lockergoga | 1da6dea81ae8eae277897e88400a8985e400972784a1106134766750b96ec161

Analysis

max time kernel
81s
max time network
99s
platform
windows7_x64
resource
win7-20220414-en
submitted
03/05/2022, 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LockerGoga.exe
Size

1.2MB
MD5

e11502659f6b5c5bd9f78f534bc38fea
SHA1

b5fd5c913de8cbb8565d3c7c67c0fbaa4090122b
SHA256

c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15
SHA512

86c8d4556c9e0b7d60ccbfee430eb322388449506ab515549cb8d2785582671f2dc2d2a3bd9daded9853caa8bf94d9f92603a3bc527172a85dc7a83d701f7fd0

Score

10^/10

lockergoga banker persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Public\Desktop\README_LOCKED.txt

Ransom Note

Greetings! There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun. Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data. To confirm our honest intentions. Send us 2-3 different random files and you will get them decrypted. It can be from different computers on your network to be sure that our decoder decrypts everything. Sample files we unlock for free (files should not be related to any kind of backups). We exclusively have decryption software for your situation DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME the encrypted files. DO NOT MOVE the encrypted files. This may lead to the impossibility of recovery of the certain files. The payment has to be made in Bitcoins. The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security To get information on the price of the decoder contact us at: [email protected] [email protected]

Emails

[email protected]

Signatures

LockerGoga
LockerGoga is a ransomware that is primarily used in targeted, disruptive attacks.
trojan banker lockergoga
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\DismountRename.raw => C:\Users\Admin\Pictures\DismountRename.raw.locked	tgytutrc7331.exe
File renamed	C:\Users\Admin\Pictures\LockMove.png => C:\Users\Admin\Pictures\LockMove.png.locked	tgytutrc7331.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 42 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	tgytutrc7331.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	tgytutrc7331.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	tgytutrc7331.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	tgytutrc7331.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	tgytutrc7331.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	tgytutrc7331.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	tgytutrc7331.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	tgytutrc7331.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	tgytutrc7331.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	tgytutrc7331.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	tgytutrc7331.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	tgytutrc7331.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\gadget.xml	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_hover.png	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\currency.html	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\RSSFeeds.css	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_over.png	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\calendar.js	tgytutrc7331.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipBand.dll.mui	tgytutrc7331.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Curacao	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-last-quarter.png	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\setup_wm.exe.mui	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\weather.css	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\37.png	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_bottom.png	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\1.png	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\9.png	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_sml.png	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\gadget.xml	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\cpu.js	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\slideShow.js	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\library.js	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\flyout.html	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\cpu.html	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_rest.png	tgytutrc7331.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\highDpiImageSwap.js	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\back.png	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\cpu.html	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\RSSFeeds.js	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\localizedSettings.css	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\31.png	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\7.png	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\RSSFeeds.html	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down_BIDI.png	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\slideShow.css	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\23.png	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)grayStateIcon.png	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\settings.html	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\currency.css	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\settings.html	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\gadget.xml	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\45.png	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\drag.png	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\localizedStrings.js	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\gadget.xml	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\library.js	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_up.png	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\picturePuzzle.html	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\row_over.png	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)alertIcon.png	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\settings.html	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_over.png	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\activity16v.png	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\14.png	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\drag.png	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_windy.png	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_windy.png	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\currency.css	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\gadget.xml	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\daisies.png	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\clock.js	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\cpu.js	tgytutrc7331.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\logo.png	tgytutrc7331.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	Explorer.EXE
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	Explorer.EXE

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1700	1208	WerFault.exe	8

Modifies registry class 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_Classes\Local Settings	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1808	tgytutrc7331.exe
1808	tgytutrc7331.exe
1524	tgytutrc7331.exe
1524	tgytutrc7331.exe
1512	tgytutrc7331.exe
1808	tgytutrc7331.exe
1512	tgytutrc7331.exe
1808	tgytutrc7331.exe
1524	tgytutrc7331.exe
1524	tgytutrc7331.exe
1524	tgytutrc7331.exe
1524	tgytutrc7331.exe
1512	tgytutrc7331.exe
1512	tgytutrc7331.exe
1808	tgytutrc7331.exe
1808	tgytutrc7331.exe
1524	tgytutrc7331.exe
1524	tgytutrc7331.exe
1808	tgytutrc7331.exe
1808	tgytutrc7331.exe
1524	tgytutrc7331.exe
1524	tgytutrc7331.exe
1512	tgytutrc7331.exe
1512	tgytutrc7331.exe
1808	tgytutrc7331.exe
1808	tgytutrc7331.exe
1524	tgytutrc7331.exe
1524	tgytutrc7331.exe
1808	tgytutrc7331.exe
1808	tgytutrc7331.exe
1524	tgytutrc7331.exe
1524	tgytutrc7331.exe
1512	tgytutrc7331.exe
1512	tgytutrc7331.exe
1808	tgytutrc7331.exe
1808	tgytutrc7331.exe
1524	tgytutrc7331.exe
1524	tgytutrc7331.exe
1808	tgytutrc7331.exe
1808	tgytutrc7331.exe
1512	tgytutrc7331.exe
1512	tgytutrc7331.exe
1524	tgytutrc7331.exe
1524	tgytutrc7331.exe
1808	tgytutrc7331.exe
1808	tgytutrc7331.exe
1524	tgytutrc7331.exe
1524	tgytutrc7331.exe
1808	tgytutrc7331.exe
1808	tgytutrc7331.exe
1512	tgytutrc7331.exe
1512	tgytutrc7331.exe
1524	tgytutrc7331.exe
1524	tgytutrc7331.exe
1512	tgytutrc7331.exe
1512	tgytutrc7331.exe
1512	tgytutrc7331.exe
1512	tgytutrc7331.exe
1808	tgytutrc7331.exe
1808	tgytutrc7331.exe
1512	tgytutrc7331.exe
1512	tgytutrc7331.exe
1512	tgytutrc7331.exe
1512	tgytutrc7331.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
556	Explorer.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
836	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	968	LockerGoga.exe
Token: SeBackupPrivilege	968	LockerGoga.exe
Token: SeRestorePrivilege	968	LockerGoga.exe
Token: SeLockMemoryPrivilege	968	LockerGoga.exe
Token: SeCreateGlobalPrivilege	968	LockerGoga.exe
Token: SeDebugPrivilege	1984	tgytutrc7331.exe
Token: SeBackupPrivilege	1984	tgytutrc7331.exe
Token: SeRestorePrivilege	1984	tgytutrc7331.exe
Token: SeLockMemoryPrivilege	1984	tgytutrc7331.exe
Token: SeCreateGlobalPrivilege	1984	tgytutrc7331.exe
Token: SeDebugPrivilege	1512	tgytutrc7331.exe
Token: SeBackupPrivilege	1512	tgytutrc7331.exe
Token: SeRestorePrivilege	1512	tgytutrc7331.exe
Token: SeLockMemoryPrivilege	1512	tgytutrc7331.exe
Token: SeCreateGlobalPrivilege	1512	tgytutrc7331.exe
Token: SeDebugPrivilege	1524	tgytutrc7331.exe
Token: SeBackupPrivilege	1524	tgytutrc7331.exe
Token: SeRestorePrivilege	1524	tgytutrc7331.exe
Token: SeLockMemoryPrivilege	1524	tgytutrc7331.exe
Token: SeCreateGlobalPrivilege	1524	tgytutrc7331.exe
Token: SeDebugPrivilege	1808	tgytutrc7331.exe
Token: SeBackupPrivilege	1808	tgytutrc7331.exe
Token: SeRestorePrivilege	1808	tgytutrc7331.exe
Token: SeLockMemoryPrivilege	1808	tgytutrc7331.exe
Token: SeCreateGlobalPrivilege	1808	tgytutrc7331.exe
Token: SeDebugPrivilege	1804	tgytutrc7331.exe
Token: SeBackupPrivilege	1804	tgytutrc7331.exe
Token: SeRestorePrivilege	1804	tgytutrc7331.exe
Token: SeLockMemoryPrivilege	1804	tgytutrc7331.exe
Token: SeCreateGlobalPrivilege	1804	tgytutrc7331.exe
Token: SeDebugPrivilege	1836	tgytutrc7331.exe
Token: SeBackupPrivilege	1836	tgytutrc7331.exe
Token: SeRestorePrivilege	1836	tgytutrc7331.exe
Token: SeLockMemoryPrivilege	1836	tgytutrc7331.exe
Token: SeCreateGlobalPrivilege	1836	tgytutrc7331.exe
Token: SeDebugPrivilege	1072	tgytutrc7331.exe
Token: SeBackupPrivilege	1072	tgytutrc7331.exe
Token: SeRestorePrivilege	1072	tgytutrc7331.exe
Token: SeLockMemoryPrivilege	1072	tgytutrc7331.exe
Token: SeCreateGlobalPrivilege	1072	tgytutrc7331.exe
Token: SeDebugPrivilege	952	tgytutrc7331.exe
Token: SeBackupPrivilege	952	tgytutrc7331.exe
Token: SeRestorePrivilege	952	tgytutrc7331.exe
Token: SeLockMemoryPrivilege	952	tgytutrc7331.exe
Token: SeCreateGlobalPrivilege	952	tgytutrc7331.exe
Token: SeDebugPrivilege	560	tgytutrc7331.exe
Token: SeBackupPrivilege	560	tgytutrc7331.exe
Token: SeRestorePrivilege	560	tgytutrc7331.exe
Token: SeLockMemoryPrivilege	560	tgytutrc7331.exe
Token: SeCreateGlobalPrivilege	560	tgytutrc7331.exe
Token: SeDebugPrivilege	1308	tgytutrc7331.exe
Token: SeBackupPrivilege	1308	tgytutrc7331.exe
Token: SeRestorePrivilege	1308	tgytutrc7331.exe
Token: SeLockMemoryPrivilege	1308	tgytutrc7331.exe
Token: SeCreateGlobalPrivilege	1308	tgytutrc7331.exe
Token: SeDebugPrivilege	820	tgytutrc7331.exe
Token: SeBackupPrivilege	820	tgytutrc7331.exe
Token: SeRestorePrivilege	820	tgytutrc7331.exe
Token: SeLockMemoryPrivilege	820	tgytutrc7331.exe
Token: SeCreateGlobalPrivilege	820	tgytutrc7331.exe
Token: SeDebugPrivilege	1924	tgytutrc7331.exe
Token: SeBackupPrivilege	1924	tgytutrc7331.exe
Token: SeRestorePrivilege	1924	tgytutrc7331.exe
Token: SeLockMemoryPrivilege	1924	tgytutrc7331.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE
556	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 836	968	LockerGoga.exe	28
PID 968 wrote to memory of 836	968	LockerGoga.exe	28
PID 968 wrote to memory of 836	968	LockerGoga.exe	28
PID 968 wrote to memory of 836	968	LockerGoga.exe	28
PID 968 wrote to memory of 1984	968	LockerGoga.exe	30
PID 968 wrote to memory of 1984	968	LockerGoga.exe	30
PID 968 wrote to memory of 1984	968	LockerGoga.exe	30
PID 968 wrote to memory of 1984	968	LockerGoga.exe	30
PID 1984 wrote to memory of 1700	1984	tgytutrc7331.exe	42
PID 1984 wrote to memory of 1700	1984	tgytutrc7331.exe	42
PID 1984 wrote to memory of 1700	1984	tgytutrc7331.exe	42
PID 1984 wrote to memory of 1700	1984	tgytutrc7331.exe	42
PID 1984 wrote to memory of 1376	1984	tgytutrc7331.exe	41
PID 1984 wrote to memory of 1376	1984	tgytutrc7331.exe	41
PID 1984 wrote to memory of 1376	1984	tgytutrc7331.exe	41
PID 1984 wrote to memory of 1376	1984	tgytutrc7331.exe	41
PID 1984 wrote to memory of 1708	1984	tgytutrc7331.exe	39
PID 1984 wrote to memory of 1708	1984	tgytutrc7331.exe	39
PID 1984 wrote to memory of 1708	1984	tgytutrc7331.exe	39
PID 1984 wrote to memory of 1708	1984	tgytutrc7331.exe	39
PID 1984 wrote to memory of 1240	1984	tgytutrc7331.exe	36
PID 1984 wrote to memory of 1240	1984	tgytutrc7331.exe	36
PID 1984 wrote to memory of 1240	1984	tgytutrc7331.exe	36
PID 1984 wrote to memory of 1240	1984	tgytutrc7331.exe	36
PID 1984 wrote to memory of 2016	1984	tgytutrc7331.exe	34
PID 1984 wrote to memory of 2016	1984	tgytutrc7331.exe	34
PID 1984 wrote to memory of 2016	1984	tgytutrc7331.exe	34
PID 1984 wrote to memory of 2016	1984	tgytutrc7331.exe	34
PID 1984 wrote to memory of 1776	1984	tgytutrc7331.exe	32
PID 1984 wrote to memory of 1776	1984	tgytutrc7331.exe	32
PID 1984 wrote to memory of 1776	1984	tgytutrc7331.exe	32
PID 1984 wrote to memory of 1776	1984	tgytutrc7331.exe	32
PID 1776 wrote to memory of 1604	1776	net.exe	43
PID 1776 wrote to memory of 1604	1776	net.exe	43
PID 1776 wrote to memory of 1604	1776	net.exe	43
PID 1984 wrote to memory of 1740	1984	tgytutrc7331.exe	44
PID 1984 wrote to memory of 1740	1984	tgytutrc7331.exe	44
PID 1984 wrote to memory of 1740	1984	tgytutrc7331.exe	44
PID 1984 wrote to memory of 1740	1984	tgytutrc7331.exe	44
PID 1740 wrote to memory of 624	1740	net.exe	46
PID 1740 wrote to memory of 624	1740	net.exe	46
PID 1740 wrote to memory of 624	1740	net.exe	46
PID 1984 wrote to memory of 1524	1984	tgytutrc7331.exe	47
PID 1984 wrote to memory of 1524	1984	tgytutrc7331.exe	47
PID 1984 wrote to memory of 1524	1984	tgytutrc7331.exe	47
PID 1984 wrote to memory of 1524	1984	tgytutrc7331.exe	47
PID 1984 wrote to memory of 1512	1984	tgytutrc7331.exe	49
PID 1984 wrote to memory of 1512	1984	tgytutrc7331.exe	49
PID 1984 wrote to memory of 1512	1984	tgytutrc7331.exe	49
PID 1984 wrote to memory of 1512	1984	tgytutrc7331.exe	49
PID 1984 wrote to memory of 1808	1984	tgytutrc7331.exe	48
PID 1984 wrote to memory of 1808	1984	tgytutrc7331.exe	48
PID 1984 wrote to memory of 1808	1984	tgytutrc7331.exe	48
PID 1984 wrote to memory of 1808	1984	tgytutrc7331.exe	48
PID 1984 wrote to memory of 1804	1984	tgytutrc7331.exe	51
PID 1984 wrote to memory of 1804	1984	tgytutrc7331.exe	51
PID 1984 wrote to memory of 1804	1984	tgytutrc7331.exe	51
PID 1984 wrote to memory of 1804	1984	tgytutrc7331.exe	51
PID 1984 wrote to memory of 1836	1984	tgytutrc7331.exe	52
PID 1984 wrote to memory of 1836	1984	tgytutrc7331.exe	52
PID 1984 wrote to memory of 1836	1984	tgytutrc7331.exe	52
PID 1984 wrote to memory of 1836	1984	tgytutrc7331.exe	52
PID 1984 wrote to memory of 1072	1984	tgytutrc7331.exe	53
PID 1984 wrote to memory of 1072	1984	tgytutrc7331.exe	53

C:\Users\Admin\AppData\Local\Temp\LockerGoga.exe
"C:\Users\Admin\AppData\Local\Temp\LockerGoga.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c move /y C:\Users\Admin\AppData\Local\Temp\LockerGoga.exe C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
  2⤵
  - Suspicious behavior: RenamesItself
  PID:836
- C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
  C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -m
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\system32\net.exe
    C:\Windows\system32\net.exe user Admin HuHuHUHoHo283283@dJD
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Admin HuHuHUHoHo283283@dJD
      4⤵
      PID:1604
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:2016
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:1240
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:1708
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:1376
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:1700
- - C:\Windows\system32\net.exe
    C:\Windows\system32\net.exe user Administrator HuHuHUHoHo283283@dJD
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Administrator HuHuHUHoHo283283@dJD
      4⤵
      PID:624
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1804
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1836
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1072
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:560
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:952
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1308
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:820
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1696
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1368
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1752
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1736
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1776
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1640
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1740
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:380
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1624
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:524
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1244
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:700
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1996
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1688
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1564
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1428
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1376
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1324
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:552
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1716
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:2016
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:468
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:576
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Modifies extensions of user files
    PID:1872
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1628
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:888
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1648
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1788
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1568
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Modifies extensions of user files
    PID:300
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1804
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1552
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1388
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1280
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1756
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1144
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1324
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:560
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1664
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1600
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:828
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:428
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1412
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1936
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1604
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1068
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1628
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:748
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:2036
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1244
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1836
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1308
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:588
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:572
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1596
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1604
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1620
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:544
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1200
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1648
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:2036
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1612
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:2004
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1408
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1684
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:840
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:996
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1916
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:756
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1692
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1228
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1828
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:752
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1928
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:268
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1308
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:520
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1160
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1112
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1740
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1628
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops desktop.ini file(s)
    PID:888
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1176
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1656
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1976
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1400
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1580
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:2000
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:964
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1332
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1536
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops desktop.ini file(s)
    PID:1104
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1780
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops desktop.ini file(s)
    PID:1700
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1788
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1552
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1428
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1224
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1388
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:268
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1308
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops desktop.ini file(s)
    PID:520
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops desktop.ini file(s)
    PID:1160
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1112
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1740
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1628
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:896
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1656
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1976
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1400
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1580
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:2000
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1860
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1920
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1536
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:468
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1708
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1556
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1500
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1228
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1968
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops desktop.ini file(s)
    PID:1428
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1224
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1928
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:268
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1308
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1872
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1524
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    PID:1112
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:624
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1488
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:2008
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1252
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1416
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1852
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1912
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1580
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops desktop.ini file(s)
    PID:2000
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1860
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1412
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1916
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:756
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1492
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1692
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1376
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1552
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1828
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:752
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1560
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1388
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:428
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1432
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1208
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1604
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1444
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1200
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1624
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1648
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1612
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1976
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1400
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1420
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1856
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:996
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1264
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops desktop.ini file(s)
    PID:1332
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1940
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:956
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1492
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1692
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1376
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops desktop.ini file(s)
    PID:1552
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1828
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1988
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:828
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1368
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1308
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1488
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1648
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1252
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1212
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1684
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:800
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1164
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1268
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1920
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1936
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:468
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops desktop.ini file(s)
    PID:1780
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops desktop.ini file(s)
    PID:1788
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1244
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:928
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1836
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1176
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:752
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1560
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1388
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops desktop.ini file(s)
    PID:1224
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1020
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1368
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1484
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:544
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1444
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1740
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1496
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1200
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1812
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops desktop.ini file(s)
    PID:1308
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1488
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1648
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1252
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1912
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1420
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1856
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:996
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1536
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1104
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1708
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:956
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1556
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1788
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1228
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1968
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1428
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1796
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1532
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:2028
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:572
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1800
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1596
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:520
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1484
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:544
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1476
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1312
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1868
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1772
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1432
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1628
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:380
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1588
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1976
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1684
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1580
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:2000
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1860
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1332
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1940
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:756
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1160
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1500
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1544
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1280
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1504
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1452
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:2016
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1364
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:688
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:828
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:572
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1872
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1396
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1704
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1848
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1444
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:972
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1824
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1820
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1116
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:2008
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:2004
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1588
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1976
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1684
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1580
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1268
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:700
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1536
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1568
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1104
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1708
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1416
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1492
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1692
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1376
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1552
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1828
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1988
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:892
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1992
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:268
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1928
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1208
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1604
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1764
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:632
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1848
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1476
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1880
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1200
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1868
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:896
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1016
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1408
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1744
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1852
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1464
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:840
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:948
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:996
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1860
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1932
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1332
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1940
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:756
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1160
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1500
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1544
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1280
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1504
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1452
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:2016
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1532
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:2028
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:428
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1800
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1596
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:520
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1484
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1804
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:624
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1496
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:972
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1524
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1812
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1308
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1488
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1648
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1548
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:800
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1164
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1808
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:2000
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1380
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1724
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1472
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1412
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1708
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1780
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1924
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1244
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:928
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1836
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1176
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:752
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1364
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:688
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:828
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:572
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1872
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1396
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7331.exe -i SM-tgytutrc -s
    3⤵
    PID:1704

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1208 -s 1964
1⤵
- Program crash
PID:1700
- C:\Windows\Explorer.EXE
  "C:\Windows\Explorer.EXE"
  2⤵
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:556

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x594
1⤵
PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Caches\{1BDE2BEC-F8BB-49A7-86A6-70583750B264}.2.ver0x0000000000000002.db.locked

Filesize
1KB

MD5
04f5bf7139d7a675fef2277c194206cc

SHA1
2efce47c4ae8f03b4c004c8f58960ab0aac0229f

SHA256
4f506eb88c90b092492b7cbad663803e0306ca86cc5515858201597c2929fd3a

SHA512
51c43fd0e4743b41eac49b56ca2efcb749c13590437807aeb22adc7a772ba5fbbb0acc0d51274d23306881826620b913132f9feca05ce6891c62f6783357483b

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{D1D257AF-19CA-4490-9CF5-94E5FE5A38B0}.2.ver0x0000000000000001.db.locked

Filesize
2KB

MD5
582aec85a137f7e7da20a1b6c4a1e0d2

SHA1
486d10da5e3e1b4d4564208b66260a4f90acc2d7

SHA256
68c8925a3f8e999c7ac3e8ec39495b8815c3da01e41d8cb8b916cb2b68a1e20a

SHA512
d3eef0e74bf037d3175e3a9d6ebdbb25ded55bd6c00c21339aa69696f7913bf45602828d02f5f1cf153c2c7246bf47c8e489fc8d28e0a06920569c907e732bc2

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.locked

Filesize
405KB

MD5
8c41a887b8c9d66af47a2103a122e6d9

SHA1
b42a0a543909549ec05bd97d8987b15d29329d0f

SHA256
fe6f97b3ea948d31666a90628ffdad71ac61969131cabf448fee75b2b1d71de0

SHA512
7302c1a3324000f32212be58c46b9bb3cdb4c589078c308444703a4239b9828c2b42ec5d296db4145915d554291b5e56eb44563bac7d62b45ac299c4dce203c7

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{F2A1DD42-DF69-40B5-9914-4E6E1C4FC7FA}.2.ver0x0000000000000001.db.locked

Filesize
1KB

MD5
3aea3c989d2586b8c4ebdd955ed49cf2

SHA1
722525d0e197e49f55f3e7b972fd9695de0c8369

SHA256
5b6ea829039e313ff7c0215490822eddd8efec8acaa782be7c6730e35a3dc618

SHA512
8dfdde44ff1400ed8434eabb5c3b747db8b5b2f66fed240c16f2712e03de0d7abde4d8d9e7e787b70dd1cb526c97ba017d69e2ad0df7a7130f3bfc88e9a6bb74

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
memory/556-240-0x000007FEFB841000-0x000007FEFB843000-memory.dmp

Filesize
8KB

Download
memory/968-54-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download