xtremerat | 7ed3c71399fb4b0984ffb527a5877f928a7ede1295edf36f67690e2fe71d3798

Analysis

max time kernel
151s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1020457285.exe
Size

421KB
MD5

1f13d71974214e02ba361af8d9558288
SHA1

987c2c52cedb24cf2c094158a2597b9728edbe87
SHA256

b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa
SHA512

d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951
SSDEEP

6144:buIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLDOD6HHVdCcJmOd:C6Wq4aaE6KwyF5L0Y2D1PqLS6nucJvd

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

golij.redirectme.net

tiriberk.ddns.net

nikberkactivi.ddns.net

Signatures

Detect XtremeRAT payload 44 IoCs

resource	yara_rule
behavioral2/memory/4480-138-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4980-139-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral2/memory/4480-141-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4980-142-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4480-145-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3592-153-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3592-155-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3592-160-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3508-168-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral2/memory/3508-177-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/224-178-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3136-189-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/224-192-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4408-200-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3136-202-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3636-213-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4408-216-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4032-225-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3636-237-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4032-239-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3772-247-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4172-248-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1144-252-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral2/memory/4172-262-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3772-271-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3324-273-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1144-275-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1144-281-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4512-286-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3324-299-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3840-300-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4512-311-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3096-319-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2384-320-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2384-323-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3840-322-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3096-333-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4912-334-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4912-347-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2788-355-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2424-356-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2424-368-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4844-375-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3000-376-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Executes dropped EXE 64 IoCs

pid	Process
4444	TOL.exe
3592	TOL.exe
3492	TOL.exe
3500	TOL.exe
224	TOL.exe
3508	TOL.exe
2688	TOL.exe
3136	TOL.exe
4648	TOL.exe
4408	TOL.exe
3000	TOL.exe
3636	TOL.exe
3676	TOL.exe
4032	TOL.exe
4540	TOL.exe
4172	TOL.exe
4916	TOL.exe
3772	TOL.exe
2012	TOL.exe
1144	TOL.exe
1656	TOL.exe
3324	TOL.exe
3012	TOL.exe
4512	TOL.exe
2868	TOL.exe
3840	TOL.exe
1784	TOL.exe
2384	TOL.exe
4400	TOL.exe
3096	TOL.exe
3080	TOL.exe
4912	TOL.exe
4356	TOL.exe
2424	TOL.exe
3440	TOL.exe
2788	TOL.exe
4704	TOL.exe
3000	TOL.exe
4948	TOL.exe
4844	TOL.exe
3948	TOL.exe
1956	TOL.exe
4976	TOL.exe
4668	TOL.exe
3392	TOL.exe
2384	TOL.exe
4948	TOL.exe
3188	TOL.exe
2788	TOL.exe
2860	TOL.exe
4480	TOL.exe
2484	TOL.exe
4844	TOL.exe
4944	TOL.exe
4992	TOL.exe
2196	TOL.exe
1208	TOL.exe
4240	TOL.exe
440	TOL.exe
4948	TOL.exe
4868	TOL.exe
4492	TOL.exe
2424	TOL.exe
4312	TOL.exe

Modifies Installed Components in the registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	1020457285.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe restart"	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2A2635-T48N-76D8-VB87-81QIM8V1D2G0}	TOL.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2400-132-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral2/memory/4480-134-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/2400-136-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral2/memory/4480-137-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4480-138-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/files/0x0006000000022e45-140.dat	upx
behavioral2/memory/4480-141-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4980-142-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/files/0x0006000000022e45-144.dat	upx
behavioral2/memory/4480-145-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4444-146-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral2/files/0x0006000000022e45-149.dat	upx
behavioral2/memory/4444-151-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral2/memory/3592-152-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3592-153-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3592-155-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/files/0x0006000000022e45-157.dat	upx
behavioral2/memory/3592-160-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/files/0x0006000000022e45-159.dat	upx
behavioral2/memory/3492-165-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral2/files/0x0006000000022e45-163.dat	upx
behavioral2/memory/3500-173-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral2/files/0x0006000000022e45-170.dat	upx
behavioral2/memory/3508-177-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/224-178-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/files/0x0006000000022e45-180.dat	upx
behavioral2/files/0x0006000000022e45-183.dat	upx
behavioral2/memory/2688-186-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral2/memory/3136-189-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/files/0x0006000000022e45-191.dat	upx
behavioral2/memory/224-192-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/files/0x0006000000022e45-195.dat	upx
behavioral2/memory/4648-198-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral2/memory/4408-200-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3136-202-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/files/0x0006000000022e45-204.dat	upx
behavioral2/memory/3000-210-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral2/files/0x0006000000022e45-207.dat	upx
behavioral2/memory/3636-213-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/files/0x0006000000022e45-215.dat	upx
behavioral2/memory/4408-216-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3676-221-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral2/files/0x0006000000022e45-219.dat	upx
behavioral2/memory/4032-225-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/files/0x0006000000022e45-227.dat	upx
behavioral2/files/0x0006000000022e45-230.dat	upx
behavioral2/memory/4540-234-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral2/files/0x0006000000022e45-236.dat	upx
behavioral2/memory/3636-237-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4032-239-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/files/0x0006000000022e45-242.dat	upx
behavioral2/memory/4916-244-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral2/memory/3772-247-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4172-248-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/files/0x0006000000022e45-251.dat	upx
behavioral2/memory/2012-257-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral2/files/0x0006000000022e45-254.dat	upx
behavioral2/files/0x0006000000022e45-261.dat	upx
behavioral2/memory/4172-262-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1656-268-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral2/files/0x0006000000022e45-265.dat	upx
behavioral2/memory/3772-271-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/files/0x0006000000022e45-270.dat	upx
behavioral2/memory/3324-273-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx

Checks computer location settings 2 TTPs 38 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	1020457285.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TOL.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JKO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BHY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BHY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BHY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BHY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JKO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BHY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BHY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BHY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JKO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BHY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JKO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BHY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JKO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BHY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JKO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JKO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BHY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JKO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JKO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BHY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JKO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BHY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JKO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JKO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BHY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JKO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BHY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JKO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BHY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	TOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BHY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TOLI\\TOL.exe"	TOL.exe

AutoIT Executable 24 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2400-136-0x0000000000400000-0x00000000004EA000-memory.dmp	autoit_exe
behavioral2/memory/4444-146-0x0000000000400000-0x00000000004EA000-memory.dmp	autoit_exe
behavioral2/memory/4444-151-0x0000000000400000-0x00000000004EA000-memory.dmp	autoit_exe
behavioral2/memory/3492-165-0x0000000000400000-0x00000000004EA000-memory.dmp	autoit_exe
behavioral2/memory/3500-173-0x0000000000400000-0x00000000004EA000-memory.dmp	autoit_exe
behavioral2/memory/2688-186-0x0000000000400000-0x00000000004EA000-memory.dmp	autoit_exe
behavioral2/memory/4648-198-0x0000000000400000-0x00000000004EA000-memory.dmp	autoit_exe
behavioral2/memory/3000-210-0x0000000000400000-0x00000000004EA000-memory.dmp	autoit_exe
behavioral2/memory/3676-221-0x0000000000400000-0x00000000004EA000-memory.dmp	autoit_exe
behavioral2/memory/4540-234-0x0000000000400000-0x00000000004EA000-memory.dmp	autoit_exe
behavioral2/memory/4916-244-0x0000000000400000-0x00000000004EA000-memory.dmp	autoit_exe
behavioral2/memory/2012-257-0x0000000000400000-0x00000000004EA000-memory.dmp	autoit_exe
behavioral2/memory/1656-268-0x0000000000400000-0x00000000004EA000-memory.dmp	autoit_exe
behavioral2/memory/3012-274-0x0000000000400000-0x00000000004EA000-memory.dmp	autoit_exe
behavioral2/memory/3012-282-0x0000000000400000-0x00000000004EA000-memory.dmp	autoit_exe
behavioral2/memory/2868-294-0x0000000000400000-0x00000000004EA000-memory.dmp	autoit_exe
behavioral2/memory/1784-301-0x0000000000400000-0x00000000004EA000-memory.dmp	autoit_exe
behavioral2/memory/1784-307-0x0000000000400000-0x00000000004EA000-memory.dmp	autoit_exe
behavioral2/memory/4400-316-0x0000000000400000-0x00000000004EA000-memory.dmp	autoit_exe
behavioral2/memory/3080-330-0x0000000000400000-0x00000000004EA000-memory.dmp	autoit_exe
behavioral2/memory/4356-342-0x0000000000400000-0x00000000004EA000-memory.dmp	autoit_exe
behavioral2/memory/3440-353-0x0000000000400000-0x00000000004EA000-memory.dmp	autoit_exe
behavioral2/memory/4704-365-0x0000000000400000-0x00000000004EA000-memory.dmp	autoit_exe
behavioral2/memory/4948-372-0x0000000000400000-0x00000000004EA000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2400 set thread context of 4480	2400	1020457285.exe	82
PID 4444 set thread context of 3592	4444	TOL.exe	93
PID 3492 set thread context of 224	3492	TOL.exe	104
PID 3500 set thread context of 3508	3500	TOL.exe	105
PID 2688 set thread context of 3136	2688	TOL.exe	112
PID 4648 set thread context of 4408	4648	TOL.exe	121
PID 3000 set thread context of 3636	3000	TOL.exe	127
PID 3676 set thread context of 4032	3676	TOL.exe	137
PID 4540 set thread context of 4172	4540	TOL.exe	147
PID 4916 set thread context of 3772	4916	TOL.exe	151
PID 2012 set thread context of 1144	2012	TOL.exe	168
PID 1656 set thread context of 3324	1656	TOL.exe	171
PID 3012 set thread context of 4512	3012	TOL.exe	173
PID 2868 set thread context of 3840	2868	TOL.exe	189
PID 1784 set thread context of 2384	1784	TOL.exe	193
PID 4400 set thread context of 3096	4400	TOL.exe	195
PID 3080 set thread context of 4912	3080	TOL.exe	199
PID 4356 set thread context of 2424	4356	TOL.exe	212
PID 3440 set thread context of 2788	3440	TOL.exe	215
PID 4704 set thread context of 3000	4704	TOL.exe	235
PID 4948 set thread context of 4844	4948	TOL.exe	238
PID 3948 set thread context of 1956	3948	TOL.exe	242
PID 4976 set thread context of 4668	4976	TOL.exe	263
PID 3392 set thread context of 2384	3392	TOL.exe	268
PID 4948 set thread context of 3188	4948	TOL.exe	272
PID 2788 set thread context of 2860	2788	TOL.exe	275
PID 4480 set thread context of 2484	4480	TOL.exe	298
PID 4844 set thread context of 4944	4844	TOL.exe	302
PID 4992 set thread context of 2196	4992	TOL.exe	304
PID 1208 set thread context of 4240	1208	TOL.exe	306
PID 440 set thread context of 4948	440	TOL.exe	308
PID 4868 set thread context of 2424	4868	TOL.exe	319
PID 4492 set thread context of 4312	4492	TOL.exe	320
PID 4500 set thread context of 3260	4500	TOL.exe	326
PID 2428 set thread context of 440	2428	TOL.exe	337
PID 4924 set thread context of 3960	4924	TOL.exe	343
PID 1232 set thread context of 2476	1232	TOL.exe	347
PID 2224 set thread context of 2712	2224	TOL.exe	363
PID 1388 set thread context of 4724	1388	TOL.exe	365
PID 1124 set thread context of 1388	1124	TOL.exe	370
PID 5364 set thread context of 5392	5364	TOL.exe	392
PID 5456 set thread context of 5532	5456	TOL.exe	397
PID 5476 set thread context of 5564	5476	TOL.exe	398
PID 5692 set thread context of 5744	5692	TOL.exe	404
PID 6012 set thread context of 6044	6012	TOL.exe	422
PID 6100 set thread context of 5156	6100	TOL.exe	426
PID 5376 set thread context of 5452	5376	TOL.exe	431
PID 5468 set thread context of 5508	5468	TOL.exe	445
PID 5560 set thread context of 5616	5560	TOL.exe	449
PID 5840 set thread context of 5908	5840	TOL.exe	454
PID 5644 set thread context of 5420	5644	TOL.exe	462
PID 6068 set thread context of 5780	6068	TOL.exe	467
PID 5620 set thread context of 5560	5620	TOL.exe	483
PID 5312 set thread context of 5964	5312	TOL.exe	487
PID 6096 set thread context of 5696	6096	TOL.exe	491
PID 3324 set thread context of 1388	3324	TOL.exe	501
PID 5624 set thread context of 5612	5624	TOL.exe	504
PID 5644 set thread context of 6136	5644	TOL.exe	514
PID 5204 set thread context of 5532	5204	TOL.exe	516
PID 5396 set thread context of 5924	5396	TOL.exe	524
PID 3996 set thread context of 6000	3996	TOL.exe	531
PID 1732 set thread context of 6136	1732	TOL.exe	539
PID 5756 set thread context of 3732	5756	TOL.exe	549
PID 5204 set thread context of 3104	5204	TOL.exe	552

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 39 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1020457285.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	TOL.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2400	1020457285.exe
2400	1020457285.exe
2400	1020457285.exe
4444	TOL.exe
4444	TOL.exe
4444	TOL.exe
3492	TOL.exe
3492	TOL.exe
3500	TOL.exe
3500	TOL.exe
3492	TOL.exe
3500	TOL.exe
2688	TOL.exe
2688	TOL.exe
2688	TOL.exe
4648	TOL.exe
4648	TOL.exe
4648	TOL.exe
3000	TOL.exe
3000	TOL.exe
3000	TOL.exe
3676	TOL.exe
3676	TOL.exe
3676	TOL.exe
4540	TOL.exe
4540	TOL.exe
4540	TOL.exe
4916	TOL.exe
4916	TOL.exe
4916	TOL.exe
2012	TOL.exe
2012	TOL.exe
2012	TOL.exe
1656	TOL.exe
1656	TOL.exe
1656	TOL.exe
3012	TOL.exe
3012	TOL.exe
3012	TOL.exe
2868	TOL.exe
2868	TOL.exe
2868	TOL.exe
1784	TOL.exe
1784	TOL.exe
1784	TOL.exe
4400	TOL.exe
4400	TOL.exe
4400	TOL.exe
3080	TOL.exe
3080	TOL.exe
3080	TOL.exe
4356	TOL.exe
4356	TOL.exe
4356	TOL.exe
3440	TOL.exe
3440	TOL.exe
3440	TOL.exe
4704	TOL.exe
4704	TOL.exe
4704	TOL.exe
4948	TOL.exe
4948	TOL.exe
4948	TOL.exe
3948	TOL.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2400	1020457285.exe
2400	1020457285.exe
2400	1020457285.exe
4444	TOL.exe
4444	TOL.exe
4444	TOL.exe
3492	TOL.exe
3492	TOL.exe
3500	TOL.exe
3500	TOL.exe
3492	TOL.exe
3500	TOL.exe
2688	TOL.exe
2688	TOL.exe
2688	TOL.exe
4648	TOL.exe
4648	TOL.exe
4648	TOL.exe
3000	TOL.exe
3000	TOL.exe
3000	TOL.exe
3676	TOL.exe
3676	TOL.exe
3676	TOL.exe
4540	TOL.exe
4540	TOL.exe
4540	TOL.exe
4916	TOL.exe
4916	TOL.exe
4916	TOL.exe
2012	TOL.exe
2012	TOL.exe
2012	TOL.exe
1656	TOL.exe
1656	TOL.exe
1656	TOL.exe
3012	TOL.exe
3012	TOL.exe
3012	TOL.exe
2868	TOL.exe
2868	TOL.exe
2868	TOL.exe
1784	TOL.exe
1784	TOL.exe
1784	TOL.exe
4400	TOL.exe
4400	TOL.exe
4400	TOL.exe
3080	TOL.exe
3080	TOL.exe
3080	TOL.exe
4356	TOL.exe
4356	TOL.exe
4356	TOL.exe
3440	TOL.exe
3440	TOL.exe
3440	TOL.exe
4704	TOL.exe
4704	TOL.exe
4704	TOL.exe
4948	TOL.exe
4948	TOL.exe
4948	TOL.exe
3948	TOL.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 4480	2400	1020457285.exe	82
PID 2400 wrote to memory of 4480	2400	1020457285.exe	82
PID 2400 wrote to memory of 4480	2400	1020457285.exe	82
PID 2400 wrote to memory of 4480	2400	1020457285.exe	82
PID 2400 wrote to memory of 4480	2400	1020457285.exe	82
PID 2400 wrote to memory of 4480	2400	1020457285.exe	82
PID 2400 wrote to memory of 4480	2400	1020457285.exe	82
PID 2400 wrote to memory of 4480	2400	1020457285.exe	82
PID 4480 wrote to memory of 4980	4480	1020457285.exe	83
PID 4480 wrote to memory of 4980	4480	1020457285.exe	83
PID 4480 wrote to memory of 4980	4480	1020457285.exe	83
PID 4480 wrote to memory of 4980	4480	1020457285.exe	83
PID 4480 wrote to memory of 520	4480	1020457285.exe	84
PID 4480 wrote to memory of 520	4480	1020457285.exe	84
PID 4480 wrote to memory of 520	4480	1020457285.exe	84
PID 4480 wrote to memory of 5108	4480	1020457285.exe	85
PID 4480 wrote to memory of 5108	4480	1020457285.exe	85
PID 4480 wrote to memory of 5108	4480	1020457285.exe	85
PID 4480 wrote to memory of 4832	4480	1020457285.exe	86
PID 4480 wrote to memory of 4832	4480	1020457285.exe	86
PID 4480 wrote to memory of 4832	4480	1020457285.exe	86
PID 4480 wrote to memory of 852	4480	1020457285.exe	87
PID 4480 wrote to memory of 852	4480	1020457285.exe	87
PID 4480 wrote to memory of 852	4480	1020457285.exe	87
PID 4480 wrote to memory of 3084	4480	1020457285.exe	88
PID 4480 wrote to memory of 3084	4480	1020457285.exe	88
PID 4480 wrote to memory of 3084	4480	1020457285.exe	88
PID 4480 wrote to memory of 2600	4480	1020457285.exe	89
PID 4480 wrote to memory of 2600	4480	1020457285.exe	89
PID 4480 wrote to memory of 2600	4480	1020457285.exe	89
PID 4480 wrote to memory of 4424	4480	1020457285.exe	90
PID 4480 wrote to memory of 4424	4480	1020457285.exe	90
PID 4480 wrote to memory of 4424	4480	1020457285.exe	90
PID 4480 wrote to memory of 4684	4480	1020457285.exe	91
PID 4480 wrote to memory of 4684	4480	1020457285.exe	91
PID 4480 wrote to memory of 4444	4480	1020457285.exe	92
PID 4480 wrote to memory of 4444	4480	1020457285.exe	92
PID 4480 wrote to memory of 4444	4480	1020457285.exe	92
PID 4444 wrote to memory of 3592	4444	TOL.exe	93
PID 4444 wrote to memory of 3592	4444	TOL.exe	93
PID 4444 wrote to memory of 3592	4444	TOL.exe	93
PID 4444 wrote to memory of 3592	4444	TOL.exe	93
PID 4444 wrote to memory of 3592	4444	TOL.exe	93
PID 4444 wrote to memory of 3592	4444	TOL.exe	93
PID 4444 wrote to memory of 3592	4444	TOL.exe	93
PID 4444 wrote to memory of 3592	4444	TOL.exe	93
PID 3592 wrote to memory of 1452	3592	TOL.exe	94
PID 3592 wrote to memory of 1452	3592	TOL.exe	94
PID 3592 wrote to memory of 1452	3592	TOL.exe	94
PID 3592 wrote to memory of 1516	3592	TOL.exe	95
PID 3592 wrote to memory of 1516	3592	TOL.exe	95
PID 3592 wrote to memory of 1516	3592	TOL.exe	95
PID 3592 wrote to memory of 1432	3592	TOL.exe	96
PID 3592 wrote to memory of 1432	3592	TOL.exe	96
PID 3592 wrote to memory of 1432	3592	TOL.exe	96
PID 3592 wrote to memory of 1312	3592	TOL.exe	97
PID 3592 wrote to memory of 1312	3592	TOL.exe	97
PID 3592 wrote to memory of 1312	3592	TOL.exe	97
PID 3592 wrote to memory of 1836	3592	TOL.exe	98
PID 3592 wrote to memory of 1836	3592	TOL.exe	98
PID 3592 wrote to memory of 1836	3592	TOL.exe	98
PID 3592 wrote to memory of 1060	3592	TOL.exe	99
PID 3592 wrote to memory of 1060	3592	TOL.exe	99
PID 3592 wrote to memory of 1060	3592	TOL.exe	99

C:\Users\Admin\AppData\Local\Temp\1020457285.exe
"C:\Users\Admin\AppData\Local\Temp\1020457285.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\1020457285.exe
  "C:\Users\Admin\AppData\Local\Temp\1020457285.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Modifies registry class
    PID:4980
  - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
      "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3492
    - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:224
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4348
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3740
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3116
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3108
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3940
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4236
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1552
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4780
      - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        7⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:4408
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3152
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3624
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        9⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        
        PID:4032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2588
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:328
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
      "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2688
    - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        
        PID:3136
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4676
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1620
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5020
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3656
  - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
      "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3000
    - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:3636
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2352
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1636
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2556
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2336
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2796
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3336
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3904
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1112
      - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:3772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:552
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4928
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2220
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        9⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:4512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3532
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2044
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        11⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        
        PID:3096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:4388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
      "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4540
    - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:4172
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3588
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5004
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1952
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5008
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4112
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2080
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3928
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1524
      - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        7⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:3324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:760
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3484
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3912
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3256
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1276
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        9⤵
        Executes dropped EXE
        
        PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
      "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2012
    - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1144
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
      "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2868
    - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        5⤵
        Executes dropped EXE
        
        PID:3840
  - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
      "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3080
    - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:4912
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4472
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4164
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1504
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4460
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4852
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2784
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4136
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:404
      - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:2788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:220
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2688
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        9⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:1956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4172
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4356
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4912
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3328
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        11⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:2860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:3428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:2236
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:1440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:3316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:3852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:4704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:2348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        13⤵
        Executes dropped EXE
        
        PID:4240
  - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
      "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4356
    - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:2424
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4292
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3480
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2032
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4584
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3932
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2868
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1128
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:112
      - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        7⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:4844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3248
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4816
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        9⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:3188
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3636
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:796
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4020
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        11⤵
        Executes dropped EXE
        
        PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
      "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4704
    - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Checks computer location settings
        Modifies registry class
        
        PID:3000
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3252
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2828
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:968
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1096
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4344
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:704
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1664
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1696
      - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        7⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:2384
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2816
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3652
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        9⤵
        Executes dropped EXE
        
        PID:4944
  - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
      "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:4976
    - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        
        PID:4668
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4512
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1316
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:920
  - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
      "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:4480
    - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:2484
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:780
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3188
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4216
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4668
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4044
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5016
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1808
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2344
      - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        7⤵
        Executes dropped EXE
        
        PID:4312
  - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
      "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:440
    - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        5⤵
        Executes dropped EXE
        
        PID:4948
  - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
      "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:4868
    - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:2424
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1956
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5052
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:424
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3892
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2312
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1344
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3080
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3880
      - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        7⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3920
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4312
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4992
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2088
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        8⤵
        Suspicious use of SetThreadContext
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        9⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:2712
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2416
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5160
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5292
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        10⤵
        Suspicious use of SetThreadContext
        
        PID:5456
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        11⤵
        
        PID:5532
  - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
      "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:4500
    - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        5⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:3260
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1708
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4956
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1236
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4660
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4504
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4672
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2940
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3392
      - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        7⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1152
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2196
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4880
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1080
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        8⤵
        Suspicious use of SetThreadContext
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        9⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:1388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5196
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5276
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5520
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        10⤵
        Suspicious use of SetThreadContext
        
        PID:5692
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        11⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Modifies registry class
        
        PID:5744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5792
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5868
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5300
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        12⤵
        Suspicious use of SetThreadContext
        
        PID:5376
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        13⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:5452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5356
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:4724
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5772
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        14⤵
        Suspicious use of SetThreadContext
        
        PID:5840
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        15⤵
        Modifies Installed Components in the registry
        
        PID:5908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:5988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:5288
  - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
      "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:4924
    - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        5⤵
        Modifies Installed Components in the registry
        
        PID:3960
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
      "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:1388
    - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        5⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Modifies registry class
        
        PID:4724
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4844
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4404
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1116
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5140
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5180
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5220
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5264
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5304
      - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:5476
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        7⤵
        Adds Run key to start application
        
        PID:5564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5652
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5812
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5980
  - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
      "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:5364
    - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        5⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:5392
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5444
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5628
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5724
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5804
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5844
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5884
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5932
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5972
      - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:6100
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        7⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:5156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5272
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5588
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        8⤵
        Suspicious use of SetThreadContext
        
        PID:5560
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        9⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Modifies registry class
        
        PID:5616
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5832
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6024
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6060
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6140
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        10⤵
        Suspicious use of SetThreadContext
        
        PID:6068
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        11⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Modifies registry class
        
        PID:5780
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5364
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:2268
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5484
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5608
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5260
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:2396
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        12⤵
        Suspicious use of SetThreadContext
        
        PID:6096
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        13⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:5696
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5336
  - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
      "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:6012
    - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        5⤵
        Modifies Installed Components in the registry
        
        PID:6044
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6088
  - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
      "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:5468
    - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        5⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:5508
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5668
  - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
      "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:5644
    - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        5⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:5420
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5208
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4412
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5376
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5464
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5480
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5468
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:736
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5192
      - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:5312
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        7⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:5964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5440
  - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
      "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:5620
    - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        5⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:5560
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5692
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5564
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6080
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5408
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6068
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5912
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6008
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5968
      - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:5624
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        7⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:5612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6036
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5312
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5928
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5896
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6108
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        8⤵
        Suspicious use of SetThreadContext
        
        PID:5204
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        9⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:5532
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5636
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4484
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5188
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5036
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        10⤵
        Suspicious use of SetThreadContext
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        11⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:6000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:3100
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:1900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:2068
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:3176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5372
  - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
      "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:3324
    - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        5⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:1388
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5476
  - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
      "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:5644
    - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        5⤵
        
        PID:6136
  - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
      "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:5396
    - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        5⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:5924
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3240
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5380
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2072
  - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
      "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:1732
    - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        5⤵
        Checks computer location settings
        Modifies registry class
        
        PID:6136
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5864
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5472
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5396
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3348
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5648
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5776
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6120
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5532
      - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:5204
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        7⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:3104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3960
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5332
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        8⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        9⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:3492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5696
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3120
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1160
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5412
  - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
      "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:5756
    - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        5⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:3732
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3520
  - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
      "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
      4⤵
      PID:3292
    - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        5⤵
        
        PID:1340
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5620
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:228
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4276
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:764
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5248
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:5108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4684
- - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
    "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
      "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
      4⤵
      Executes dropped EXE
      Modifies Installed Components in the registry
      Checks computer location settings
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3592
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1452
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1516
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1432
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1312
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1836
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4140
    - - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3500
      - C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe"
        6⤵
        Executes dropped EXE
        
        PID:3508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOLI\TOL.exe

Filesize
421KB

MD5
1f13d71974214e02ba361af8d9558288

SHA1
987c2c52cedb24cf2c094158a2597b9728edbe87

SHA256
b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa

SHA512
d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\VhJl2Gz.cfg

Filesize
1KB

MD5
df29f690ca947656634bf8bd1faf8395

SHA1
a49bc4f6b13ef4a316c3e73fcdebe6a3fa6e86cf

SHA256
84ef200a8cf95a0bdd5df58cec5fa206dbca20ae8a819fe96230aa9d535ae4ae

SHA512
e84e30568fc9c4d50ee002b01cb5f85e1d6fabb701e4e0e8c11d519b16c7d5887349d1e1246b6fa1b0a7b1fbad919cfa58a45082cf1a4a584d98637b75618ed4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\VhJl2Gz.cfg

Filesize
1KB

MD5
df29f690ca947656634bf8bd1faf8395

SHA1
a49bc4f6b13ef4a316c3e73fcdebe6a3fa6e86cf

SHA256
84ef200a8cf95a0bdd5df58cec5fa206dbca20ae8a819fe96230aa9d535ae4ae

SHA512
e84e30568fc9c4d50ee002b01cb5f85e1d6fabb701e4e0e8c11d519b16c7d5887349d1e1246b6fa1b0a7b1fbad919cfa58a45082cf1a4a584d98637b75618ed4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\VhJl2Gz.cfg

Filesize
1KB

MD5
df29f690ca947656634bf8bd1faf8395

SHA1
a49bc4f6b13ef4a316c3e73fcdebe6a3fa6e86cf

SHA256
84ef200a8cf95a0bdd5df58cec5fa206dbca20ae8a819fe96230aa9d535ae4ae

SHA512
e84e30568fc9c4d50ee002b01cb5f85e1d6fabb701e4e0e8c11d519b16c7d5887349d1e1246b6fa1b0a7b1fbad919cfa58a45082cf1a4a584d98637b75618ed4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\VhJl2Gz.cfg

Filesize
1KB

MD5
df29f690ca947656634bf8bd1faf8395

SHA1
a49bc4f6b13ef4a316c3e73fcdebe6a3fa6e86cf

SHA256
84ef200a8cf95a0bdd5df58cec5fa206dbca20ae8a819fe96230aa9d535ae4ae

SHA512
e84e30568fc9c4d50ee002b01cb5f85e1d6fabb701e4e0e8c11d519b16c7d5887349d1e1246b6fa1b0a7b1fbad919cfa58a45082cf1a4a584d98637b75618ed4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\VhJl2Gz.cfg

Filesize
1KB

MD5
df29f690ca947656634bf8bd1faf8395

SHA1
a49bc4f6b13ef4a316c3e73fcdebe6a3fa6e86cf

SHA256
84ef200a8cf95a0bdd5df58cec5fa206dbca20ae8a819fe96230aa9d535ae4ae

SHA512
e84e30568fc9c4d50ee002b01cb5f85e1d6fabb701e4e0e8c11d519b16c7d5887349d1e1246b6fa1b0a7b1fbad919cfa58a45082cf1a4a584d98637b75618ed4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\VhJl2Gz.cfg

Filesize
1KB

MD5
df29f690ca947656634bf8bd1faf8395

SHA1
a49bc4f6b13ef4a316c3e73fcdebe6a3fa6e86cf

SHA256
84ef200a8cf95a0bdd5df58cec5fa206dbca20ae8a819fe96230aa9d535ae4ae

SHA512
e84e30568fc9c4d50ee002b01cb5f85e1d6fabb701e4e0e8c11d519b16c7d5887349d1e1246b6fa1b0a7b1fbad919cfa58a45082cf1a4a584d98637b75618ed4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\VhJl2Gz.cfg

Filesize
1KB

MD5
df29f690ca947656634bf8bd1faf8395

SHA1
a49bc4f6b13ef4a316c3e73fcdebe6a3fa6e86cf

SHA256
84ef200a8cf95a0bdd5df58cec5fa206dbca20ae8a819fe96230aa9d535ae4ae

SHA512
e84e30568fc9c4d50ee002b01cb5f85e1d6fabb701e4e0e8c11d519b16c7d5887349d1e1246b6fa1b0a7b1fbad919cfa58a45082cf1a4a584d98637b75618ed4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\VhJl2Gz.cfg

Filesize
1KB

MD5
df29f690ca947656634bf8bd1faf8395

SHA1
a49bc4f6b13ef4a316c3e73fcdebe6a3fa6e86cf

SHA256
84ef200a8cf95a0bdd5df58cec5fa206dbca20ae8a819fe96230aa9d535ae4ae

SHA512
e84e30568fc9c4d50ee002b01cb5f85e1d6fabb701e4e0e8c11d519b16c7d5887349d1e1246b6fa1b0a7b1fbad919cfa58a45082cf1a4a584d98637b75618ed4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\VhJl2Gz.cfg

Filesize
1KB

MD5
df29f690ca947656634bf8bd1faf8395

SHA1
a49bc4f6b13ef4a316c3e73fcdebe6a3fa6e86cf

SHA256
84ef200a8cf95a0bdd5df58cec5fa206dbca20ae8a819fe96230aa9d535ae4ae

SHA512
e84e30568fc9c4d50ee002b01cb5f85e1d6fabb701e4e0e8c11d519b16c7d5887349d1e1246b6fa1b0a7b1fbad919cfa58a45082cf1a4a584d98637b75618ed4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\VhJl2Gz.cfg

Filesize
1KB

MD5
df29f690ca947656634bf8bd1faf8395

SHA1
a49bc4f6b13ef4a316c3e73fcdebe6a3fa6e86cf

SHA256
84ef200a8cf95a0bdd5df58cec5fa206dbca20ae8a819fe96230aa9d535ae4ae

SHA512
e84e30568fc9c4d50ee002b01cb5f85e1d6fabb701e4e0e8c11d519b16c7d5887349d1e1246b6fa1b0a7b1fbad919cfa58a45082cf1a4a584d98637b75618ed4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\VhJl2Gz.cfg

Filesize
1KB

MD5
df29f690ca947656634bf8bd1faf8395

SHA1
a49bc4f6b13ef4a316c3e73fcdebe6a3fa6e86cf

SHA256
84ef200a8cf95a0bdd5df58cec5fa206dbca20ae8a819fe96230aa9d535ae4ae

SHA512
e84e30568fc9c4d50ee002b01cb5f85e1d6fabb701e4e0e8c11d519b16c7d5887349d1e1246b6fa1b0a7b1fbad919cfa58a45082cf1a4a584d98637b75618ed4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\VhJl2Gz.cfg

Filesize
1KB

MD5
df29f690ca947656634bf8bd1faf8395

SHA1
a49bc4f6b13ef4a316c3e73fcdebe6a3fa6e86cf

SHA256
84ef200a8cf95a0bdd5df58cec5fa206dbca20ae8a819fe96230aa9d535ae4ae

SHA512
e84e30568fc9c4d50ee002b01cb5f85e1d6fabb701e4e0e8c11d519b16c7d5887349d1e1246b6fa1b0a7b1fbad919cfa58a45082cf1a4a584d98637b75618ed4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\VhJl2Gz.cfg

Filesize
1KB

MD5
df29f690ca947656634bf8bd1faf8395

SHA1
a49bc4f6b13ef4a316c3e73fcdebe6a3fa6e86cf

SHA256
84ef200a8cf95a0bdd5df58cec5fa206dbca20ae8a819fe96230aa9d535ae4ae

SHA512
e84e30568fc9c4d50ee002b01cb5f85e1d6fabb701e4e0e8c11d519b16c7d5887349d1e1246b6fa1b0a7b1fbad919cfa58a45082cf1a4a584d98637b75618ed4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\VhJl2Gz.cfg

Filesize
1KB

MD5
df29f690ca947656634bf8bd1faf8395

SHA1
a49bc4f6b13ef4a316c3e73fcdebe6a3fa6e86cf

SHA256
84ef200a8cf95a0bdd5df58cec5fa206dbca20ae8a819fe96230aa9d535ae4ae

SHA512
e84e30568fc9c4d50ee002b01cb5f85e1d6fabb701e4e0e8c11d519b16c7d5887349d1e1246b6fa1b0a7b1fbad919cfa58a45082cf1a4a584d98637b75618ed4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\VhJl2Gz.cfg

Filesize
1KB

MD5
df29f690ca947656634bf8bd1faf8395

SHA1
a49bc4f6b13ef4a316c3e73fcdebe6a3fa6e86cf

SHA256
84ef200a8cf95a0bdd5df58cec5fa206dbca20ae8a819fe96230aa9d535ae4ae

SHA512
e84e30568fc9c4d50ee002b01cb5f85e1d6fabb701e4e0e8c11d519b16c7d5887349d1e1246b6fa1b0a7b1fbad919cfa58a45082cf1a4a584d98637b75618ed4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\VhJl2Gz.cfg

Filesize
1KB

MD5
df29f690ca947656634bf8bd1faf8395

SHA1
a49bc4f6b13ef4a316c3e73fcdebe6a3fa6e86cf

SHA256
84ef200a8cf95a0bdd5df58cec5fa206dbca20ae8a819fe96230aa9d535ae4ae

SHA512
e84e30568fc9c4d50ee002b01cb5f85e1d6fabb701e4e0e8c11d519b16c7d5887349d1e1246b6fa1b0a7b1fbad919cfa58a45082cf1a4a584d98637b75618ed4

Download Submit
memory/224-178-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/224-192-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1144-281-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1144-275-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1656-268-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1784-301-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1784-307-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2012-257-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2384-323-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2384-320-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2400-136-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2400-132-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2424-368-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2424-356-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2688-186-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2788-355-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2868-294-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/3000-376-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3000-210-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/3012-274-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/3012-282-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/3080-330-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/3096-319-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3096-333-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3136-202-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3136-189-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3324-273-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3324-299-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3440-353-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/3492-165-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/3500-173-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/3508-177-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3592-155-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3592-152-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3592-153-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3592-160-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3636-237-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3636-213-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3676-221-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/3772-271-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3772-247-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3840-322-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3840-300-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4032-225-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4032-239-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4172-262-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4172-248-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4356-342-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4400-316-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4408-216-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4408-200-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4444-151-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4444-146-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4480-145-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4480-134-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4480-141-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4480-137-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4480-138-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4512-311-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4512-286-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4540-234-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4648-198-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4704-365-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4844-375-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4912-347-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4912-334-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4916-244-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4948-372-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4980-142-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads