95b806d2c3781e7c3d62f3fd0b4c1f477d4f936647a466afbabd0df7061c6012963efa36ec1e3387e1d3e3227c7a196c875d3ca125bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\shadow.bat
MD5
df5552357692e0cba5e69f8fbf06abb6

SHA1
4714f1e6bb75a80a8faf69434726d176b70d7bd8

SHA256
d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8

SHA512
a837555a1175ab515e2b43da9e493ff0ccd4366ee59defe6770327818ca9afa6f3e39ecdf5262b69253aa9e2692283ee8cebc97d58edd42e676977c7f73d143d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms
MD5
0545e0a717c463965c3c85a70860f19e

SHA1
60e6a1b2418c6a1283fc8522c2d65928477f766a

SHA256
c7987f24956e79111027e687bb712298c01d106ada6202c0bb7f0957a0a5ec29

SHA512
4bbd5107eb14d81ee6f1df84ed190dcaef3fc8fe225fa769bbcf5a53d3bced546b354d720cff3d73c23ddbaed212af04811cef04184599f5c0b2dfa4d36c0953

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
MD5
000c6c16df0ba73fc27e8f75c97bfb64

SHA1
2900fd39a522a71e2c2d91d72a58b2e248c8f44a

SHA256
1607fb5d036a89eff651627ebe043e49d752a945c62c40ce65ddba525258ae5f

SHA512
61da0e7fbf787f646bfe0aa29f67bd26d1637fa161d93325ee8c9be3215a67a4e412fa7b56d711b0758a62d7b8eef98f7d2d70ec5c89bf81d7951c3688bd0cd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
MD5
f257ec61c0c6d5c3df8ac8873c175fe6

SHA1
12215e02fe03b56f8b48602aa579b59d8315a571

SHA256
cdf0ceb34f167b68568fdf231b1a98841e30e5534d5bf01abf600159c7eedfc4

SHA512
8e62b3bb436b34b41100f9da7dd7c2c169d3e4e59b03a56fee90a4853051165e7cca81bdae3f3f8e89d3ca86723c1eadb69634431d9a30ab0e6a263f274e16de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg.NovpPmra8IYMlg54m8Sqj8pUCKBq1ksGGBMVYLxHsyM.hive
MD5
b53258e2f8c71501d60ecb8429599f8e

SHA1
c5f05461d5d2f04b31429c4a38c971bf64abd3ee

SHA256
ebbb03c6e3106c147c650123a0ad3a308bce2f551960a4948038f4ccd3ff132c

SHA512
4c6bc396aa21a30cab66edb2a5bae92f63a9d980c54122ea57c32f30686de8ada61e1ac5b1569609928c1fcac682f3955415192239cf2dd1c04f464b5f37c559

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECRYPT.txt
MD5
15118f26e8dcd46530c47a3853d5151c

SHA1
27a1bddd78a1ab15d3119d10cdb8569eeb9984a3

SHA256
7a5e1710b71c712fd54bb19d16498d57f3c6b514b5c1537321e6500f8df83e9f

SHA512
0bb2c880437ca503898ee799d09c308cacff3add1891b1c8d9b8119ad46f7042cf836b58e79e8b6b8fe914e191d4452c94618f60efaaa048739e662a033b25a8

Download Submit
memory/372-170-0x0000000000000000-mapping.dmp

Download
memory/592-127-0x0000000000000000-mapping.dmp

Download
memory/608-173-0x0000000000000000-mapping.dmp

Download
memory/692-175-0x0000000000000000-mapping.dmp

Download
memory/696-119-0x0000000000000000-mapping.dmp

Download
memory/764-118-0x0000000000000000-mapping.dmp

Download
memory/860-128-0x0000000000000000-mapping.dmp

Download
memory/1020-129-0x0000000000000000-mapping.dmp

Download
memory/1028-172-0x0000000000000000-mapping.dmp

Download
memory/1064-130-0x0000000000000000-mapping.dmp

Download
memory/1144-131-0x0000000000000000-mapping.dmp

Download
memory/1252-154-0x0000000000000000-mapping.dmp

Download
memory/1292-184-0x0000000000000000-mapping.dmp

Download
memory/1304-132-0x0000000000000000-mapping.dmp

Download
memory/1376-133-0x0000000000000000-mapping.dmp

Download
memory/1448-181-0x0000000000000000-mapping.dmp

Download
memory/1552-134-0x0000000000000000-mapping.dmp

Download
memory/1612-135-0x0000000000000000-mapping.dmp

Download
memory/1712-136-0x0000000000000000-mapping.dmp

Download
memory/1860-137-0x0000000000000000-mapping.dmp

Download
memory/1948-138-0x0000000000000000-mapping.dmp

Download
memory/2036-158-0x0000000000000000-mapping.dmp

Download
memory/2064-139-0x0000000000000000-mapping.dmp

Download
memory/2088-187-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download
memory/2092-149-0x0000000000000000-mapping.dmp

Download
memory/2172-140-0x0000000000000000-mapping.dmp

Download
memory/2212-151-0x0000000000000000-mapping.dmp

Download
memory/2332-183-0x0000000000000000-mapping.dmp

Download
memory/2336-182-0x0000000000000000-mapping.dmp

Download
memory/2348-141-0x0000000000000000-mapping.dmp

Download
memory/2416-174-0x0000000000000000-mapping.dmp

Download
memory/2480-142-0x0000000000000000-mapping.dmp

Download
memory/2624-144-0x0000000000000000-mapping.dmp

Download
memory/2628-143-0x0000000000000000-mapping.dmp

Download
memory/2660-145-0x0000000000000000-mapping.dmp

Download
memory/2832-169-0x0000000000000000-mapping.dmp

Download
memory/2888-159-0x0000000000000000-mapping.dmp

Download
memory/2944-126-0x0000000000000000-mapping.dmp

Download
memory/2996-178-0x0000000000000000-mapping.dmp

Download
memory/3116-146-0x0000000000000000-mapping.dmp

Download
memory/3212-122-0x0000000000000000-mapping.dmp

Download
memory/3520-176-0x0000000000000000-mapping.dmp

Download
memory/3648-123-0x0000000000000000-mapping.dmp

Download
memory/3808-147-0x0000000000000000-mapping.dmp

Download
memory/4016-150-0x0000000000000000-mapping.dmp

Download
memory/4328-166-0x0000000000000000-mapping.dmp

Download
memory/4332-165-0x0000000000000000-mapping.dmp

Download
memory/4452-148-0x0000000000000000-mapping.dmp

Download
memory/4584-125-0x0000000000000000-mapping.dmp

Download
memory/4612-167-0x0000000000000000-mapping.dmp

Download
memory/4616-164-0x0000000000000000-mapping.dmp

Download
memory/4636-162-0x0000000000000000-mapping.dmp

Download
memory/4656-163-0x0000000000000000-mapping.dmp

Download
memory/4728-179-0x0000000000000000-mapping.dmp

Download
memory/4868-152-0x0000000000000000-mapping.dmp

Download
memory/4904-153-0x0000000000000000-mapping.dmp

Download
memory/4912-160-0x0000000000000000-mapping.dmp

Download
memory/4940-155-0x0000000000000000-mapping.dmp

Download
memory/4968-156-0x0000000000000000-mapping.dmp

Download
memory/4980-161-0x0000000000000000-mapping.dmp

Download
memory/4988-180-0x0000000000000000-mapping.dmp

Download
memory/5012-157-0x0000000000000000-mapping.dmp

Download
memory/5088-177-0x0000000000000000-mapping.dmp

Download
memory/5100-168-0x0000000000000000-mapping.dmp

Download
memory/5116-171-0x0000000000000000-mapping.dmp

Download