hive | c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

Resubmissions

28-07-2024 16:38

240728-t5tryssgmm 10

07-07-2024 14:07

240707-rfgd8atekm 10

07-07-2024 14:07

240707-re689awdpe 10

13-09-2022 17:54

220913-wg1lpsgbg7 10

Analysis

max time kernel
1687s
max time network
1703s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2022 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RansomwareSamples/Hive_17_07_2021_808KB.exe
Size

808KB
MD5

504bd1695de326bc533fde29b8a69319
SHA1

67f0c8d81aefcfc5943b31d695972194ac15e9f2
SHA256

a0b4e3d7e4cd20d25ad2f92be954b95eea44f8f1944118a3194295c5677db749
SHA512

18c5b28bafb13edf47f6a2b803d9d9a914945f037b266a765f2a324842c5ef04ebda27eba31851d2d63e00779a42900e0edfe4ad5bd817eb4f43fa4d4e3a4767
SSDEEP

24576:lafTGwLNdRk4RBtr/ioF4/I+CMx3cMt3/4KFG8Qz4YwY:IT7dRFr/ioFjicMtvV4z

Score

10^/10

hive persistence ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\HOW_TO_DECRYPT.txt

Family

hive

Ransom Note

Your network has been breached and all data were downloaded and encrypted. To decrypt all the data or to prevent it from leakage at our website and in mass media you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: YHPvB2jr2wVr Password: XCa9f3xkQEGvXRegAz6o Follow the guidelines below to avoid losing your data: - Do not shutdown or reboot your computers, unmount external storages. - Do not try to decrypt data using third party software. It may cause irreversible damage. - Do not fool yourself. Encryption has perfect secrecy and it's impossible to decrypt without knowing the key. - Do not modify, rename or delete *.key.` + config.Extension + ` files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to authorities. The negotiation process will be terminated immediately and the key will be erased. - Do not reject to purchase. Your sensitive data will be publicly disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

URLs

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

Signatures

Detects Go variant of Hive Ransomware 2 IoCs

Processes:

resource	yara_rule
behavioral11/memory/4652-133-0x0000000000210000-0x00000000004E9000-memory.dmp	hive_go
behavioral11/memory/4652-204-0x0000000000210000-0x00000000004E9000-memory.dmp	hive_go

Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops file in Drivers directory 25 IoCs

Processes:

Hive_17_07_2021_808KB.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\de-DE\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\drivers\es-ES\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\drivers\etc\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\drivers\it-IT\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\drivers\de-DE\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\drivers\en-US\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\drivers\ja-JP\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\drivers\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\drivers\DriverData\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\drivers\UMDF\it-IT\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\drivers\UMDF\ja-JP\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\drivers\UMDF\de-DE\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\drivers\UMDF\es-ES\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\drivers\UMDF\fr-FR\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\drivers\UMDF\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\drivers\fr-FR\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Active Setup\Installed Components

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Active Setup\Installed Components

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Hive_17_07_2021_808KB.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\CopyImport.tif.jyHSBdxMlIpZX6RkIOR1JzNA6EsCFhEJ7a62Aqumbzg.hive	Hive_17_07_2021_808KB.exe
File renamed	C:\Users\Admin\Pictures\WaitPush.raw => C:\Users\Admin\Pictures\WaitPush.raw.jyHSBdxMlIpZX6RkIOR1J5Hkc8zBinUNxNUPDLPRYEI.hive	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\Pictures\WaitPush.raw.jyHSBdxMlIpZX6RkIOR1J5Hkc8zBinUNxNUPDLPRYEI.hive	Hive_17_07_2021_808KB.exe
File renamed	C:\Users\Admin\Pictures\CopyImport.tif => C:\Users\Admin\Pictures\CopyImport.tif.jyHSBdxMlIpZX6RkIOR1JzNA6EsCFhEJ7a62Aqumbzg.hive	Hive_17_07_2021_808KB.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral11/memory/4652-132-0x0000000000210000-0x00000000004E9000-memory.dmp	upx
behavioral11/memory/4652-133-0x0000000000210000-0x00000000004E9000-memory.dmp	upx
behavioral11/memory/4652-204-0x0000000000210000-0x00000000004E9000-memory.dmp	upx

Drops startup file 4 IoCs

Processes:

Hive_17_07_2021_808KB.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.jyHSBdxMlIpZX6RkIOR1J6pxNMOcVKVuPNiFaVXXKC8.hive	Hive_17_07_2021_808KB.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Hive_17_07_2021_808KB.exe

Loads dropped DLL 2 IoCs

Processes:

pid process

3044
3044
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3044
3044

Drops desktop.ini file(s) 64 IoCs

Processes:

Hive_17_07_2021_808KB.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Public\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	Hive_17_07_2021_808KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Hive_17_07_2021_808KB.exe

Drops file in System32 directory 64 IoCs

Processes:

Hive_17_07_2021_808KB.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Configuration\Registration\MSFT_FileDirectoryConfiguration\en-US\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0011\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\DiagSvcs\fr-FR\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmusrg.inf_amd64_bb7c44c7bb3664d0\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\PointOfService\ProtocolProviders\es-ES\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\config\systemprofile\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_EnvironmentResource\en-US\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_barcodescanner.inf_amd64_266a07997c075b30\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\Speech\SpeechUX\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Dism\de\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\migration\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Dism\ja\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\fr\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_UserResource\it-IT\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netlldp.inf_amd64_fbd4bbbad72f0e6b\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\Data Integrity Scan\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\es-ES\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\001a\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\SysWOW64\Speech\Engines\SR\es-ES\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_scmvolume.inf_amd64_de693592afe8a496\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netpgm.inf_amd64_e099e4a7092b374c\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\PerceptionSimulation\de-DE\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\de\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\it-IT\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\Configuration\Schema\MSFT_FileDirectoryConfiguration\it-IT\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ServiceResource\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\InputMethod\CHS\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\migwiz\replacementmanifests\microsoft-windows-shmig\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\CodeIntegrity\CiPolicies\Staged\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Appx\en-US\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\Configuration\ConfigurationStatus\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\DriverStore\FileRepository\lsi_sas3i.inf_amd64_79c7a4d8be0a9744\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl008.inf_amd64_c0d977e565fdc839\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wdmvsc.inf_amd64_8666ee4da6ad6325\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\ja-JP\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\spp\tokens\skus\ProfessionalSingleLanguage\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\DriverStore\FileRepository\umpass.inf_amd64_3daa9a904daf9501\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtdkj3.inf_amd64_9658f2eb83f061c9\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\SysWOW64\IME\SHARED\res\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\SysWOW64\Speech_OneCore\VoiceActivation\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess\it-IT\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\it-IT\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetworkTransition\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ArchiveResource\es-ES\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAny\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\ja\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\fr-FR\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\SysWOW64\Speech\SpeechUX\fr-FR\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_camera.inf_amd64_7b52a9607d24ece6\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_netdriver.inf_amd64_2d569d832b41b8df\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmti.inf_amd64_bcde2913bb6ccf3d\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rtux64w10.inf_amd64_d6132e4c7fe2fac6\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\FileHistory\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\ja-jp\Licenses\OEM\Professional\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_mcx.inf_amd64_fcbcc3807cbf63ec\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\Device Setup\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\USB\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\spp\tokens\issuance\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ServiceResource\de-DE\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\SysWOW64\Speech_OneCore\Engines\TTS\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe

Drops file in Program Files directory 64 IoCs

Processes:

Hive_17_07_2021_808KB.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\GLTFTextTemplate.json	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ca-es\ui-strings.js	Hive_17_07_2021_808KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\libGLESv2.dll	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\NoConnection.scale-200.png	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\net.dll.jyHSBdxMlIpZX6RkIOR1JyNBQcls7wwPJqWtKhEB1UQ.hive	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageSmallTile.scale-100.png	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\MedTile.scale-100.png	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-30_altform-unplated_contrast-high.png	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-heap-l1-1-0.dll.jyHSBdxMlIpZX6RkIOR1JxMezN7t9PpbFRuMwvgDAG4.hive	Hive_17_07_2021_808KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\ui-strings.js	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Engine.resources.dll	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_contrast-white.png	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\home-selector.css.jyHSBdxMlIpZX6RkIOR1J_BG0wnlGbATAK1cQyqXAiY.hive	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\leftnav.gif	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-heap-l1-1-0.dll	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-32_contrast-black.png	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ppd.xrm-ms.jyHSBdxMlIpZX6RkIOR1JzuV0AdOhuAcw4LlDSc_Akw.hive	Hive_17_07_2021_808KB.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\da-DK\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\es-ES\MSFT_PackageManagement.strings.psd1	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libshm_plugin.dll.jyHSBdxMlIpZX6RkIOR1J3x7mKjdhFxAxKgYCTH0ChQ.hive	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\WordCapabilities.json	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_zh_4.4.0.v20140623020002.jar.jyHSBdxMlIpZX6RkIOR1J8QYs8qH5F8vIn3q25UwvEk.hive	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.resources.dll	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\setup_wm.exe.mui	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedge.exe.jyHSBdxMlIpZX6RkIOR1J_yQvjBzHrd1uBk5cltN_zo.hive	Hive_17_07_2021_808KB.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\104.0.1293.47\WidevineCdm\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\resource.dll.jyHSBdxMlIpZX6RkIOR1J4W8LzX9o5pWRjFmcDqHEh0.hive	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\ResizeSearch.midi	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosLargeTile.scale-200.png	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeWideTile.scale-400.png	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupSmallTile.scale-100.png	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_contrast-black.png	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\Context.snippets.ps1xml	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libdmo_plugin.dll.jyHSBdxMlIpZX6RkIOR1J6MmJ0BDRkQjjixD1Ryd6Rw.hive	Hive_17_07_2021_808KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sendforcomments_18.svg.jyHSBdxMlIpZX6RkIOR1J8bPx_1EZQsMIjsY87jmgQo.hive	Hive_17_07_2021_808KB.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sr-Latn-RS\View3d\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-si\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul-oob.xrm-ms	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSquare71x71Logo.scale-100_contrast-white.png	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2891029575-1462575-1165213807-1000-MergedResources-0.pri	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nb-no\ui-strings.js	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\GrooveIntlResource.dll.jyHSBdxMlIpZX6RkIOR1JxoMSvE-cQwG6YR11hXXFyg.hive	Hive_17_07_2021_808KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE.jyHSBdxMlIpZX6RkIOR1JyBPnEijb55MS0I2p_2Rs3I.hive	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\th_get.svg	Hive_17_07_2021_808KB.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\he-il\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_zh_4.4.0.v20140623020002.jar	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\librawvideo_plugin.dll	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\Windows Portable Devices\sqmapi.dll	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-400.png	Hive_17_07_2021_808KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reject_18.svg.jyHSBdxMlIpZX6RkIOR1J9MT0TVGOxIVHVSaDz84RGo.hive	Hive_17_07_2021_808KB.exe

Drops file in Windows directory 64 IoCs

Processes:

Hive_17_07_2021_808KB.exe

description	ioc	process
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\EventViewer\c4e350255dfdcb7457109e297b572b31\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mapi.resources_31bf3856ad364e35_10.0.19041.1_it-it_6d16f6df53c09e3e\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..lers-assignedaccess_31bf3856ad364e35_10.0.19041.844_none_685e75c3526a8f72\f\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack-msg_31bf3856ad364e35_10.0.19041.1_none_f4907776ca64ee01\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..nt-extupdatesupport_31bf3856ad364e35_10.0.19041.1288_none_a2ab1a53a8015ca0\f\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_system.runtime.seri..ion.formatters.soap_b03f5f7f11d50a3a_4.0.15805.0_none_a3187ab90ef96584\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-wlanutil.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c6c3eff4778a50d6\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-w..omponents.resources_31bf3856ad364e35_10.0.19041.1_de-de_05e628f2425e0e3d\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Routing\v4.0_4.0.0.0__31bf3856ad364e35\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_10.0.19041.1_es-es_1fe7defa935741c8\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_436a0ea20244775e\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..n-desktop.resources_31bf3856ad364e35_10.0.19041.1_es-es_efa602ea761a79e2\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_10.0.19041.1_en-us_c75e61f00b6f9cc9\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-wmi-core-framedyn-dll_31bf3856ad364e35_10.0.19041.1_none_ed3038778f56ec0b\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\INF\rdyboost\0C0A\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\XsdBuildTask\v4.0_4.0.0.0__31bf3856ad364e35\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-netevent.resources_31bf3856ad364e35_10.0.19041.1_es-es_3844e7b65b1bcfb0\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-pnpibs_31bf3856ad364e35_10.0.19041.572_none_1fcf5277cadc6026\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_percsas3i.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_2bfb26d4b8d6e599\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_system.configuration.install.resources_b03f5f7f11d50a3a_4.0.15805.0_it-it_4aca3e168d48e7f7\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ropertiesprotection_31bf3856ad364e35_10.0.19041.1_none_23f80ea3f041fc17\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-security-tokenbroker_31bf3856ad364e35_10.0.19041.264_none_8be8c2693dde2cd4\r\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_dual_ntprint4.inf_31bf3856ad364e35_10.0.19041.746_none_284758abe10778d6\r\Amd64\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..ectortool.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_ce3554a78295c6fb\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..-protocol-host-peer_31bf3856ad364e35_10.0.19041.1266_none_d8d95eb2789b7e94\r\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..epassword.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_5996a1100d25e4d1\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_sr-..-rs_b2c524b47939e030\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_windows-defender-events.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_3b67e736673432fd\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..licymaker.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_bc35a3458dd5307c\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P655586bb#\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-directshow-other_31bf3856ad364e35_10.0.19041.746_none_f59f7d1873ea96d3\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_hidserv.inf.resources_31bf3856ad364e35_10.0.19041.1_de-de_33393cacf6096fb6\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..y-mdmcommon-onecore_31bf3856ad364e35_10.0.19041.746_none_b9ad1f8b13fd3844\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..rtmonitor.resources_31bf3856ad364e35_10.0.19041.1_en-us_1a2bd483e31bef4d\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-rundll32.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_318cd87af60841ec\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-snmp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_59f3392933473388\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..ry-client.resources_31bf3856ad364e35_10.0.19041.1_it-it_086c0f8cac01d281\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devices-usb-winrt_31bf3856ad364e35_10.0.19041.746_none_5bb989aed3172891\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\x86_installutil_b03f5f7f11d50a3a_10.0.19041.1_none_3c6036d4b220f210\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_dual_c_1394.inf_31bf3856ad364e35_10.0.19041.1_none_6118cd98bdc15ff6\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_dual_ialpss2i_i2c_cnl.inf_31bf3856ad364e35_10.0.19041.1_none_e1395f58f605b89f\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-identitylistener_31bf3856ad364e35_10.0.19041.746_none_5775da15bab2bf7e\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-directx-rgbrast_31bf3856ad364e35_10.0.19041.1_none_2a49305896d76af4\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..tformkeystorage-dll_31bf3856ad364e35_10.0.19041.1237_none_3aea6e005e0f18b4\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..fcounters.resources_31bf3856ad364e35_10.0.19041.1_de-de_3170a3f58c8b129c\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_product-onecore__mi..fp_ag.inf.resources_31bf3856ad364e35_10.0.19041.1_it-it_b0a77e0a92b7071d\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-a..sourcepolicy-client_31bf3856ad364e35_10.0.19041.546_none_e319a13e33d21f29\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-protectedstorage_31bf3856ad364e35_10.0.19041.1_none_088ecc70041d0d1a\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\wow64_microsoft.tpm.commands.resources_31bf3856ad364e35_10.0.19041.1_it-it_b63afbea2a07cd46\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-xwizards_31bf3856ad364e35_10.0.19041.746_none_6075ff4ed207cf16\f\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-fontview.resources_31bf3856ad364e35_10.0.19041.1_en-us_89fd25c62d2f55b6\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ing-shell-extension_31bf3856ad364e35_10.0.19041.546_none_e87b1e248312d04d\f\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-web-app-host-ext_31bf3856ad364e35_10.0.19041.1_none_1da5024be9c69660\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_netwlv64.inf.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_7978e0a7aa6d68b1\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_wvms_vspp.inf.resources_31bf3856ad364e35_10.0.19041.1_es-es_a5be08da7fac07e2\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\msil_system.configuration.install_b03f5f7f11d50a3a_10.0.19041.1_none_4ca9f49909a66cbc\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-speechcommon_31bf3856ad364e35_10.0.19041.264_none_be3893cb65ecff6c\f\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-a..ecore-onecore-other_31bf3856ad364e35_10.0.19041.488_none_8dd57691266afe00\r\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-deviceflows-datamodel_31bf3856ad364e35_10.0.19041.906_none_f9e06dde35eb611f\r\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_hyperv-computelib-core_31bf3856ad364e35_10.0.19041.1266_none_1d9f9e38bb8f2bbd\r\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-userdataaccess-poom_31bf3856ad364e35_10.0.19041.746_none_dbcfe9f4816f51e1\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\3082\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_10.0.19041.1023_it-it_ec78adf2ef3d4269\r\HOW_TO_DECRYPT.txt	Hive_17_07_2021_808KB.exe

Program crash 2 IoCs

Processes:

pid pid_target process target process

4524 3044
1848 1396

pid	pid_target	process	target process
4524	3044
1848	1396

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
1912
444
4260
5028
4224
4968
512
2884
4560
4632
1180
2064
2788
4860
3276
4328
1364
5012
3192
4968
3872
4680
2772
3532
532	timeout.exe
3504	timeout.exe
3712
4260
1164
4580
4776
3564
1288
4780	timeout.exe
3104	timeout.exe
3996
4304
1800
1456
2896
4636
1708	timeout.exe
3528
1936
1116
2408
516
3492
3708
4356
2360
4828
5064
3484
536
4624
868
4768
4336
2280	timeout.exe
3268
3000
1300
4388

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2376 vssadmin.exe

pid	process
2376	vssadmin.exe

Modifies registry class 1 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2891029575-1462575-1165213807-1000\{2A4D9479-9538-4F5F-9586-532562824206}

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Hive_17_07_2021_808KB.exe

pid process

4652 Hive_17_07_2021_808KB.exe
4652 Hive_17_07_2021_808KB.exe

pid	process
4652	Hive_17_07_2021_808KB.exe
4652	Hive_17_07_2021_808KB.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

vssvc.exe

description	pid	process
Token: SeBackupPrivilege	2068	vssvc.exe
Token: SeRestorePrivilege	2068	vssvc.exe
Token: SeAuditPrivilege	2068	vssvc.exe
Token: SeShutdownPrivilege	1396
Token: SeCreatePagefilePrivilege	1396
Token: SeShutdownPrivilege	1396
Token: SeCreatePagefilePrivilege	1396
Token: SeShutdownPrivilege	1396
Token: SeCreatePagefilePrivilege	1396
Token: SeShutdownPrivilege	1396
Token: SeCreatePagefilePrivilege	1396
Token: SeShutdownPrivilege	1396
Token: SeCreatePagefilePrivilege	1396
Token: SeShutdownPrivilege	1396
Token: SeCreatePagefilePrivilege	1396

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

pid process

1396
1396
1396
1396
1396
1396
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

pid process

1396
1396
1396
1396
1396
1396
1396
1396

pid	process
1396
1396
1396
1396
1396
1396

pid	process
1396
1396
1396
1396
1396
1396
1396
1396

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Hive_17_07_2021_808KB.execmd.execmd.exe

description	pid	process	target process
PID 4652 wrote to memory of 4296	4652	Hive_17_07_2021_808KB.exe	cmd.exe
PID 4652 wrote to memory of 4296	4652	Hive_17_07_2021_808KB.exe	cmd.exe
PID 4652 wrote to memory of 4204	4652	Hive_17_07_2021_808KB.exe	cmd.exe
PID 4652 wrote to memory of 4204	4652	Hive_17_07_2021_808KB.exe	cmd.exe
PID 4204 wrote to memory of 2376	4204	cmd.exe	vssadmin.exe
PID 4204 wrote to memory of 2376	4204	cmd.exe	vssadmin.exe
PID 4296 wrote to memory of 1932	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 1932	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 4208	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 4208	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 220	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 220	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 4040	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 4040	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 4840	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 4840	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 4020	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 4020	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 2892	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 2892	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 1772	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 1772	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 2272	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 2272	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 2452	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 2452	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 5084	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 5084	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 2756	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 2756	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 2244	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 2244	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 4524	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 4524	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 1640	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 1640	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 2280	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 2280	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 3340	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 3340	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 4532	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 4532	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 1808	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 1808	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 4572	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 4572	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 4368	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 4368	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 2088	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 2088	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 4264	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 4264	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 2628	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 2628	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 624	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 624	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 2400	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 2400	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 868	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 868	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 2276	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 2276	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 3332	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 3332	4296	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1932
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4208
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:220
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4040
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4840
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4020
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2892
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1772
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2272
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2452
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5084
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2756
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2244
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4524
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1640
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2280
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3340
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4532
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1808
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4572
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4368
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2088
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4264
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2628
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:624
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2400
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:868
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2276
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3332
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4436
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4420
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4624
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:448
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3652
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2888
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1548
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3212
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2972
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4176
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4768
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:812
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4492
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1556
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4464
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4604
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3932
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4684
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4276
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:532
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1456
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2324
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3144
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5048
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2212
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1756
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3504
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3016
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4772
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2600
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1480
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2360
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5036
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4920
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1600
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3040
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4220
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1996
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1064
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:404
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1404
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4028
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:872
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3544
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3800
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4868
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4876
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3940
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4080
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4964
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2316
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3988
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4344
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3276
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1592
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1940
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3372
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3948
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:220
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4460
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4272
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3376
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4020
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4608
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2744
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3552
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2272
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2024
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2792
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3480
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2772
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2244
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1188
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1320
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4144
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3340
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3796
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3172
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4172
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4572
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4368
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2808
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:272
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:288
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4544
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1584
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3440
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2084
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3712
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2388
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2412
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2400
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2492
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1088
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1008
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2436
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4436
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4616
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3092
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2840
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:448
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3328
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3532
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3100
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2040
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3212
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4232
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3820
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1820
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3776
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:812
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5012
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3616
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1868
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3272
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4604
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4560
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4780
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:808
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1896
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:532
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1848
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4756
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2640
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4340
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5048
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1704
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1984
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1348
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2248
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3016
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3492
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2896
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1364
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2184
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1860
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2072
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4112
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2820
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4136
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2308
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4400
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2876
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:844
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:760
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3004
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5040
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1292
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4072
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3740
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3956
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3964
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4948
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1180
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2676
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1300
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3936
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4248
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1924
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4224
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4208
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4036
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:212
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4040
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4452
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1724
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4600
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3028
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2064
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1644
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2568
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2572
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5084
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2756
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4384
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4972
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3872
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4408
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1640
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5076
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2344
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4836
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2868
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3172
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4172
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4572
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4368
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2808
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:272
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1372
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4304
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1708
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:744
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3020
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:624
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2760
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3036
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3368
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4952
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:868
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2276
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1016
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3256
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4612
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4420
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3092
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2840
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:448
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3328
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1548
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3100
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1340
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4812
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1208
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2972
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4176
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4768
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4816
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3068
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:812
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5012
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3616
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1868
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3272
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4604
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4560
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4780
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2616
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3640
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5052
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1116
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2324
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2264
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2768
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2220
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5028
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1756
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3504
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2284
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4748
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3464
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2896
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1364
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2360
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5036
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2764
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2096
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2820
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1244
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4396
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1064
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:404
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4092
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4888
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:872
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4580
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4160
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4016
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1484
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3268
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2256
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3972
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4860
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4288
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1288
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4236
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3528
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3936
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4248
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1924
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1692
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3948
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4740
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4024
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4460
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4272
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3376
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4488
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1772
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1152
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2780
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2076
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2452
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2776
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5004
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4704
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5104
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2320
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4660
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1320
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4144
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4632
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3796
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1808
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3540
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1960
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1156
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:268
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:284
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1588
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4448
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4988
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2384
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2084
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3712
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3524
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1624
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3000
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2400
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4528
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:868
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2276
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1016
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3256
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4612
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4420
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3092
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2840
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:448
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3328
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3532
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:512
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2040
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3212
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1208
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2972
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4176
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1120
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3580
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2328
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4536
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4464
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3408
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1800
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3124
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4456
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3804
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4276
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:808
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2232
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3232
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2236
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2304
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1596
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3468
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1396
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5048
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1704
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3380
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1348
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2248
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3016
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2836
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1480
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1236
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1364
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2360
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5036
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2764
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2096
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2820
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1244
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4396
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1064
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:404
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4092
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4888
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:872
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4580
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4160
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3800
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4868
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4876
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3960
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4080
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4964
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2316
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3988
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1356
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2828
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1768
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4832
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3636
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:208
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:224
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:212
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1164
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4452
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4596
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2892
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3028
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2064
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3968
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2568
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2024
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5084
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2756
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2772
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4972
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4520
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2280
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3180
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5076
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:396
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:980
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2868
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1920
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4172
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2088
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:280
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:296
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:272
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1584
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4304
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3120
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2388
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3008
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3000
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2400
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4528
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:868
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2276
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1016
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3256
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4612
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4004
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1864
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1296
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3364
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3100
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4360
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2216
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4300
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2448
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1820
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4168
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1556
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5012
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:456
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1136
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3320
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1040
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4604
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4560
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4780
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3352
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:808
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2232
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3232
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2236
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2304
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1596
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3500
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2212
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2224
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5028
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2916
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5108
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4376
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4748
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4788
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2600
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2156
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1860
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2072
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4920
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4320
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1916
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4444
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4400
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2876
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4372
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4996
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4540
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1912
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1292
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:432
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4016
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1484
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3268
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4968
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2424
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4860
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4288
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2676
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4344
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3276
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3604
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1932
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3756
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3372
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:220
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4740
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4040
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3452
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2008
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1724
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2892
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4608
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2744
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3552
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2272
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2788
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5088
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3480
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3840
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2244
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3872
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4408
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1640
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3224
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:396
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4836
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1780
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3608
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1948
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:264
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:276
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:292
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2376
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2704
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4264
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3908
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4472
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1088
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4644
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2436
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3104
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4624
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:380
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3092
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2840
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:448
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3328
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3532
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:512
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3212
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4800
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:812
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3592
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1136
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2312
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4456
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1040
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4956
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1896
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:532
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2884
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2640
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3944
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4340
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4032
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2220
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5064
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1756
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3600
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4772
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4496
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3492
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2896
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2184
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2464
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5024
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4112
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1600
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4136
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4220
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2308
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4444
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1404
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:760
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4092
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5040
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:872
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4580
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4504
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3800
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4868
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4876
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3964
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4080
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4860
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2676
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4344
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1940
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3276
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1932
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3756
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4840
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3372
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4740
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4040
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4480
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2008
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2460
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4596
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4608
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2064
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3968
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2568
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2024
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4384
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5044
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2772
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2244
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4520
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4408
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3180
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3224
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5076
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:980
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2868
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1960
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1156
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:268
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:284
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1588
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4448
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:516
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2388
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3000
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2492
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4528
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:444
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4640
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2200
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3084
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4420
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4004
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3652
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4552
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4744
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3100
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2040
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1208
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2448
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5012
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4348
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1800
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3124
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4604
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2000
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1456
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5052
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3176
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2640
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3944
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4340
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4032
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2512
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2220
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1756
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3600
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3464
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4772
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3492
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2600
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2896
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2464
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5024
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4112
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1600
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4136
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4220
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2308
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4444
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1404
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:760
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4092
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4540
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1292
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4892
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:432
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2256
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3268
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5000
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2424
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4948
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1300
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3528
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3936
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2828
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4208
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1692
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1532
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:100
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4328
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4024
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4480
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1952
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3028
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2056
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2572
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2792
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:864
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5004
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4704
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3480
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2280
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4144
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4632
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3796
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1808
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3172
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2356
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4572
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4368
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2808
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:296
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1372
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4304
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2704
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4952
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2400
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1008
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:868
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2276
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1016
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3256
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4612
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2432
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1864
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2840
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:448
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3328
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:948
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4360
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4232
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2976
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:632
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3408
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3272
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1408
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4684
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1896
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2000
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1456
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5052
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3176
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2640
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3944
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4340
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3500
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1984
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5028
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3380
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5108
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2248
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4376
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4788
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1480
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4280
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1860
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2360
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2072
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2820
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3680
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1064
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4996
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3004
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:372
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5040
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:872
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4580
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4504
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3800
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4868
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4876
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1288
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4080
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3988
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2676
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4344
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1940
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3276
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1932
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3756
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4840
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3372
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4740
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4488
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2460
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4596
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4944
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2892
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2064
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3968
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2272
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4828
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5004
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4704
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3480
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4000
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4408
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3180
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1640
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3892
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4836
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1920
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4172
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2088
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2808
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:276
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1372
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1584
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3120
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2136
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2204
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1008
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4284
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:444
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4616
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1648
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2832
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1552
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3092
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1548
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1836
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4992
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:948
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4360
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4232
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2976
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1868
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:456
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1136
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1332
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4456
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3352
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:532
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2884
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2208
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1928
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2264
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2768
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4340
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2512
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2220
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1756
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3600
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3464
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4772
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3492
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2600
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2896
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2464
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5024
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4112
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3108
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2308
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4444
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1404
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4888
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1912
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5100
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1292
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4892
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:432
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2256
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3268
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4808
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3964
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1192
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4860
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2004
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3604
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4248
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1924
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4036
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:220
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:224
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4412
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1164
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4600
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1772
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1644
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4900
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2056
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2452
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2792
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:864
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5084
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2756
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5104
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3340
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4520
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3812
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3224
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:396
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:980
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1780
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2356
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4276
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1156
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:264
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:284
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:292
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4448
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4304
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2388
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3000
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4472
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4528
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4436
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4640
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3104
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4624
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4612
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2432
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1864
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2840
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4744
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3328
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2216
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1208
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4568
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5012
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3592
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1800
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3124
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4604
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3640
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1896
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3144
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2324
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2304
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1496
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3468
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1396
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3500
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1704
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3504
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1348
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2140
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4748
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4164
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4788
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1480
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2156
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:60
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4920
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2072
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4220
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2876
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:404
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:364
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:760
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4092
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1764
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4636
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4016
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1484
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3740
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3956
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4968
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4288
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2316
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4236
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1356
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1592
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1768
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4832
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3636
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3948
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:208
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3372
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4460
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3452
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1724
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3028
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4944
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2780
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2076
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3552
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2272
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2788
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5004
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:5044
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4452
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3872
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4520
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3812
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:3224
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:396
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:980
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1780
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:2356
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:4276
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:1156
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    PID:264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2376

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\desktop.ini

Filesize
129B

MD5
62992f53176260b66ad8725cb13ffc71

SHA1
7789e19894be8663d24f4a06c7ef768f16b621a5

SHA256
eef5a936c30107132579d3f15cb565eb64d79fe56d92c5b89267de4f4f43b0c3

SHA512
793e6a13ab7581c3c8b74e46c78be4dab1a75b09a2327594970e1048a4c803f527fe1184367a1fc6a61ced9be3a51580de71f2c6cf0201583710b90008da443e

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
1.7MB

MD5
c606bd7c9c733dd27f74157c34e51742

SHA1
aab92689723449fbc3e123fb614dd536a74b74d4

SHA256
606390649012b31b5d83630f1186562e4b1ce4023d8870d8c29eb62e7e0769e0

SHA512
5f8fabe3d9753413d1aedcc76b9568c50dd25a5a6aeacd1ce88aecc28c0ba96dac80177679d380708213a0997946e49383bdaca7114c8c9526a24ed999194e38

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcp140.dll

Filesize
613KB

MD5
c1b066f9e3e2f3a6785161a8c7e0346a

SHA1
8b3b943e79c40bc81fdac1e038a276d034bbe812

SHA256
99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd

SHA512
36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.jyHSBdxMlIpZX6RkIOR1J_sEcNlI7Bh-77zslchk1Xo.hive

Filesize
622KB

MD5
8c21e7a82041700d570ad128ac752e2c

SHA1
1a02d483ca9b1c005d37b4b6e5566f9183a628cf

SHA256
ecf62eb0fa98bfda6b8cbd17a61fed612bb56077abbb5c001c86eaeaae647209

SHA512
8f070c20acb9c74912ce16013a294563a2bb123990c022d2c4a8ad1151250759ea759ced2194d0b22a7ab7dc1526464468c95684e82de5a07a202049b7319d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\hive.bat

Filesize
232B

MD5
6358d970c3edccb57eae7dbf9f42d58f

SHA1
25b994c3b5604f4f67e1ac6250bc2f14ce690380

SHA256
9e36401051e677f69a82ab8fbdebd6b16210ee40612c8c7fa45ceb5d7757fe50

SHA512
44819fec7e90b903eece750d0a2de531520ed9e637e17e4a57786f9a61c6d4b95ff6072fc3530a9d35d8dc756bcfe20f80a6a07a72d35cf24b305053ae389131

Download Submit
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\shadow.bat

Filesize
57B

MD5
df5552357692e0cba5e69f8fbf06abb6

SHA1
4714f1e6bb75a80a8faf69434726d176b70d7bd8

SHA256
d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8

SHA512
a837555a1175ab515e2b43da9e493ff0ccd4366ee59defe6770327818ca9afa6f3e39ecdf5262b69253aa9e2692283ee8cebc97d58edd42e676977c7f73d143d

Download Submit
memory/220-142-0x0000000000000000-mapping.dmp

Download
memory/448-172-0x0000000000000000-mapping.dmp

Download
memory/532-188-0x0000000000000000-mapping.dmp

Download
memory/624-164-0x0000000000000000-mapping.dmp

Download
memory/812-180-0x0000000000000000-mapping.dmp

Download
memory/868-166-0x0000000000000000-mapping.dmp

Download
memory/1456-189-0x0000000000000000-mapping.dmp

Download
memory/1480-199-0x0000000000000000-mapping.dmp

Download
memory/1548-175-0x0000000000000000-mapping.dmp

Download
memory/1556-182-0x0000000000000000-mapping.dmp

Download
memory/1640-154-0x0000000000000000-mapping.dmp

Download
memory/1756-194-0x0000000000000000-mapping.dmp

Download
memory/1772-147-0x0000000000000000-mapping.dmp

Download
memory/1808-158-0x0000000000000000-mapping.dmp

Download
memory/1932-140-0x0000000000000000-mapping.dmp

Download
memory/2088-161-0x0000000000000000-mapping.dmp

Download
memory/2212-193-0x0000000000000000-mapping.dmp

Download
memory/2244-152-0x0000000000000000-mapping.dmp

Download
memory/2272-148-0x0000000000000000-mapping.dmp

Download
memory/2276-167-0x0000000000000000-mapping.dmp

Download
memory/2280-155-0x0000000000000000-mapping.dmp

Download
memory/2324-190-0x0000000000000000-mapping.dmp

Download
memory/2360-200-0x0000000000000000-mapping.dmp

Download
memory/2376-139-0x0000000000000000-mapping.dmp

Download
memory/2400-165-0x0000000000000000-mapping.dmp

Download
memory/2452-149-0x0000000000000000-mapping.dmp

Download
memory/2600-198-0x0000000000000000-mapping.dmp

Download
memory/2628-163-0x0000000000000000-mapping.dmp

Download
memory/2756-151-0x0000000000000000-mapping.dmp

Download
memory/2888-174-0x0000000000000000-mapping.dmp

Download
memory/2892-146-0x0000000000000000-mapping.dmp

Download
memory/2972-177-0x0000000000000000-mapping.dmp

Download
memory/3016-196-0x0000000000000000-mapping.dmp

Download
memory/3144-191-0x0000000000000000-mapping.dmp

Download
memory/3212-176-0x0000000000000000-mapping.dmp

Download
memory/3332-168-0x0000000000000000-mapping.dmp

Download
memory/3340-156-0x0000000000000000-mapping.dmp

Download
memory/3504-195-0x0000000000000000-mapping.dmp

Download
memory/3652-173-0x0000000000000000-mapping.dmp

Download
memory/3932-185-0x0000000000000000-mapping.dmp

Download
memory/4020-145-0x0000000000000000-mapping.dmp

Download
memory/4040-143-0x0000000000000000-mapping.dmp

Download
memory/4176-178-0x0000000000000000-mapping.dmp

Download
memory/4204-135-0x0000000000000000-mapping.dmp

Download
memory/4208-141-0x0000000000000000-mapping.dmp

Download
memory/4264-162-0x0000000000000000-mapping.dmp

Download
memory/4276-187-0x0000000000000000-mapping.dmp

Download
memory/4296-134-0x0000000000000000-mapping.dmp

Download
memory/4368-160-0x0000000000000000-mapping.dmp

Download
memory/4420-170-0x0000000000000000-mapping.dmp

Download
memory/4436-169-0x0000000000000000-mapping.dmp

Download
memory/4464-183-0x0000000000000000-mapping.dmp

Download
memory/4492-181-0x0000000000000000-mapping.dmp

Download
memory/4524-153-0x0000000000000000-mapping.dmp

Download
memory/4532-157-0x0000000000000000-mapping.dmp

Download
memory/4572-159-0x0000000000000000-mapping.dmp

Download
memory/4604-184-0x0000000000000000-mapping.dmp

Download
memory/4624-171-0x0000000000000000-mapping.dmp

Download
memory/4652-204-0x0000000000210000-0x00000000004E9000-memory.dmp

Filesize
2.8MB

Download
memory/4652-133-0x0000000000210000-0x00000000004E9000-memory.dmp

Filesize
2.8MB

Download
memory/4652-132-0x0000000000210000-0x00000000004E9000-memory.dmp

Filesize
2.8MB

Download
memory/4684-186-0x0000000000000000-mapping.dmp

Download
memory/4768-179-0x0000000000000000-mapping.dmp

Download
memory/4772-197-0x0000000000000000-mapping.dmp

Download
memory/4840-144-0x0000000000000000-mapping.dmp

Download
memory/5048-192-0x0000000000000000-mapping.dmp

Download
memory/5084-150-0x0000000000000000-mapping.dmp

Download