lockergoga | c75d27311d7c5271e0a415bf0e4d62da7e4567c38711cc003892884dfeb3b331

Analysis

max time kernel
39s
max time network
72s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03/09/2023, 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
Size

1.2MB
MD5

e82c5e5d888935b99f1d4404eee4d63f
SHA1

e1ceef1881c0b59b7f8c46c4009cf8188ba3a369
SHA256

c75d27311d7c5271e0a415bf0e4d62da7e4567c38711cc003892884dfeb3b331
SHA512

fd426a5bf0b1a5de8e50c6fc5ebe3eafe038d6317372874ea6a2277975403eb9c269834735226b5ab998107ef9f8333411f34cdab0893c1c3665a5277568e229
SSDEEP

24576:W5Rt4El7fc/TFJzjJUgrrCq5sNIwQsUGy1q7a9DlIACTp+kqGslRG4s:Wjt4El7fc/TFJWstwQsPdSDuACTpqhGv

Score

10^/10

lockergoga neshta banker persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Public\Desktop\README_LOCKED.txt

Ransom Note

Greetings! There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun. Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data. To confirm our honest intentions. Send us 2-3 different random files and you will get them decrypted. It can be from different computers on your network to be sure that our decoder decrypts everything. Sample files we unlock for free (files should not be related to any kind of backups). We exclusively have decryption software for your situation DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME the encrypted files. DO NOT MOVE the encrypted files. This may lead to the impossibility of recovery of the certain files. The payment has to be made in Bitcoins. The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security To get information on the price of the decoder contact us at: [email protected] [email protected]

Emails

[email protected]

Signatures

Detect Neshta payload 8 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010324-10.dat	family_neshta
behavioral1/memory/1792-141-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x0002000000010364-162.dat	family_neshta
behavioral1/files/0x0001000000010322-163.dat	family_neshta
behavioral1/memory/1792-413-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x00050000000055de-417.dat	family_neshta
behavioral1/files/0x0003000000005ae0-427.dat	family_neshta
behavioral1/memory/1792-492-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

LockerGoga
LockerGoga is a ransomware that is primarily used in targeted, disruptive attacks.
trojan banker lockergoga
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Renames multiple (516) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 54 IoCs

pid	Process
2996	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
2920	tgytutrc3982.exe
1956	tgytutrc3982.exe
1280	tgytutrc3982.exe
2792	tgytutrc3982.exe
2848	tgytutrc3982.exe
2608	tgytutrc3982.exe
2844	tgytutrc3982.exe
2840	tgytutrc3982.exe
2040	tgytutrc3982.exe
2348	tgytutrc3982.exe
2916	tgytutrc3982.exe
2164	tgytutrc3982.exe
1552	tgytutrc3982.exe
2440	tgytutrc3982.exe
2096	tgytutrc3982.exe
2172	tgytutrc3982.exe
1788	tgytutrc3982.exe
1576	tgytutrc3982.exe
1608	tgytutrc3982.exe
2556	tgytutrc3982.exe
2576	tgytutrc3982.exe
1752	tgytutrc3982.exe
1312	tgytutrc3982.exe
2200	tgytutrc3982.exe
1468	tgytutrc3982.exe
1020	tgytutrc3982.exe
984	tgytutrc3982.exe
848	tgytutrc3982.exe
2188	tgytutrc3982.exe
1868	tgytutrc3982.exe
1812	tgytutrc3982.exe
1688	tgytutrc3982.exe
1876	tgytutrc3982.exe
1340	tgytutrc3982.exe
872	tgytutrc3982.exe
1588	tgytutrc3982.exe
1808	tgytutrc3982.exe
1604	tgytutrc3982.exe
2252	tgytutrc3982.exe
2680	tgytutrc3982.exe
2560	tgytutrc3982.exe
3008	tgytutrc3982.exe
328	tgytutrc3982.exe
1548	tgytutrc3982.exe
740	tgytutrc3982.exe
980	tgytutrc3982.exe
880	tgytutrc3982.exe
1780	tgytutrc3982.exe
1872	tgytutrc3982.exe
1380	tgytutrc3982.exe
540	tgytutrc3982.exe
1516	tgytutrc3982.exe
1080	tgytutrc3982.exe

Loads dropped DLL 2 IoCs

pid	Process
1792	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
1792	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.dll	tgytutrc3982.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\highDpiImageSwap.js	tgytutrc3982.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	tgytutrc3982.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\EXPEDITN.ELM	tgytutrc3982.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\settings.html	tgytutrc3982.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\localizedStrings.js	tgytutrc3982.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\settings.js	tgytutrc3982.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif	tgytutrc3982.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.jrockit.mc.rcp.product_root_5.5.0.165303	tgytutrc3982.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\micaut.dll.mui	tgytutrc3982.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\calendar.js	tgytutrc3982.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\Office64MUISet.XML	tgytutrc3982.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterBold.ttf	tgytutrc3982.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1880	1204	WerFault.exe	4

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1280	tgytutrc3982.exe
1280	tgytutrc3982.exe
1280	tgytutrc3982.exe
1280	tgytutrc3982.exe
1280	tgytutrc3982.exe
1280	tgytutrc3982.exe
1280	tgytutrc3982.exe
1280	tgytutrc3982.exe
1280	tgytutrc3982.exe
1280	tgytutrc3982.exe
1280	tgytutrc3982.exe
1280	tgytutrc3982.exe
1280	tgytutrc3982.exe
1280	tgytutrc3982.exe
1280	tgytutrc3982.exe
1280	tgytutrc3982.exe
1280	tgytutrc3982.exe
1280	tgytutrc3982.exe
1280	tgytutrc3982.exe
1280	tgytutrc3982.exe
1280	tgytutrc3982.exe
1280	tgytutrc3982.exe
2844	tgytutrc3982.exe
2844	tgytutrc3982.exe
2844	tgytutrc3982.exe
2844	tgytutrc3982.exe
2844	tgytutrc3982.exe
2844	tgytutrc3982.exe
2844	tgytutrc3982.exe
2844	tgytutrc3982.exe
2844	tgytutrc3982.exe
2844	tgytutrc3982.exe
2844	tgytutrc3982.exe
2844	tgytutrc3982.exe
2844	tgytutrc3982.exe
2844	tgytutrc3982.exe
2844	tgytutrc3982.exe
2844	tgytutrc3982.exe
2844	tgytutrc3982.exe
2844	tgytutrc3982.exe
2844	tgytutrc3982.exe
2844	tgytutrc3982.exe
2844	tgytutrc3982.exe
2844	tgytutrc3982.exe
2848	tgytutrc3982.exe
2848	tgytutrc3982.exe
2848	tgytutrc3982.exe
2848	tgytutrc3982.exe
2848	tgytutrc3982.exe
2848	tgytutrc3982.exe
2848	tgytutrc3982.exe
2848	tgytutrc3982.exe
2848	tgytutrc3982.exe
2848	tgytutrc3982.exe
2848	tgytutrc3982.exe
2848	tgytutrc3982.exe
2848	tgytutrc3982.exe
2848	tgytutrc3982.exe
2608	tgytutrc3982.exe
2608	tgytutrc3982.exe
2840	tgytutrc3982.exe
2840	tgytutrc3982.exe
1956	tgytutrc3982.exe
1956	tgytutrc3982.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1588	tgytutrc3982.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
Token: SeBackupPrivilege	2996	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
Token: SeRestorePrivilege	2996	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
Token: SeLockMemoryPrivilege	2996	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
Token: SeCreateGlobalPrivilege	2996	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
Token: SeDebugPrivilege	2920	tgytutrc3982.exe
Token: SeBackupPrivilege	2920	tgytutrc3982.exe
Token: SeRestorePrivilege	2920	tgytutrc3982.exe
Token: SeLockMemoryPrivilege	2920	tgytutrc3982.exe
Token: SeCreateGlobalPrivilege	2920	tgytutrc3982.exe
Token: SeDebugPrivilege	1280	tgytutrc3982.exe
Token: SeBackupPrivilege	1280	tgytutrc3982.exe
Token: SeRestorePrivilege	1280	tgytutrc3982.exe
Token: SeLockMemoryPrivilege	1280	tgytutrc3982.exe
Token: SeCreateGlobalPrivilege	1280	tgytutrc3982.exe
Token: SeDebugPrivilege	1956	tgytutrc3982.exe
Token: SeDebugPrivilege	2792	tgytutrc3982.exe
Token: SeDebugPrivilege	2848	tgytutrc3982.exe
Token: SeBackupPrivilege	1956	tgytutrc3982.exe
Token: SeBackupPrivilege	2792	tgytutrc3982.exe
Token: SeBackupPrivilege	2848	tgytutrc3982.exe
Token: SeRestorePrivilege	1956	tgytutrc3982.exe
Token: SeRestorePrivilege	2792	tgytutrc3982.exe
Token: SeRestorePrivilege	2848	tgytutrc3982.exe
Token: SeLockMemoryPrivilege	1956	tgytutrc3982.exe
Token: SeLockMemoryPrivilege	2792	tgytutrc3982.exe
Token: SeLockMemoryPrivilege	2848	tgytutrc3982.exe
Token: SeCreateGlobalPrivilege	1956	tgytutrc3982.exe
Token: SeCreateGlobalPrivilege	2792	tgytutrc3982.exe
Token: SeCreateGlobalPrivilege	2848	tgytutrc3982.exe
Token: SeDebugPrivilege	2608	tgytutrc3982.exe
Token: SeBackupPrivilege	2608	tgytutrc3982.exe
Token: SeRestorePrivilege	2608	tgytutrc3982.exe
Token: SeLockMemoryPrivilege	2608	tgytutrc3982.exe
Token: SeCreateGlobalPrivilege	2608	tgytutrc3982.exe
Token: SeDebugPrivilege	2844	tgytutrc3982.exe
Token: SeDebugPrivilege	2840	tgytutrc3982.exe
Token: SeBackupPrivilege	2844	tgytutrc3982.exe
Token: SeBackupPrivilege	2840	tgytutrc3982.exe
Token: SeRestorePrivilege	2844	tgytutrc3982.exe
Token: SeRestorePrivilege	2840	tgytutrc3982.exe
Token: SeLockMemoryPrivilege	2844	tgytutrc3982.exe
Token: SeLockMemoryPrivilege	2840	tgytutrc3982.exe
Token: SeCreateGlobalPrivilege	2844	tgytutrc3982.exe
Token: SeCreateGlobalPrivilege	2840	tgytutrc3982.exe
Token: SeDebugPrivilege	2348	tgytutrc3982.exe
Token: SeBackupPrivilege	2348	tgytutrc3982.exe
Token: SeRestorePrivilege	2348	tgytutrc3982.exe
Token: SeLockMemoryPrivilege	2348	tgytutrc3982.exe
Token: SeCreateGlobalPrivilege	2348	tgytutrc3982.exe
Token: SeDebugPrivilege	2040	tgytutrc3982.exe
Token: SeBackupPrivilege	2040	tgytutrc3982.exe
Token: SeRestorePrivilege	2040	tgytutrc3982.exe
Token: SeLockMemoryPrivilege	2040	tgytutrc3982.exe
Token: SeCreateGlobalPrivilege	2040	tgytutrc3982.exe
Token: SeDebugPrivilege	2916	tgytutrc3982.exe
Token: SeBackupPrivilege	2916	tgytutrc3982.exe
Token: SeRestorePrivilege	2916	tgytutrc3982.exe
Token: SeLockMemoryPrivilege	2916	tgytutrc3982.exe
Token: SeCreateGlobalPrivilege	2916	tgytutrc3982.exe
Token: SeDebugPrivilege	2164	tgytutrc3982.exe
Token: SeBackupPrivilege	2164	tgytutrc3982.exe
Token: SeRestorePrivilege	2164	tgytutrc3982.exe
Token: SeLockMemoryPrivilege	2164	tgytutrc3982.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 2996	1792	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe	28
PID 1792 wrote to memory of 2996	1792	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe	28
PID 1792 wrote to memory of 2996	1792	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe	28
PID 1792 wrote to memory of 2996	1792	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe	28
PID 2996 wrote to memory of 2764	2996	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe	29
PID 2996 wrote to memory of 2764	2996	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe	29
PID 2996 wrote to memory of 2764	2996	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe	29
PID 2996 wrote to memory of 2764	2996	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe	29
PID 2996 wrote to memory of 2920	2996	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe	31
PID 2996 wrote to memory of 2920	2996	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe	31
PID 2996 wrote to memory of 2920	2996	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe	31
PID 2996 wrote to memory of 2920	2996	2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe	31
PID 2920 wrote to memory of 2484	2920	tgytutrc3982.exe	34
PID 2920 wrote to memory of 2484	2920	tgytutrc3982.exe	34
PID 2920 wrote to memory of 2484	2920	tgytutrc3982.exe	34
PID 2920 wrote to memory of 2484	2920	tgytutrc3982.exe	34
PID 2920 wrote to memory of 2744	2920	tgytutrc3982.exe	33
PID 2920 wrote to memory of 2744	2920	tgytutrc3982.exe	33
PID 2920 wrote to memory of 2744	2920	tgytutrc3982.exe	33
PID 2920 wrote to memory of 2744	2920	tgytutrc3982.exe	33
PID 2920 wrote to memory of 2652	2920	tgytutrc3982.exe	35
PID 2920 wrote to memory of 2652	2920	tgytutrc3982.exe	35
PID 2920 wrote to memory of 2652	2920	tgytutrc3982.exe	35
PID 2920 wrote to memory of 2652	2920	tgytutrc3982.exe	35
PID 2920 wrote to memory of 2284	2920	tgytutrc3982.exe	36
PID 2920 wrote to memory of 2284	2920	tgytutrc3982.exe	36
PID 2920 wrote to memory of 2284	2920	tgytutrc3982.exe	36
PID 2920 wrote to memory of 2284	2920	tgytutrc3982.exe	36
PID 2920 wrote to memory of 2904	2920	tgytutrc3982.exe	37
PID 2920 wrote to memory of 2904	2920	tgytutrc3982.exe	37
PID 2920 wrote to memory of 2904	2920	tgytutrc3982.exe	37
PID 2920 wrote to memory of 2904	2920	tgytutrc3982.exe	37
PID 2920 wrote to memory of 2152	2920	tgytutrc3982.exe	40
PID 2920 wrote to memory of 2152	2920	tgytutrc3982.exe	40
PID 2920 wrote to memory of 2152	2920	tgytutrc3982.exe	40
PID 2920 wrote to memory of 2152	2920	tgytutrc3982.exe	40
PID 2152 wrote to memory of 2560	2152	net.exe	44
PID 2152 wrote to memory of 2560	2152	net.exe	44
PID 2152 wrote to memory of 2560	2152	net.exe	44
PID 2920 wrote to memory of 2988	2920	tgytutrc3982.exe	45
PID 2920 wrote to memory of 2988	2920	tgytutrc3982.exe	45
PID 2920 wrote to memory of 2988	2920	tgytutrc3982.exe	45
PID 2920 wrote to memory of 2988	2920	tgytutrc3982.exe	45
PID 2988 wrote to memory of 1156	2988	net.exe	47
PID 2988 wrote to memory of 1156	2988	net.exe	47
PID 2988 wrote to memory of 1156	2988	net.exe	47
PID 2920 wrote to memory of 1280	2920	tgytutrc3982.exe	48
PID 2920 wrote to memory of 1280	2920	tgytutrc3982.exe	48
PID 2920 wrote to memory of 1280	2920	tgytutrc3982.exe	48
PID 2920 wrote to memory of 1280	2920	tgytutrc3982.exe	48
PID 2920 wrote to memory of 1956	2920	tgytutrc3982.exe	49
PID 2920 wrote to memory of 1956	2920	tgytutrc3982.exe	49
PID 2920 wrote to memory of 1956	2920	tgytutrc3982.exe	49
PID 2920 wrote to memory of 1956	2920	tgytutrc3982.exe	49
PID 2920 wrote to memory of 2608	2920	tgytutrc3982.exe	50
PID 2920 wrote to memory of 2608	2920	tgytutrc3982.exe	50
PID 2920 wrote to memory of 2608	2920	tgytutrc3982.exe	50
PID 2920 wrote to memory of 2608	2920	tgytutrc3982.exe	50
PID 2920 wrote to memory of 2792	2920	tgytutrc3982.exe	52
PID 2920 wrote to memory of 2792	2920	tgytutrc3982.exe	52
PID 2920 wrote to memory of 2792	2920	tgytutrc3982.exe	52
PID 2920 wrote to memory of 2792	2920	tgytutrc3982.exe	52
PID 2920 wrote to memory of 2844	2920	tgytutrc3982.exe	51
PID 2920 wrote to memory of 2844	2920	tgytutrc3982.exe	51

C:\Users\Admin\AppData\Local\Temp\2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\AppData\Local\Temp\3582-490\2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c move /y C:\Users\Admin\AppData\Local\Temp\3582-490\2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
    3⤵
    PID:2764
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -m
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\system32\logoff.exe
      C:\Windows\system32\logoff.exe 0
      4⤵
      PID:2744
  - - C:\Windows\system32\logoff.exe
      C:\Windows\system32\logoff.exe 0
      4⤵
      PID:2484
  - - C:\Windows\system32\logoff.exe
      C:\Windows\system32\logoff.exe 0
      4⤵
      PID:2652
  - - C:\Windows\system32\logoff.exe
      C:\Windows\system32\logoff.exe 0
      4⤵
      PID:2284
  - - C:\Windows\system32\logoff.exe
      C:\Windows\system32\logoff.exe 0
      4⤵
      PID:2904
  - - C:\Windows\system32\net.exe
      C:\Windows\system32\net.exe user Admin HuHuHUHoHo283283@dJD
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2152
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin HuHuHUHoHo283283@dJD
        5⤵
        
        PID:2560
  - - C:\Windows\system32\net.exe
      C:\Windows\system32\net.exe user Administrator HuHuHUHoHo283283@dJD
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Administrator HuHuHUHoHo283283@dJD
        5⤵
        
        PID:1156
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1280
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2844
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2792
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      PID:2348
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2164
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:1552
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:2440
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:2096
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:2172
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:1788
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:1312
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:1752
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:2200
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:1020
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:984
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:848
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:2188
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:1868
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:1688
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:1340
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:872
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:1808
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:2560
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:3008
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:328
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:740
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:980
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:880
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:1780
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1872
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:1380
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:540
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1080
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1100
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:956
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2204
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2132
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      Suspicious behavior: RenamesItself
      PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2888
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:3048
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:884
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2164
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2812
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1316
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:320
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:980
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2228
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1756
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2236
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1060
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2348
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2768
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1352
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2908
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2588
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:660
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1652
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1328
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2964
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:392
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2928
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2260
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:1872
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1372
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2240
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1136
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2452
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:292
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2436
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:3008
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:3052
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2164
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2124
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1824
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2172
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1280
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:372
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2244
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1320
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1840
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1372
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2552
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1500
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2788
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2492
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1820
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:272
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2200
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:624
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1776
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2332
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2380
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:320
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1104
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2440
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1340
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1240
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1376
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1136
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1572
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1752
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:328
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2804
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2112
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2452
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1592
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1316
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2340
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1248
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1756
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1776
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2200
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2128
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1840
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:112
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2768
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2108
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2404
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1136
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:736
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1276
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1916
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2072
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2552
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2000
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:552
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1292
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2660
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1164
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:296
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2928
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2200
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1776
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2172
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:880
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2524
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:924
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1372
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:528
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1392
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2888
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2324
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:828
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1932
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1728
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:616
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:328
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2132
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:872
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2580
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2284
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2908
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2140
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:3052
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2872
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2928
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2024
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2548
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1100
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2080
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2172
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2940
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2804
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2496
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1452
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2244
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1908
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1932
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1488
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2016
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1704
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2100
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2160
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:672
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2284
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2024
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1824
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1412
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2488
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2552
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1296
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1552
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1376
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1264
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1104
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2164
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2992
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2000
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:688
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1108
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1776
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1276
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2052
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1268
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1408
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2192
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1464
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2284
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1824
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1600
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:616
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1868
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1240
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2380
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1328
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1388
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:368
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:576
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:660
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2996
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1196
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1504
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:684
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:624
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2332
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1156
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1076
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1660
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:292
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2344
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2660
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2244
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1728
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1644
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1108
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1240
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:528
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:984
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:372
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:576
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:672
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1856
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2132
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1368
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1320
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1908
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1132
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1156
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1104
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1872
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1060
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1820
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1376
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1076
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1864
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:872
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2496
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2280
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2504
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1016
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:916
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1028
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2768
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1404
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2852
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:764
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:296
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1552
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1744
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2412
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2000
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1108
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:908
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:572
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1020
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2988
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:440
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2132
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1104
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2688
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1372
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:952
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:936
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1684
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:804
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2128
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1060
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1412
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:320
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:684
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2580
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2164
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1932
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:660
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1760
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:156
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:572
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2468
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:920
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2560
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2524
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1820
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:304
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      Executes dropped EXE
      PID:1080
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:576
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1752
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1352
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2492
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1464
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1768
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2220
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:736
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1420
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2888
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:540
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2140
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1688
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1152
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2844
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe -i SM-tgytutrc -s
      4⤵
      PID:2916

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1204 -s 1408
1⤵
- Program crash
PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
186KB

MD5
18f91cb2e509a184b5e9a17ea43f70b1

SHA1
c9d14869c34c5beff3b59bb6611cedc629d0def0

SHA256
ca945ceb4565394bc2541cab24544c3dc70a366e2615301cd2777829e883e9b0

SHA512
16b0388acbd6a355e813c6bc2b84228743129861b0063c40237ac89c1038dd2329162ceda988c40fe08f65d056a83d0ee4c7a13da0cead3bbea30160a98c50dc

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
548KB

MD5
a34294d0a18848c5f4b666ea2335b38b

SHA1
21045bbf6665ccdaf29f541812bc477c4a596edb

SHA256
55af2096a203f8f057e7d43a2cff68db0cb8e1a68c1e19c9e5779d9152de480c

SHA512
8251f7244a7490ce69bfe35b46e7b9297495c11092e1fc21f5e7a7647f4a418c3148df2af426c659cd60f466ad7e3db879de05e673efedb6bfa9f80c9f8b38fc

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
485KB

MD5
86749cd13537a694795be5d87ef7106d

SHA1
538030845680a8be8219618daee29e368dc1e06c

SHA256
8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5

SHA512
7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
674KB

MD5
97510a7d9bf0811a6ea89fad85a9f3f3

SHA1
2ac0c49b66a92789be65580a38ae9798237711db

SHA256
c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea

SHA512
2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
674KB

MD5
ca4d823b4dd4ef4aecceebe32b83c110

SHA1
087f52eebaef4258b8619902b943ac3a6a6282b9

SHA256
f14aa68cb8b347bfa4f1906a887f6b1f4415668c00bdeb0c7121fe766da758f6

SHA512
d2b57a56af5402aef30a4668f296b65f57111171e39fbd0ad0f5a9a30be92f7e25a0f311327d5558d26f80844d45d9bc9bf0b971bfa2042e72c873c708f0ef89

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
495KB

MD5
5426944af6f7929cfe5ed180a2bd1141

SHA1
a8782485425225a80cff05fdfbeb72bcf8901632

SHA256
7694af44516546e54b02f7bac1c658522928a0041165fa887f388f9374897d03

SHA512
fcb17c737004a4f69231d20ec0718bc6b0058327073a7421d58225a992d4fe9b3926740bbfd0f031ee33bee60b05fed1435a107421e21b6ae7726306c714584b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgytutrc3982.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
b0c3680511bb097c2b306a275ed5740e

SHA1
af8d16caf2bc6ec3b79d2ee5b8032d61f6b07d2d

SHA256
7fa663bf6aa840278f94e46ae7572bb41474adf1d80e8ab4ec5e4550fcf30314

SHA512
bbe0eec4863d226eca393380ae6fa662c24563bf4fffd1b96b11b45d7cce23c0fea0fae5f66cc743f6acfe3cea89c4218e463dc29cda4f2bbc0ff352bd9d3270

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\2023-08-22_e82c5e5d888935b99f1d4404eee4d63f_locker-goga_neshta_JC.exe

Filesize
1.2MB

MD5
a875bb6ba6d2c986ed2cf086f1046e4f

SHA1
7cca904e7a581057bd3d21545a097b336fff3fc9

SHA256
cc39fa68ba131e673ef7617e76af43a3094ca1379337339c21e6f687ebed177e

SHA512
d80a3160915a7b494f5058287596241a2716ce3bf0142a91db5dbe6a45634829815afd737023df7bd71eb4d73ee19e226b4cf0be3bcbe12d8ad606e780bfbe69

Download Submit
memory/1792-413-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1792-141-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1792-492-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download