phemedrone | de08c69d06b2f176058aa6001b9f9195ef9599f1f79b783e21762046258583d3

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-03-2024 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcrat/DCRat.exe
Size

15.7MB
MD5

f0c212a5f3cb30f35c1022ca2e172310
SHA1

89314ac31d667f81f603b3dab508dda12febb126
SHA256

6a465d867459eb8b26608afa566973ad424afb0b12d3e266706e8c42da3c6908
SHA512

15b562bae7c8977366f46ea71c1bf72d99da77904561e99a10bbc6ad88b3b8bd1e811712ca69410b98f9e492ffe4205bc4782a22304a6f0d73cd2d90a334c90f
SSDEEP

393216:q/HI7rq9dB4FTqNEkS2DZVBcZn0uDLpBjp2NkM5:qwCrBJlSCcZ0iNGz5

Score

10^/10

phemedrone microsoft discovery phishing spyware stealer

Malware Config

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DCRat.exeSetupTcpipDriver.exeHelper.exeHelper.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	DCRat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	SetupTcpipDriver.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Helper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Helper.exe

Drops startup file 3 IoCs

Processes:

regedit.exeSetupTcpipDriver.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.exe	regedit.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.exe	SetupTcpipDriver.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.exe	SetupTcpipDriver.exe

Executes dropped EXE 11 IoCs

Processes:

DCRatLauncher.exeSetupUDPDriver.exeHyfatok.exeSetupTCPIP6Driver.exeSetupTcpipDriver.exeregedit.exeCL_Debug_Log.txtHelper.exeHelper.exeHelper.exetor.exe

pid	process
2468	DCRatLauncher.exe
3216	SetupUDPDriver.exe
3068	Hyfatok.exe
4588	SetupTCPIP6Driver.exe
396	SetupTcpipDriver.exe
3264	regedit.exe
3688	CL_Debug_Log.txt
6456	Helper.exe
1524	Helper.exe
6904	Helper.exe
7092	tor.exe

Loads dropped DLL 6 IoCs

Processes:

tor.exe

pid process

7092 tor.exe
7092 tor.exe
7092 tor.exe
7092 tor.exe
7092 tor.exe
7092 tor.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3400 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

27 ip-api.com
42 ip-api.com

pid	process
7092	tor.exe
7092	tor.exe
7092	tor.exe
7092	tor.exe
7092	tor.exe
7092	tor.exe

pid	process
3400	icacls.exe

flow	ioc
27	ip-api.com
42	ip-api.com

AutoIT Executable 9 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\64.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\32.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in System32 directory 5 IoCs

Processes:

DCRat.exeSetupTcpipDriver.exe

description	ioc	process
File created	C:\Windows\System32\SetupTCPIP6Driver.exe	DCRat.exe
File opened for modification	C:\Windows\System32\SetupTCPIP6Driver.exe	DCRat.exe
File created	C:\Windows\System32\SetupTcpipDriver.exe	DCRat.exe
File opened for modification	C:\Windows\System32\SetupTcpipDriver.exe	DCRat.exe
File opened for modification	C:\Windows\System32\SetupTcpipDriver.exe	SetupTcpipDriver.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Helper.exe

description pid process target process

PID 1524 set thread context of 6904 1524 Helper.exe Helper.exe

description	pid	process	target process
PID 1524 set thread context of 6904	1524	Helper.exe	Helper.exe

Drops file in Program Files directory 12 IoCs

Processes:

javaw.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2412 schtasks.exe

pid	process
2412	schtasks.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
2624	timeout.exe
2300	timeout.exe
5928	timeout.exe
5704	timeout.exe
5132	timeout.exe
6948	timeout.exe
1016	timeout.exe
860	timeout.exe
6512	timeout.exe
6348	timeout.exe
3540	timeout.exe
2028	timeout.exe
7932	timeout.exe
860	timeout.exe
6156	timeout.exe
5088	timeout.exe
6480	timeout.exe
4532	timeout.exe
6596	timeout.exe
6140	timeout.exe
5972	timeout.exe
6904	timeout.exe
4564	timeout.exe
7788	timeout.exe
6076	timeout.exe
5516	timeout.exe
7120	timeout.exe
5720	timeout.exe
5364	timeout.exe
7540	timeout.exe
4284	timeout.exe
6044	timeout.exe
6832	timeout.exe
6340	timeout.exe
7164	timeout.exe
3756	timeout.exe
2092	timeout.exe
3692	timeout.exe
644	timeout.exe
4300	timeout.exe
5268	timeout.exe
3304	timeout.exe
5296	timeout.exe
5884	timeout.exe
5944	timeout.exe
6468	timeout.exe
7260	timeout.exe
7292	timeout.exe
5008	timeout.exe
6624	timeout.exe
5812	timeout.exe
7604	timeout.exe
8056	timeout.exe
5720	timeout.exe
6636	timeout.exe
7060	timeout.exe
3268	timeout.exe
6576	timeout.exe
6460	timeout.exe
3648	timeout.exe
5920	timeout.exe
3868	timeout.exe
6732	timeout.exe
6620	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

NTFS ADS 3 IoCs

Processes:

SetupUDPDriver.exeHelper.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\dcrat\winmgmts:\QMWIRSIY\root\CIMV2	SetupUDPDriver.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winmgmts:\root\cimv2	Helper.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winmgmts:\QMWIRSIY\root\CIMV2	Helper.exe

Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

3264 regedit.exe

pid	process
3264	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DCRat.exepowershell.exepowershell.exepowershell.exeHyfatok.exepowershell.exeSetupUDPDriver.exe

pid	process
64	DCRat.exe
64	DCRat.exe
64	DCRat.exe
64	DCRat.exe
64	DCRat.exe
64	DCRat.exe
64	DCRat.exe
64	DCRat.exe
64	DCRat.exe
64	DCRat.exe
64	DCRat.exe
64	DCRat.exe
64	DCRat.exe
64	DCRat.exe
64	DCRat.exe
64	DCRat.exe
64	DCRat.exe
64	DCRat.exe
64	DCRat.exe
64	DCRat.exe
64	DCRat.exe
4568	powershell.exe
4568	powershell.exe
5052	powershell.exe
5052	powershell.exe
2768	powershell.exe
2768	powershell.exe
3068	Hyfatok.exe
1064	powershell.exe
1064	powershell.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

2400 msedge.exe
2400 msedge.exe
2400 msedge.exe
2400 msedge.exe
2400 msedge.exe
2400 msedge.exe
2400 msedge.exe
2400 msedge.exe
2400 msedge.exe

pid	process
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

DCRat.exepowershell.exepowershell.exepowershell.exeHyfatok.exepowershell.exepowershell.exeCL_Debug_Log.txtHelper.exe

description	pid	process
Token: SeDebugPrivilege	64	DCRat.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	3068	Hyfatok.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeRestorePrivilege	3688	CL_Debug_Log.txt
Token: 35	3688	CL_Debug_Log.txt
Token: SeSecurityPrivilege	3688	CL_Debug_Log.txt
Token: SeSecurityPrivilege	3688	CL_Debug_Log.txt
Token: SeRestorePrivilege	6904	Helper.exe
Token: 35	6904	Helper.exe
Token: SeSecurityPrivilege	6904	Helper.exe
Token: SeSecurityPrivilege	6904	Helper.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

SetupUDPDriver.exemsedge.exeHelper.exeHelper.exe

pid	process
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
6456	Helper.exe
6456	Helper.exe
6456	Helper.exe
1524	Helper.exe
1524	Helper.exe
1524	Helper.exe

Suspicious use of SendNotifyMessage 33 IoCs

Processes:

SetupUDPDriver.exemsedge.exeHelper.exeHelper.exe

pid	process
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
3216	SetupUDPDriver.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
2400	msedge.exe
6456	Helper.exe
6456	Helper.exe
6456	Helper.exe
1524	Helper.exe
1524	Helper.exe
1524	Helper.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

DCRat.exeDCRatLauncher.exejavaw.exeSetupTcpipDriver.exeSetupUDPDriver.execmd.exeSetupTCPIP6Driver.exemsedge.execmd.exe

description	pid	process	target process
PID 64 wrote to memory of 4568	64	DCRat.exe	powershell.exe
PID 64 wrote to memory of 4568	64	DCRat.exe	powershell.exe
PID 64 wrote to memory of 2468	64	DCRat.exe	DCRatLauncher.exe
PID 64 wrote to memory of 2468	64	DCRat.exe	DCRatLauncher.exe
PID 64 wrote to memory of 2468	64	DCRat.exe	DCRatLauncher.exe
PID 64 wrote to memory of 5052	64	DCRat.exe	powershell.exe
PID 64 wrote to memory of 5052	64	DCRat.exe	powershell.exe
PID 2468 wrote to memory of 3248	2468	DCRatLauncher.exe	javaw.exe
PID 2468 wrote to memory of 3248	2468	DCRatLauncher.exe	javaw.exe
PID 64 wrote to memory of 3216	64	DCRat.exe	SetupUDPDriver.exe
PID 64 wrote to memory of 3216	64	DCRat.exe	SetupUDPDriver.exe
PID 64 wrote to memory of 3216	64	DCRat.exe	SetupUDPDriver.exe
PID 3248 wrote to memory of 3400	3248	javaw.exe	icacls.exe
PID 3248 wrote to memory of 3400	3248	javaw.exe	icacls.exe
PID 64 wrote to memory of 2768	64	DCRat.exe	powershell.exe
PID 64 wrote to memory of 2768	64	DCRat.exe	powershell.exe
PID 64 wrote to memory of 3068	64	DCRat.exe	Hyfatok.exe
PID 64 wrote to memory of 3068	64	DCRat.exe	Hyfatok.exe
PID 64 wrote to memory of 1064	64	DCRat.exe	powershell.exe
PID 64 wrote to memory of 1064	64	DCRat.exe	powershell.exe
PID 64 wrote to memory of 4588	64	DCRat.exe	SetupTCPIP6Driver.exe
PID 64 wrote to memory of 4588	64	DCRat.exe	SetupTCPIP6Driver.exe
PID 64 wrote to memory of 4588	64	DCRat.exe	SetupTCPIP6Driver.exe
PID 64 wrote to memory of 2088	64	DCRat.exe	powershell.exe
PID 64 wrote to memory of 2088	64	DCRat.exe	powershell.exe
PID 64 wrote to memory of 396	64	DCRat.exe	timeout.exe
PID 64 wrote to memory of 396	64	DCRat.exe	timeout.exe
PID 396 wrote to memory of 3264	396	SetupTcpipDriver.exe	regedit.exe
PID 396 wrote to memory of 3264	396	SetupTcpipDriver.exe	regedit.exe
PID 3216 wrote to memory of 3688	3216	SetupUDPDriver.exe	CL_Debug_Log.txt
PID 3216 wrote to memory of 3688	3216	SetupUDPDriver.exe	CL_Debug_Log.txt
PID 3216 wrote to memory of 3688	3216	SetupUDPDriver.exe	CL_Debug_Log.txt
PID 3216 wrote to memory of 4376	3216	SetupUDPDriver.exe	cmd.exe
PID 3216 wrote to memory of 4376	3216	SetupUDPDriver.exe	cmd.exe
PID 3216 wrote to memory of 4376	3216	SetupUDPDriver.exe	cmd.exe
PID 4376 wrote to memory of 2412	4376	cmd.exe	timeout.exe
PID 4376 wrote to memory of 2412	4376	cmd.exe	timeout.exe
PID 4376 wrote to memory of 2412	4376	cmd.exe	timeout.exe
PID 4588 wrote to memory of 2400	4588	SetupTCPIP6Driver.exe	msedge.exe
PID 4588 wrote to memory of 2400	4588	SetupTCPIP6Driver.exe	msedge.exe
PID 3216 wrote to memory of 1948	3216	SetupUDPDriver.exe	cmd.exe
PID 3216 wrote to memory of 1948	3216	SetupUDPDriver.exe	cmd.exe
PID 3216 wrote to memory of 1948	3216	SetupUDPDriver.exe	cmd.exe
PID 2400 wrote to memory of 3248	2400	msedge.exe	msedge.exe
PID 2400 wrote to memory of 3248	2400	msedge.exe	msedge.exe
PID 1948 wrote to memory of 720	1948	cmd.exe	RuntimeBroker.exe
PID 1948 wrote to memory of 720	1948	cmd.exe	RuntimeBroker.exe
PID 1948 wrote to memory of 720	1948	cmd.exe	RuntimeBroker.exe
PID 1948 wrote to memory of 2588	1948	cmd.exe	timeout.exe
PID 1948 wrote to memory of 2588	1948	cmd.exe	timeout.exe
PID 1948 wrote to memory of 2588	1948	cmd.exe	timeout.exe
PID 1948 wrote to memory of 4712	1948	cmd.exe	timeout.exe
PID 1948 wrote to memory of 4712	1948	cmd.exe	timeout.exe
PID 1948 wrote to memory of 4712	1948	cmd.exe	timeout.exe
PID 1948 wrote to memory of 3096	1948	cmd.exe	timeout.exe
PID 1948 wrote to memory of 3096	1948	cmd.exe	timeout.exe
PID 1948 wrote to memory of 3096	1948	cmd.exe	timeout.exe
PID 1948 wrote to memory of 1276	1948	cmd.exe	timeout.exe
PID 1948 wrote to memory of 1276	1948	cmd.exe	timeout.exe
PID 1948 wrote to memory of 1276	1948	cmd.exe	timeout.exe
PID 1948 wrote to memory of 1592	1948	cmd.exe	timeout.exe
PID 1948 wrote to memory of 1592	1948	cmd.exe	timeout.exe
PID 1948 wrote to memory of 1592	1948	cmd.exe	timeout.exe
PID 1948 wrote to memory of 1016	1948	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\dcrat\DCRat.exe
"C:\Users\Admin\AppData\Local\Temp\dcrat\DCRat.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:64
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dcrat\DCRatLauncher.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4568
- C:\Users\Admin\AppData\Local\Temp\dcrat\DCRatLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\dcrat\DCRatLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dprism.dirtyopts=false -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\IIIllllIlIlllIlIIIIlllIlIlIlllllIIIlIIllllIIIlIllIIlIIllllIIllllllIIlIIIIIIlllIIIlIllllllIIllIlIllIlllIllIlIIIIIIIIllllI.jar;lib\IIIllllIlIlllIlIIIIlllIlIlIlllllIIIlIIllllIIIlIllIIlIIllllIIllllllIIlIIIIIIlllIIIlIllllllIIllIlIllIlllIllIlIIIIIIIIllllIIilIl.jar;lib\IIlIlIllIIlIIllIIllIIlIIIllIlIlIlIIIIlIlIllIIlIIllIIIIIllIIIIlIIIlIIlIIlIIlIllIIlllIIIllIIIlIIlIllllIllIIIIlIIIlIllllllI.jar;lib\IlIIlIllllIIIIIlIlllIllIlIlIIIIIlIIIlIlIlllIIllIllIIIIIIlIIlllIIIlIIIlllIIIlllllIlIlIlllllIIlIllIIlIIlIIlIIIlllllllIlIII.jar;lib\IlIlIIIIIIIlIlllllllIllIIlIIllIllllIIIlIIIlIlIIlIIlIIlIllIlllIlIlIIllIIlIIIIIIIlIIIIIIIIIlIlllIIllIlIIlIIIlIlIlllIIIIIIl.jar;lib\IlIllIIllllllllIlIIlllllIIIIllIIIlIIlllIIllIIllllIIllIlIIIlIIIIlIIIIIlllllllIllIIlIlIllIIlIlIlIIllIlIllIIIlIIIIlIllIIIIl.jar;lib\IllIIIIllIlIIIIlIlIllIIlIIllIIlIllIIlllllIlllIllIlIIlIIlllIIlIlIlIllIllIIlIIIlIIIllIIIIIllIIlllllIlIIIIIlIIIIIIIIIIIIlII.jar;lib\lIIllIIlIlllIlIlllIlIIlIIIlllllIIlIlIIllIllIlIlllIlIIlIlIlIIllIlIIIIIllIIlIIlIIlIIllIIIlIIllIlIIIIlIlIIlIIlIllIIlIIlIlIl.jar;lib\llIlIIIIlIlIlllllIlIIllllIIIlIlIllllIIllllIlllIIlllllIIlIlllIIIIIIlIIllIIIlIlIlllIlIIIlIIIIIllIlllIlllIIllIIllIlIlIIlllI.jar;lib\llIlIlIIIllllIIIllllllllllIllIlIlllIIlllIIlllIIllIIllllIlllIIIIIllllIIlllIIllIIIIlIlIlIlIIIlIIIlIlIlIlIIlllIIlllIlIlIlII.jar;lib\lllIIlIlIIlIIllllIIllllIIlIllllIIIlIllllIIllIIIlllIIIIIIlIIlllIIllIllIIlllIlIIlIlIlllIIlllIlllIlIIlIIIllIlllIIIlIIIIIlll.jar;lib\lllIlIIIIIlIllIlIlIIllIlIIIlIIllIllllIIIIIllIlllIllIIllIIllIllIllIIlIlllllIIlIllIllIIlIIlIIIllIlIlIIlIIIIIIIllIIlllIllIl.jar;lib\llllIlIIIIIllllIlIIIlIllIlIIIllllIIIllIllllIIlllIlIIIlllIIlIlIlllIIlIIIIlIIIIlllIIlIIlIlIIIIIIIIllllIllIlIIIlIllIlIlIIll.jar;lib\llllIlIIlIllllIlIlIIIlIIIlIllIlIIIIlIlIIlIlIIIIllIIlIIllIIIllllIlIllIlllllIIIIIIIIllIllIlIlllllllIllIIIllllIIllIIlIllIll.jar" org.develnext.jphp.ext.javafx.FXLauncher
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:3248
  - - C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      4⤵
      Modifies file permissions
      PID:3400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5052
- C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe
  "C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe"
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3216
- - C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
    C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4376
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
      4⤵
      Creates scheduled task(s)
      PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c For /L %i In (0,0,0) Do (del "C:\Users\Admin\AppData\Local\Temp\SETUPU~1.EXE"&&timeout /t 0&&if not exist "C:\Users\Admin\AppData\Local\Temp\SETUPU~1.EXE" exit)
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:720
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2588
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4712
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3096
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1276
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1592
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1016
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1336
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3360
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:396
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3976
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2228
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4812
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3620
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:3648
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1716
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1336
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2560
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5088
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4856
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3692
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4812
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4968
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4068
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2624
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4632
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1384
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2012
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2412
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:3692
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4632
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:4300
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4568
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2984
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3376
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2412
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2300
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4300
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4568
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4376
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2728
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1384
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2336
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2500
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4632
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1384
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1008
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4632
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5140
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5160
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5188
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5228
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5372
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5444
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5464
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5488
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5508
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5532
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5556
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5580
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5608
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5628
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5652
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5672
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5692
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5716
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5740
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5776
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5968
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5992
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6012
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6036
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6056
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6076
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:6140
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3360
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4004
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2012
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5564
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:4284
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5744
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5304
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5332
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5400
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5312
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5260
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:5296
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5360
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5256
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:5972
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6004
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6024
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6044
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6056
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6108
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2852
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:644
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3744
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3868
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4704
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5168
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1808
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5372
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5468
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5176
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5516
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2012
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5540
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5684
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5584
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:5884
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5920
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:5944
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5892
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5860
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5744
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5304
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5392
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5960
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5284
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5296
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5784
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5976
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5992
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:216
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:6044
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5008
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:6076
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:860
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5152
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4152
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4164
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3068
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5464
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5500
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5512
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2012
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5680
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:5720
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5908
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:5928
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5944
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5740
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5316
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5368
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5400
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5960
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5356
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5396
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5980
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6036
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4776
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3168
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4164
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5492
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4888
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5512
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:5720
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5920
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4332
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5740
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5416
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:5268
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5328
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5356
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5976
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6044
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5008
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6076
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6024
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5188
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3168
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4764
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:5516
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5556
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5564
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5884
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5928
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4332
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5912
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5276
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5428
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:5704
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4328
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6088
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:860
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6024
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5456
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5464
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5516
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2216
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4848
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:5920
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4332
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5924
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5784
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5704
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6080
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6036
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4152
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4764
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5680
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5904
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4848
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5368
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5276
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5784
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:644
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:860
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4152
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5672
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5884
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5364
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5368
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2220
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6080
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6024
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3868
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5680
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5904
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5492
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:984
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5368
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:5008
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3268
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:3868
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5364
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5924
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6044
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6080
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6024
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3868
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5364
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5004
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5008
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:3268
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6088
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5268
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6036
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5464
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3268
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3272
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6080
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5464
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:5364
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5004
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3556
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5268
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6080
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5884
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5268
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6080
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1228
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3556
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1228
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6156
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6176
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6200
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6220
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6240
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6260
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6288
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6308
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6328
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6348
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6368
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6388
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6424
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6448
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:6468
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6488
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:6512
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6532
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6552
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:6576
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6596
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6616
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:6636
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6656
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6676
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6700
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6724
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6744
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6764
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6784
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6808
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6828
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6848
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6868
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6892
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6916
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6936
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6960
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6980
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7000
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7020
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7048
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7068
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7088
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7112
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7136
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7156
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6036
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:6156
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6204
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4148
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6252
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6272
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6312
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6340
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:6348
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6392
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6432
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6452
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4404
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:5132
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6516
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6540
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6552
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6608
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:6624
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6644
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6656
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6704
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6736
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6744
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6788
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6816
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6828
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6872
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:6904
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6924
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6936
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6968
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6980
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7028
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7056
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7068
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7116
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3968
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2368
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7136
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1228
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6180
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6200
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6228
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6248
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6300
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6316
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6340
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6400
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6280
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6288
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6500
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6520
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6556
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6604
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2524
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6796
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:6832
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6132
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6880
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6992
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7124
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6192
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6228
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6292
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6352
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6340
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6424
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6472
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6524
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:5088
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1660
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6732
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6796
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6832
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6924
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6872
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6984
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4484
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2368
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7024
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4976
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6812
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6292
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6316
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:6340
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6480
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4536
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1068
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6596
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5088
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6788
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6456
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5692
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:772
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:720
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7008
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6984
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1452
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5852
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7060
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7104
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6980
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6208
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3756
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6396
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:6460
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:6480
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6500
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6508
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3304
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6724
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6796
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3732
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2916
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:720
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:6732
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:7164
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:3540
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7028
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3192
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6492
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2028
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:3756
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6316
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6288
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6480
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6520
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3304
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6724
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:428
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:6948
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1420
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6336
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6168
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4376
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3192
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6904
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:4532
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6396
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1596
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:6620
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6520
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2524
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4512
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2116
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6916
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6336
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4336
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6168
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7028
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3192
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4532
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6180
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:6596
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2092
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:3304
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6948
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4512
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6732
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5088
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4564
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7120
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3992
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3768
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6340
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1596
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3916
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2092
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4512
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6884
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7060
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6168
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4572
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4532
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4536
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4312
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2092
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4196
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7164
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:4564
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6140
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3188
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4392
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6180
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:428
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:5812
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7164
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:7120
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:5864
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4392
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6948
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2268
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:7060
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3188
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3916
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7164
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4568
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3188
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2916
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7060
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6620
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3188
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6992
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:428
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3788
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4392
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6992
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4392
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:6992
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7176
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7196
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7216
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7240
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:7260
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:7292
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7344
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7420
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7484
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7532
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:7604
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7716
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7808
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7892
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7960
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:8056
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:8128
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7184
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7312
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7412
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7424
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7636
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7796
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7908
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:8044
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:8172
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7288
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7320
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7436
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7520
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7232
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7840
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:7932
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7944
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:4312
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7204
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7448
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7700
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7832
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7952
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:8064
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1048
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:7300
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:7540
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:7788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hyfatok.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Users\Admin\AppData\Local\Temp\Hyfatok.exe
  "C:\Users\Admin\AppData\Local\Temp\Hyfatok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\SetupTCPIP6Driver.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Windows\System32\SetupTCPIP6Driver.exe
  "C:\Windows\System32\SetupTCPIP6Driver.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=SetupTCPIP6Driver.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7fff71ba46f8,0x7fff71ba4708,0x7fff71ba4718
      4⤵
      PID:3248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,14040009857514220738,9875189291478875220,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
      4⤵
      PID:2056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,14040009857514220738,9875189291478875220,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
      4⤵
      PID:2224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,14040009857514220738,9875189291478875220,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
      4⤵
      PID:4544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14040009857514220738,9875189291478875220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
      4⤵
      PID:3508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14040009857514220738,9875189291478875220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
      4⤵
      PID:756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14040009857514220738,9875189291478875220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:1
      4⤵
      PID:2604
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,14040009857514220738,9875189291478875220,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
      4⤵
      PID:2500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,14040009857514220738,9875189291478875220,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
      4⤵
      PID:3712
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14040009857514220738,9875189291478875220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
      4⤵
      PID:5248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14040009857514220738,9875189291478875220,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
      4⤵
      PID:5256
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14040009857514220738,9875189291478875220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
      4⤵
      PID:5760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14040009857514220738,9875189291478875220,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
      4⤵
      PID:5768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14040009857514220738,9875189291478875220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
      4⤵
      PID:4280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14040009857514220738,9875189291478875220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2112 /prefetch:1
      4⤵
      PID:5408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=SetupTCPIP6Driver.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    PID:5148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff71ba46f8,0x7fff71ba4708,0x7fff71ba4718
      4⤵
      PID:5164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\SetupTcpipDriver.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\System32\SetupTcpipDriver.exe
  "C:\Windows\System32\SetupTcpipDriver.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Runs regedit.exe
    PID:3264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4164

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:720

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4656

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6456
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck63544
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - NTFS ADS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1524
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:6904
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe" -f TorConfig
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:7092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
e50a161000b91cf9fd05938dd66a133c

SHA1
ae954129d4769d4e56a72f0a26f4b0c737126498

SHA256
c243ef5d52d76e32cd22cd01706d041578ebdd31732227babdb8d5feca263019

SHA512
be245b3a47b789275d7c501f079dec6f4486c377790e2538e354c955a469d73e1447d182aed4ec0c10aaeb5cb55618931595e89662d19c449fa78ec875d974bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1b45169ebca0dceadb0f45697799d62

SHA1
803604277318898e6f5c6fb92270ca83b5609cd5

SHA256
4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60

SHA512
357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9ffb5f81e8eccd0963c46cbfea1abc20

SHA1
a02a610afd3543de215565bc488a4343bb5c1a59

SHA256
3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc

SHA512
2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
f3516c093dd24a36c6fd39b226d52b14

SHA1
e4fbd18cfd6e99a9e7f23269e49d114042d8b1ab

SHA256
5d01a2e3857878f985ddeceeba1fddbda79822e981bfa9ccd505efbeead38b73

SHA512
748b68fab2e4d232fa5648dd922c52d11a090514954bab34685d290944400e4311459d3a71abb6a301b59701eaea3b135a8f11aa20c2eb38da9e660a3c22564c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fdd1f7ab0e10326fc4bc8fb4e840570b

SHA1
8711c922b47f5cba9c6d89883b8214df65657240

SHA256
8d62b3db7fa0040d73df6f182d78e01d3ff00c87efb6a207aaa3d366b06dafa7

SHA512
969b8816b5b1cc5303307275d7b7c262e64a77685be15fd9cde4e0535ba9f4baea55be6634f0e8da542e0e852eec442205087d3806b169ee97bfaf52ff4a85fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
460f0975f63fb7e96bb888a8f2f96dbd

SHA1
ce9127b33b39f5f100aeda9b0146d1b716da7b20

SHA256
7ce2038f672bad3be34a2aa4e4f8b4b5fe402ccb09b2406dca0f64451dc31832

SHA512
c7c56df388b7215ad3bedb056a4a3f7db38e707a6a71abb73d5605262e3218d7de2547463e1b141d1cca6f975ae1a198004bea59af654179a0d227329c593647

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b5ea367ef4cac2da5ee5e679755f74ce

SHA1
2296c9eab896413b3206502a84eb8af7f2a12861

SHA256
8aeb81709d32991d625b7dd4a51ba78425df5689afbee91483e1ab21b341cc56

SHA512
3d58b4f1e82ded466394d5f10e7d4a56d855f004b51eaf5746ea8253450ccce88b671167bf17d6ca32bca72498f49d6f0bdb4ffcad85f155382bc10b4cd2ce1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
367B

MD5
40253e39cdfcfb048e561d0259257e2e

SHA1
4e50a3f1d66e039b52e4b834a1ca098e5232a359

SHA256
e41b69991811ce13cc074bb9a9ca867a118959daa88263d20a5ac7fd807df7b1

SHA512
c5db0ec9959009ef01a5e94daa8b683849d6a4dd2b9cb23206bd5f5dadc3b5a4bd012e1ca1aff2aefe9cfcf2dfbd2ef9b1a28bcd52ee7545f4a3475e52404a28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58b88d.TMP

Filesize
371B

MD5
71159186c21ca13d2f23d7ddf4568746

SHA1
7127a8278830f1fceaf9fdbdae5291ccecd1f1cb

SHA256
7cfe21317d7aca2f62bd1ee8c8cfede89bd54fb83b5e10db5d6c991d9045d344

SHA512
56a431301c5ad7978da2f993dd7ec904dff5341534917b186645561ed0b1af78b0d4a02b86ca0bb7794b29f6726b20c601f13908625e82a2c49ee6322b427495

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b63c65838fb4e162d942b3c23757bb6d

SHA1
35bb64d38a58fdef1ed6d2f90b36302b192cb4ae

SHA256
70f172727695de78bb17366b8588620b35f681af146f7fdbe3331a9c35526bbe

SHA512
4b39b11663876bcc375f17d1f8d21c600c3d4b7f96c49a11375792449be2895bb9d1be7bd249f54c224f5599d9dc5a87960bd4b82da59d41b63f2da3f432bc6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8420074dba4134dc6bc51c50d1e171a0

SHA1
813842a8181c9e6353bca067e27eb1fb62704565

SHA256
857b1a096e76514299354a2cb415bd84f2db5ba6aefd54abe133b3b976e6337d

SHA512
67ed57a8e1a84fe47ffbc47341c0b9dbb11d03343dc3cbca0232442790c88ba2bdbbeaf03c21d8b08561f7ca4a484cfaaa5bd16cef9f77c60ac3a57b509a8086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a9451a6b9669d49bd90704dff21beb85

SHA1
5f93d2dec01a31e04fc90c28eb1c5ca62c6fff80

SHA256
b2ff191507379930b97a212f869c3774c20b274e8fc9fcc96da5c154fb0e3056

SHA512
06634cb578f6ce8d721e6306004082073fc224b91ceea37ef870df87b12b2d5f59e7d08b20b520787a1d13f3edbbb004197bf70f180f86dd7f401a5ad289ccb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c1b0a9f26c3e1786191e94e419f1fbf9

SHA1
7f3492f4ec2d93e164f43fe2606b53edcffd8926

SHA256
796649641966f606d7217bb94c5c0a6194eef518815dacc86feacdd78d3c1113

SHA512
fa0290d77372c26a2f14cb9b0002c222bc757ce7ad02516b884c59a1108f42eb4c76884f9edb6c7149f7c3fac917eda99b72a3b1d72b7e118a1d5a73cadd15a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\32.exe

Filesize
7.4MB

MD5
ee325baaefbb16df6ec2548263ecc593

SHA1
77c7300915e170ab957ff9da1b2548ecc4b3f370

SHA256
7aded08a46fefe5fefe1a90cf2e7fe64e69705892b961bea68774067e412f3bf

SHA512
dee3ec5777a7db65a7fff207a5543a5360d066e1f030c103d28296711a360a2d93c1ca69aaef4a05dbd5c432f9f95f9003ba3a8a327918e0f1b05d456d3381eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.exe

Filesize
8.4MB

MD5
ac64e3cd7e18f772f2344bddc91bf8c5

SHA1
97cd0e490bafcb3dc1655584b9d9b4b135c3fed3

SHA256
b0842175bbf5191df471da4555e6688f38baa383dc1da196e51ed47a1432e3d4

SHA512
9b499eae8c6ff6269d929ad78fa0ce151ed32f0f64a2b4d7f0606b19486b78c6d0b8471e8368373ce5dc4a905b04d349894e042f3e559be7520445e5ebc37a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt

Filesize
722KB

MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt

Filesize
2.6MB

MD5
aa77195228b336219f175dd20a820b4f

SHA1
3b29f0224fb4ee2fe4f1f7793b2837b2b2e50317

SHA256
864d204d1c9e33f9e3a02634ad7e8128cef42f6bdf47fa4c360a5514c5fe60a6

SHA512
97d8590b1b79b66616833de2ce1536301138d1184cc35f0b262adac22cd18c267894ab8282bec0c85bf47f63ee0dd13166ae124e383f85e8a81f4f9b5f07a705

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hyfatok.exe

Filesize
84KB

MD5
9095c3e7ce04dd48e72178ebee7cd5c1

SHA1
bb21d1cb98b0ebfde2be9079c18152b340b26418

SHA256
9a212f20a8b74e3a0662ace826537cff60bd30a20cdb2b4dd43b8c69e5770bc1

SHA512
d01706a02e6de418bbacf2a0bd26c4706a66531934fdcdbd582df7403427293b7fe565ccfee7d941d30ec293bf09309c86fb52e2af7908d26f33fcb296f99c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe

Filesize
64KB

MD5
02a5d46ee61587fe90ef8f235e10c93a

SHA1
3ad674501ee265762cb2d633122347819e1e4561

SHA256
32fbfae8cb61f008bb15a0ba7293b8a27347ea61442fb6e8683eacb6444fe057

SHA512
fe8f5a6b2cb46e25b16ed01499b50592efde6c14780933a3f2a022b2e41e4b419b4ac61cc5805d693586107eda8447332a50ea5dd9995617efd110185db5f52c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe

Filesize
2.6MB

MD5
47ac74209ff57daa51778e4d0218746b

SHA1
80cc0ef44f637295c9ee2a007ffef822a4430cec

SHA256
8f321c0745fe134ef3871769456f1716043984c174df8b5c23ac9311215b51dc

SHA512
7c6973501b33733de3bbb33e624af1ad2eb013e92a173be26848226c5c89cc2e6e49dfde22819b1f5ba50d6e522765aec98ad417135bbb61d6219717b53657be

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe

Filesize
512KB

MD5
33534707e410c24964a051c25b97d433

SHA1
1aa59932c5051d703399421988b7f022cd452e77

SHA256
2685eee50a06c84de4ae57f96df198b28792edd5057225e7aaa2c14999bef40c

SHA512
0d688b0c3db9ef8c4cd12333be8e4808a148038f05f445770baed9f0ab568e97e949e8470019f005cdf7f4b3e10fdf9faa4d372b046498f29a0a98a79844e8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml

Filesize
2KB

MD5
9160347bec74471e1a79edfd950629ae

SHA1
c149a7e5aab6e349a70b7b458d0eaaa9d301c790

SHA256
0fe356f3d04bb43f772604b049fd2b20f3038ca2ce84bf9778b8ccdd481d77ab

SHA512
b8061834f658567a1e742496c38688bdecd60191a92163d47470f64aa1fba23e92dd36fa1d2bb7efa36f14002c0606013973718b9f107e62d845a17be4b0d358

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mv2wczxu.acp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut7F32.tmp

Filesize
2.1MB

MD5
e16f10c9e23047c5dcdf571997609fb4

SHA1
569ec2317ac40dce1bdcaccfd6b3b12fb33f824b

SHA256
9e0af209a58212b17ab9998fbcc8021f8557d76220499d5a6a3a40254a68c0ad

SHA512
c4b50a6bd07961e516bfe98e14caf212e8538b823d4b0735be2af41d38abaef1940afdccba820764d9fe7611308844b28191c212981457bc3259f30a7fce084f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcrat\DCRatLauncher.exe

Filesize
72KB

MD5
2c7d37e90dd8ab57d06dad5bc7956885

SHA1
da789c107c4c68b8250b6589e45e5a3cf7a9a143

SHA256
5ede5d774ab65f25357cf5a1fa5e354f6f2a9868651a0fa717485802b21b1939

SHA512
e74ae891771bfd9c6fcdfbe8e4f33f0d5f7c3457cd84b257500cdaf8fa8b16fe458a18db9b3a60591465982fc2871f4c3f2e7541c765f00a0516f805e7e9ca0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
3.6MB

MD5
2319bedc984fb650ac70f3dc04540729

SHA1
b190fc72ba3c4b4213d567a9872f976693ca4198

SHA256
f07780e021bac027086f776584754db70d258fcc2702dd8b804099b916194de3

SHA512
43779e01de0acb440e4027bb59e8d8b300472c6286a27308bbfc39a89929cba31160d021c357d6641ef4cd7adb364bd3a5065395b375e9841b734c23d863feb6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
4.1MB

MD5
f06be492e3beca08a2120eca9e8d22d5

SHA1
5d2333d9078964e3bbb7313ada47dfdb318f7dc2

SHA256
46755df4718e9942f32093c82ec44dfb2014becc193529cb9e3a93d7edd63daa

SHA512
877ace9236a512c8d01d7d091037517dd20899d9afca900e9d35766294cfa72faf21d50994302a73b672b43a145088d80d6a4026d70e9df9252a8148e38ea361

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
485KB

MD5
6042a3a9ae3157dd80ac927392805c99

SHA1
cbe6487694901d340f42fcf658c33191bd5fb527

SHA256
2382abd448ceaf582c00c485fddf546dfb7425fa1458c057714b64575f473e91

SHA512
0d29070736a724c9f9a36285c9cbbfd7c826fdb7430d18a22aed395e306be5d7f583b17b9ed4eb950c5a9826c7715da7d887e4ae75d487030d168abac7b08f56

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
1.9MB

MD5
522919d48730610eede347e49dc9e965

SHA1
6300cfee4c086796ec171f14460025217c4e54fc

SHA256
4067f83dbef6d574212b9dbadcbc8cf1524c6d3f623cf4e0c383efd33d544dee

SHA512
bc7b3940a7eb810a62fee3969b506c824d9e9ae3806d9b98c1d95947d378c89c3bd538fc37f9505da7d2e9ebf4bda8e93da58bea9bc52a87fd9a845531b74339

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Filesize
8KB

MD5
681292d2adc851417b3177208d392e7a

SHA1
279327483147cb7e0a5c60c3f9366e7192a219bf

SHA256
d7a55db2f366c7f072b638407a4482af886dfefb7e0fdd5a017b072aae63ce5f

SHA512
a15151efe535c9a8fe06a4b41e54ae94ad05b0a4de851484d3d53dccd149ab66555a1e9359adc599306f18701af0739f402a10a3f14a0865e26b6c839e06a3f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp

Filesize
1.7MB

MD5
28fd3ab9f450eaf99dd2378d252148d1

SHA1
458b23d7684a0bd99dabb8a1a9e7c9f486fc7dd3

SHA256
1df176d9ce08e0c169ee5a5dd636ca9abecf6a8b2754883d6dc0436d78572cbc

SHA512
58b4e9041ca4143a0d134b9cc80002e2d1abb5429d7f0efe09731707b7f7669094bdfb0dbea6766a01cc856f5e18e38cce72068e6914f93cca411906ae97000c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
8310dd58820b7fcdfb4dcdf3a48cc9fa

SHA1
6b58d67d00ef1754a342e9f0898d82411af23747

SHA256
00819c0502c8fcd0cc928fdfbef949d469aaddc7243af2b8e8a3a0e32b75ecc3

SHA512
2b37c1d24bd6ad0b99ff166848fb104988fc1fb4ef1708ff749920bd587179c907f816678297a025312ece86aed906724ee15a0a37d4462d40deecfa175983f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdescs.new

Filesize
9.4MB

MD5
f6eec9fd0a4ac080c66ef08b01f56142

SHA1
af5299d59216d82c0b586bd0f56105454c1b5d78

SHA256
93cfa06fdfac702177bc6e2f32099b5f00bcb5c89cf123aec94541b72949cc01

SHA512
1810aa5fad9d28c00a867f71e00dcfdabdc4ebc36818c74444267ea111e481a1dd76d171b1ae71b974686e416ee736959ed8854698c598265b927dca1fdc9587

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\TorConfig

Filesize
201B

MD5
b9d2fe9cfa840518fa39039c928d4938

SHA1
0561516b7cfa784cf400349983817c8b18817256

SHA256
69d57bfb46ef8097c1cfca65885790421d0e0965b7778f165cd7df9368807776

SHA512
894510d39a044a37325d73b8348860960b3a78c54e7cdf81357f4b50e8dcf5d47ab98c768e6439949ba835802b2a5e98314441127d9655b027caf246e09e013d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libcrypto-1_1-x64.dll

Filesize
1.8MB

MD5
88ee0be09c897dd757951df12587bb6d

SHA1
ea874d1980e650a31f5f5bf6df1e113a3f0910d8

SHA256
1c4304ddb211939ee26346c4661e66d6def1d462a236d8567d5cdc40deb88dd8

SHA512
5882bafa519d51fc97ad39a23ece991d9b43cd2641f76689214b82c9a7c78ee7b7c9266ff9c2c682d2f9a9c45bf67e4890cb69f29ecf74053ba4e6c246006948

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libcrypto-1_1-x64.dll

Filesize
835KB

MD5
546c8f70587a29f629f61fca562a287a

SHA1
deaf87570b9385e3a0ba1425402ab600e3a43340

SHA256
25a67b380437d35de49d75b4af662c81ccd36d156b67582a7f0dfdffcafb804f

SHA512
78ca1735d1d6621e42283f1936c3fb87901cce2e181919aa6c347090e864879d61f9141437fd5d5c6291e3f23c387595899376d04c3c82979408ddec0be8080c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent-2-1-7.dll

Filesize
918KB

MD5
06929dc54a328b91464a0f42d1910a2c

SHA1
b7c1b4cfb426d2fa3e3da08e4b9234bb0d36f4b6

SHA256
c39ec5defd499fcebaec2707f0c0dd70de229af9ac60138d99c7cbb1c0a9763a

SHA512
023d98d14ec5d3e222adc6527300877c1b2ea02d8b69d1d4ddc67add7b6270eadde2ab9b6885c81f2f7a5a14254e87bed9cea0693b3358afb3e121b7e1f5df3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent-2-1-7.dll

Filesize
974KB

MD5
be51ba4bea2d731dacf974c43941e457

SHA1
51fc479fd8ee9a2b72e6aa020ce5bb1c7a28f621

SHA256
98d06628e3d9c8097d239722e83ad78eb0b41b1e2f54d50a500da6d9292ff747

SHA512
6184accd206aa466278c2f4b514fd5c85820d47cf3a148904e93927621ac386890e657f09547b694c32ef23c355ae738b7c7d039fcd6c791529198c7b0b6bd1e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssl-1_1-x64.dll

Filesize
965KB

MD5
7847c7b13b3414e8e7652880b4609205

SHA1
930670acc16157f56aaf69423e5d7705441764ba

SHA256
38200438cf0c9c20d17e5b9030d2ad2e4a1b6b9dc41c287bc603dd50d22e67bb

SHA512
c3c81dc3eb546c40b3606338deadbd63331659645dd24b5fd0d4fb3170b053fef528ee3fe005c9446176a5c049e9412ea8193ad2f8b9a7301ff67b088f1bbb6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssl-1_1-x64.dll

Filesize
927KB

MD5
b9825c41f79b7d196ceb700f2d17d8ad

SHA1
680615e8a703ae5232d773c66dca83da731325cb

SHA256
c449aef8ff6bde0644ba643121661c3257716aa81980869d0d110da017e2b32d

SHA512
068c9e3b01e0b2947fa18ab9d90216e1a8faf3f591d22790088bdc62a6d1065b6a603ae571d3ff2ea272aa7f0a40ff41abb45b4db244146eac6de7d62e0e8862

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssp-0.dll

Filesize
313KB

MD5
97d89dec5f6a236b6832a5f3f43ab625

SHA1
18f2696a3bf4d19cac3b677d58ff5e51bf54b9e8

SHA256
c6dca12e0e896df5f9b2db7a502a50d80d4fb014d7ec2f2ceb897b1a81f46ead

SHA512
7e82d1e37dc822a67e08bd1d624d5492f5813a33ec64f13d22caef9db35ebb9bb9913582289ebdecad00e6b6148d750ae0b4437364ef056d732734255498be54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libwinpthread-1.dll

Filesize
608KB

MD5
624304f2ba253b33c265ff2738a10eb9

SHA1
5a337e49dd07f0b6f7fc6341755dc9a298e8b220

SHA256
27b857131977106c4a71ce626225d52a3d6e2932cb6243cb83e47b8d592d0d4f

SHA512
163820961a64b3fda33969cbb320aa743edc7a6bacebe033054c942e7a1d063f096290a59fad1569c607666429e2f3133fcfe31ef37649f9da71b453ef775e5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Filesize
918KB

MD5
159aab580cf50bb6b99f6ab62e89a95a

SHA1
fb47c18007b5bb805c22a393478d1ff3e9cf0726

SHA256
0463496f64702aca7bab52d550d493e0eee29858a71cf78fff6eca0acabd25f3

SHA512
943733973451a56b8e25b7370c296d1161e0c23f45ca0c19d8966a5c460ad445e3f0c425407b8d5c8d69605a4a816fce49ad551595e7ff2924d5c2b8d4385315

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Filesize
1.2MB

MD5
f7c8489132da84ae36da3810921507f9

SHA1
5091b80304387126b9bd75ee9ab09a629c93e220

SHA256
d0969ce1ac40f8660dbfe93975176e040ba05f6ba7bbd72bf3501aa70353b3d7

SHA512
85a7e293fc21c96ae9b2d634baf7e462a1e62b0940ed79319702ad25c13653e8fde356832ab680702ce42396b1c9f669a21c0e9572d9f27810bc5bb0a286014b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\zlib1.dll

Filesize
107KB

MD5
d490b6c224e332a706dd3cd210f32aa8

SHA1
1f0769e1fffddac3d14eb79f16508cb6cc272347

SHA256
da9185e45fdcbee17fcd9292979b20f32aa4c82bc2cb356b4c7278029e247557

SHA512
43ce8d4ee07d437aaca3f345af129ff5401f1f08b1292d1e320096ba41e2529f41ce9105e3901cb4ecb1e8fde12c9298819961b0e6896c69b62f5983df9b0da3

Download Submit
C:\Windows\System32\SetupTCPIP6Driver.exe

Filesize
8KB

MD5
488bfa6d9fd5c874585daa3f960e6804

SHA1
aa8ca3927c318716e14210fc0a3ed70ea483eb23

SHA256
a84bfef2ce112366349e3ce8c70e120ec63731535696b405a458e5ccfcdf7f48

SHA512
952db3ec6548421b8c013c1482545e005c7526f0c4f432b12bde8460a13c88d0f1022cfe3008af88bb043d9fdede9e341bcc406d7d2fc8370249da75642a07a1

Download Submit
C:\Windows\System32\SetupTcpipDriver.exe

Filesize
28KB

MD5
2fbe46325e890bee1e21aba30c9345be

SHA1
2c860d226f6b8f59caa058e39d06d6ae24007227

SHA256
cfbd108945d203a6a5ced2dc4eee0084ba66972c1361c05b6b7065276f15eb4b

SHA512
133e2c1a9bad1b7a9c7e519c6132a4494af5a0233c47ee3eecae263f72bce8345356f032bbbcdefc934776020b210327f18a52b72138006808975f8bad2ebc34

Download Submit
\??\pipe\LOCAL\crashpad_2400_RTJNXWUPTNANAETT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/64-138-0x000000001E100000-0x000000001E110000-memory.dmp

Filesize
64KB

Download
memory/64-2-0x000000001E100000-0x000000001E110000-memory.dmp

Filesize
64KB

Download
memory/64-133-0x00007FFF76170000-0x00007FFF76C31000-memory.dmp

Filesize
10.8MB

Download
memory/64-196-0x00007FFF76170000-0x00007FFF76C31000-memory.dmp

Filesize
10.8MB

Download
memory/64-0-0x00007FFF76170000-0x00007FFF76C31000-memory.dmp

Filesize
10.8MB

Download
memory/64-1-0x00000000003C0000-0x000000000136E000-memory.dmp

Filesize
15.7MB

Download
memory/396-195-0x00007FFF76170000-0x00007FFF76C31000-memory.dmp

Filesize
10.8MB

Download
memory/396-217-0x00007FFF76170000-0x00007FFF76C31000-memory.dmp

Filesize
10.8MB

Download
memory/396-194-0x0000000000BF0000-0x0000000000BFC000-memory.dmp

Filesize
48KB

Download
memory/1064-153-0x00007FFF76170000-0x00007FFF76C31000-memory.dmp

Filesize
10.8MB

Download
memory/1064-139-0x00007FFF76170000-0x00007FFF76C31000-memory.dmp

Filesize
10.8MB

Download
memory/1064-140-0x000001EEE4630000-0x000001EEE4640000-memory.dmp

Filesize
64KB

Download
memory/1064-141-0x000001EEE4630000-0x000001EEE4640000-memory.dmp

Filesize
64KB

Download
memory/2088-180-0x00007FFF76170000-0x00007FFF76C31000-memory.dmp

Filesize
10.8MB

Download
memory/2088-165-0x00007FFF76170000-0x00007FFF76C31000-memory.dmp

Filesize
10.8MB

Download
memory/2088-166-0x000001CF8A6F0000-0x000001CF8A700000-memory.dmp

Filesize
64KB

Download
memory/2088-167-0x000001CF8A6F0000-0x000001CF8A700000-memory.dmp

Filesize
64KB

Download
memory/2468-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2768-72-0x0000023D10400000-0x0000023D10410000-memory.dmp

Filesize
64KB

Download
memory/2768-107-0x00007FFF76170000-0x00007FFF76C31000-memory.dmp

Filesize
10.8MB

Download
memory/2768-71-0x00007FFF76170000-0x00007FFF76C31000-memory.dmp

Filesize
10.8MB

Download
memory/3068-293-0x00007FFF76170000-0x00007FFF76C31000-memory.dmp

Filesize
10.8MB

Download
memory/3068-255-0x00007FFF76170000-0x00007FFF76C31000-memory.dmp

Filesize
10.8MB

Download
memory/3068-137-0x00007FFF76170000-0x00007FFF76C31000-memory.dmp

Filesize
10.8MB

Download
memory/3068-127-0x0000000000F80000-0x0000000000F9C000-memory.dmp

Filesize
112KB

Download
memory/3216-226-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/3216-228-0x0000000005E20000-0x0000000005E21000-memory.dmp

Filesize
4KB

Download
memory/3248-135-0x000002381E7C0000-0x000002381E7D0000-memory.dmp

Filesize
64KB

Download
memory/3248-102-0x000002381E530000-0x000002381F530000-memory.dmp

Filesize
16.0MB

Download
memory/3248-129-0x000002381E530000-0x000002381F530000-memory.dmp

Filesize
16.0MB

Download
memory/3248-134-0x000002381E820000-0x000002381E830000-memory.dmp

Filesize
64KB

Download
memory/3248-124-0x000002381E530000-0x000002381F530000-memory.dmp

Filesize
16.0MB

Download
memory/3248-110-0x000002381E530000-0x000002381F530000-memory.dmp

Filesize
16.0MB

Download
memory/3248-47-0x000002381E530000-0x000002381F530000-memory.dmp

Filesize
16.0MB

Download
memory/3248-68-0x000002381CC70000-0x000002381CC71000-memory.dmp

Filesize
4KB

Download
memory/3248-281-0x000002381E530000-0x000002381F530000-memory.dmp

Filesize
16.0MB

Download
memory/3248-132-0x000002381E810000-0x000002381E820000-memory.dmp

Filesize
64KB

Download
memory/3248-136-0x000002381E530000-0x000002381F530000-memory.dmp

Filesize
16.0MB

Download
memory/3248-95-0x000002381E530000-0x000002381F530000-memory.dmp

Filesize
16.0MB

Download
memory/3248-100-0x000002381CC70000-0x000002381CC71000-memory.dmp

Filesize
4KB

Download
memory/3264-353-0x00007FFF76170000-0x00007FFF76C31000-memory.dmp

Filesize
10.8MB

Download
memory/3264-210-0x00007FFF76170000-0x00007FFF76C31000-memory.dmp

Filesize
10.8MB

Download
memory/4568-14-0x00000185E79D0000-0x00000185E79E0000-memory.dmp

Filesize
64KB

Download
memory/4568-15-0x00000185E79D0000-0x00000185E79E0000-memory.dmp

Filesize
64KB

Download
memory/4568-13-0x00007FFF76170000-0x00007FFF76C31000-memory.dmp

Filesize
10.8MB

Download
memory/4568-8-0x00000185E94E0000-0x00000185E9502000-memory.dmp

Filesize
136KB

Download
memory/4568-18-0x00007FFF76170000-0x00007FFF76C31000-memory.dmp

Filesize
10.8MB

Download
memory/5052-30-0x000001EC6C710000-0x000001EC6C720000-memory.dmp

Filesize
64KB

Download
memory/5052-29-0x00007FFF76170000-0x00007FFF76C31000-memory.dmp

Filesize
10.8MB

Download
memory/5052-46-0x00007FFF76170000-0x00007FFF76C31000-memory.dmp

Filesize
10.8MB

Download
memory/5052-31-0x000001EC6C710000-0x000001EC6C720000-memory.dmp

Filesize
64KB

Download
memory/6904-393-0x000001EBAED50000-0x000001EBAEE73000-memory.dmp

Filesize
1.1MB

Download
memory/6904-416-0x000001EBAED50000-0x000001EBAEE73000-memory.dmp

Filesize
1.1MB

Download
memory/6904-395-0x000001EBAED50000-0x000001EBAEE73000-memory.dmp

Filesize
1.1MB

Download
memory/6904-390-0x000001EBAED50000-0x000001EBAEE73000-memory.dmp

Filesize
1.1MB

Download
memory/7092-474-0x0000000071750000-0x00000000717A4000-memory.dmp

Filesize
336KB

Download
memory/7092-476-0x00000000715C0000-0x0000000071658000-memory.dmp

Filesize
608KB

Download
memory/7092-477-0x00000000712D0000-0x00000000715BD000-memory.dmp

Filesize
2.9MB

Download
memory/7092-478-0x00000000711F0000-0x00000000712C3000-memory.dmp

Filesize
844KB

Download
memory/7092-479-0x00000000711C0000-0x00000000711E3000-memory.dmp

Filesize
140KB

Download
memory/7092-475-0x0000000071660000-0x0000000071743000-memory.dmp

Filesize
908KB

Download
memory/7092-473-0x00000000002D0000-0x0000000000731000-memory.dmp

Filesize
4.4MB

Download
memory/7092-917-0x00000000002D0000-0x0000000000731000-memory.dmp

Filesize
4.4MB

Download