phemedrone | de08c69d06b2f176058aa6001b9f9195ef9599f1f79b783e21762046258583d3

Resubmissions

04/03/2024, 05:33

240304-f84jnsca52 10

04/03/2024, 04:18

240304-exd9zahe9z 10

Analysis

max time kernel
458s
max time network
558s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/03/2024, 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcrat/DCRat.exe
Size

15.7MB
MD5

f0c212a5f3cb30f35c1022ca2e172310
SHA1

89314ac31d667f81f603b3dab508dda12febb126
SHA256

6a465d867459eb8b26608afa566973ad424afb0b12d3e266706e8c42da3c6908
SHA512

15b562bae7c8977366f46ea71c1bf72d99da77904561e99a10bbc6ad88b3b8bd1e811712ca69410b98f9e492ffe4205bc4782a22304a6f0d73cd2d90a334c90f
SSDEEP

393216:q/HI7rq9dB4FTqNEkS2DZVBcZn0uDLpBjp2NkM5:qwCrBJlSCcZ0iNGz5

Score

10^/10

phemedrone spyware stealer

Malware Config

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.exe	SetupTcpipDriver.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.exe	SetupTcpipDriver.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.exe	regedit.exe

Executes dropped EXE 33 IoCs

pid	Process
2528	DCRatLauncher.exe
2980	SetupUDPDriver.exe
2764	Hyfatok.exe
436	SetupTCPIP6Driver.exe
2328	SetupTcpipDriver.exe
1624	CL_Debug_Log.txt
764	regedit.exe
2112	Helper.exe
1648	Helper.exe
2000	Helper.exe
2432	Helper.exe
2124	tor.exe
2012	Helper.exe
2796	Helper.exe
2804	Helper.exe
1424	Helper.exe
2576	Helper.exe
2664	Helper.exe
1820	Helper.exe
2484	Process not Found
992	Process not Found
2672	Process not Found
2140	Process not Found
2944	Process not Found
1716	Process not Found
2288	Process not Found
2976	Process not Found
1536	Process not Found
1248	Process not Found
908	Process not Found
2880	Process not Found
2936	Process not Found
1144	Process not Found

Loads dropped DLL 13 IoCs

pid	Process
2980	SetupUDPDriver.exe
1332	taskeng.exe
1332	taskeng.exe
2744	Process not Found
2000	Helper.exe
2000	Helper.exe
2124	tor.exe
2124	tor.exe
2124	tor.exe
2124	tor.exe
2124	tor.exe
2124	tor.exe
2672	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

AutoIT Executable 15 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral3/files/0x000c00000001225e-43.dat	autoit_exe
behavioral3/files/0x000c00000001225e-42.dat	autoit_exe
behavioral3/files/0x000c00000001225e-44.dat	autoit_exe
behavioral3/files/0x000400000001d98a-177.dat	autoit_exe
behavioral3/files/0x000400000001d988-194.dat	autoit_exe
behavioral3/files/0x000400000001d994-1229.dat	autoit_exe
behavioral3/files/0x000400000001d994-1231.dat	autoit_exe
behavioral3/files/0x000400000001d994-1232.dat	autoit_exe
behavioral3/files/0x000400000001d994-1234.dat	autoit_exe
behavioral3/files/0x000400000001d994-1233.dat	autoit_exe
behavioral3/files/0x000400000001d994-1236.dat	autoit_exe
behavioral3/files/0x000400000001d994-1242.dat	autoit_exe
behavioral3/files/0x000400000001d994-1243.dat	autoit_exe
behavioral3/files/0x000400000001d994-1764.dat	autoit_exe
behavioral3/files/0x000400000001d994-1889.dat	autoit_exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SetupTCPIP6Driver.exe	DCRat.exe
File created	C:\Windows\System32\SetupTcpipDriver.exe	DCRat.exe
File opened for modification	C:\Windows\System32\SetupTcpipDriver.exe	DCRat.exe
File opened for modification	C:\Windows\System32\SetupTcpipDriver.exe	SetupTcpipDriver.exe
File created	C:\Windows\System32\SetupTCPIP6Driver.exe	DCRat.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2000 set thread context of 2432	2000	Helper.exe	195
PID 2000 set thread context of 2880	2000	Helper.exe	2399
PID 2000 set thread context of 1792	2000	Helper.exe	2414

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2144	schtasks.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
2796	timeout.exe
2624	timeout.exe
680	Process not Found
2896	Process not Found
2076	Process not Found
2104	timeout.exe
2420	timeout.exe
2780	timeout.exe
2152	timeout.exe
2184	Process not Found
2400	Process not Found
320	Process not Found
2328	Process not Found
2072	timeout.exe
2036	timeout.exe
2624	timeout.exe
2796	timeout.exe
2296	Process not Found
1640	Process not Found
1680	timeout.exe
2452	timeout.exe
936	timeout.exe
1040	timeout.exe
2720	Process not Found
2936	Process not Found
1116	timeout.exe
2492	timeout.exe
2280	timeout.exe
1144	Process not Found
2804	Process not Found
1900	Process not Found
2748	timeout.exe
2104	timeout.exe
2520	Process not Found
1052	Process not Found
908	Process not Found
2184	timeout.exe
2312	Process not Found
2668	timeout.exe
1092	timeout.exe
2528	timeout.exe
1828	timeout.exe
2724	Process not Found
1624	timeout.exe
2892	Process not Found
1048	Process not Found
436	Process not Found
544	timeout.exe
1088	Process not Found
1200	Process not Found
1092	Process not Found
1416	Process not Found
2112	Process not Found
2952	Process not Found
1820	Process not Found
2408	Process not Found
2940	Process not Found
2388	timeout.exe
1680	timeout.exe
1956	timeout.exe
1892	timeout.exe
948	timeout.exe
1096	Process not Found
2024	timeout.exe

Modifies Internet Explorer settings 1 TTPs 63 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{00A0A741-D9E9-11EE-B7CB-E61A8C993A67} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "122"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "229"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "224"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "229"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "22"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000c12c25e2ddfb54dbf19c8710c23067700000000020000000000106600000001000020000000dad939396e5c6966bf1ce6a9640b6e49c903e36f5e0ef052d8a68175d4454d86000000000e800000000200002000000042c735dc3769128998a56eff3b41bd581db56e34c0dc2bbccc086f33b66ad34d20000000ad21780decf42adb9523e561cd8ae34b496a3a613387f9b4d95ed42f6fd57fd6400000000bede64c9dbf7642d989fa54ffe6531512f9970b382fd75cd5ec69da5498857eac2def6333f4f3cc9aa97a1efb4dbabd99b95e97f3b41502a5aa14c43456675b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000c12c25e2ddfb54dbf19c8710c23067700000000020000000000106600000001000020000000d206570867cc8ee7387a35ff7cdd90aa6c58fa534901b9aad98dafa7c61da3f1000000000e8000000002000020000000ea01464b019e4c36b499d7f9b3971059b6eeea87aa6f9917f5d6cb9569b6a00140010000c84c674a4695c7fd268b019554dda1bc90875a18f948bf545015a85296d9364bbd0c8aecd66915d7ef16236b07c09302d41142a404f92674fd740b3f626e85ff5a7605c55233cea4f15671cd3f20e5deb7872ef22ab000a0e6b25a0c047aeca9c9db0b4976ecb4fc35051c1fddbafe98e95b5dedfc211042c12101d52d94fa2a04d6ae6031035de233057ae01f9a860aee8e2a1326f3f6ae6726a9da9fd561d05ebb2c3276fa5e56cced1352f08a59862d7afd1243d9dbbff2bee89055f9db4215126db12f1be4e8ab650fe5731342c7f42aeb5af29c4abdc02a5f1889c2ba93bd47eedf47cfdd600f9c9d1b4054e8e631c4b73045c69d1fc7e02473feeaf8fc748f81a1ee8fc0074dbac32119fdc3fb87f2bd4f8cdb06813721fb35499048f73a6febf9a0ffa3374244c244bbee74d4cf37f4480264abc39aeb167f73fcc30140000000ebaef11057eeaf8a877499d2042214dac7b2ddf508c8aca1050279bdeb39355e01e33e85e7e19d3b1e7e6dc25ba99bfcc40a17400bb285404bfd867f03e05e88	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "276"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "415692394"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "224"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "276"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80a4d2cdf56dda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "42"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "229"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "224"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "276"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "22"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com	IEXPLORE.EXE

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\dcrat\winmgmts:\HSNHLVYA\root\CIMV2	SetupUDPDriver.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winmgmts:\root\cimv2	Helper.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winmgmts:\HSNHLVYA\root\CIMV2	Helper.exe

Runs regedit.exe 1 IoCs

pid	Process
764	regedit.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	102	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2220	DCRat.exe
2220	DCRat.exe
2220	DCRat.exe
3040	powershell.exe
2436	powershell.exe
1760	powershell.exe
860	powershell.exe
2764	Hyfatok.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	DCRat.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	2764	Hyfatok.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeRestorePrivilege	1624	CL_Debug_Log.txt
Token: 35	1624	CL_Debug_Log.txt
Token: SeSecurityPrivilege	1624	CL_Debug_Log.txt
Token: SeSecurityPrivilege	1624	CL_Debug_Log.txt
Token: SeRestorePrivilege	2432	Helper.exe
Token: 35	2432	Helper.exe
Token: SeSecurityPrivilege	2432	Helper.exe
Token: SeSecurityPrivilege	2432	Helper.exe
Token: SeRestorePrivilege	2880	Process not Found
Token: 35	2880	Process not Found
Token: SeSecurityPrivilege	2880	Process not Found
Token: SeSecurityPrivilege	2880	Process not Found
Token: SeLockMemoryPrivilege	1792	Process not Found
Token: SeLockMemoryPrivilege	1792	Process not Found

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
1576	iexplore.exe
2112	Helper.exe
2112	Helper.exe
2112	Helper.exe
1648	Helper.exe
1648	Helper.exe
1648	Helper.exe
2000	Helper.exe
2000	Helper.exe
2000	Helper.exe
2012	Helper.exe
2012	Helper.exe
2012	Helper.exe
2796	Helper.exe
2796	Helper.exe
2796	Helper.exe
2804	Helper.exe
2804	Helper.exe
2804	Helper.exe
1424	Helper.exe
1424	Helper.exe
1424	Helper.exe
2576	Helper.exe
2576	Helper.exe
2576	Helper.exe
2664	Helper.exe
2664	Helper.exe
2664	Helper.exe
1820	Helper.exe
1820	Helper.exe
1820	Helper.exe
2484	Process not Found
2484	Process not Found
2484	Process not Found
992	Process not Found
992	Process not Found
992	Process not Found
2672	Process not Found
2672	Process not Found
2672	Process not Found
2140	Process not Found
2140	Process not Found
2140	Process not Found
2944	Process not Found
2944	Process not Found
2944	Process not Found
1716	Process not Found
1716	Process not Found
1716	Process not Found
2288	Process not Found
2288	Process not Found
2288	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
1536	Process not Found
1536	Process not Found
1536	Process not Found
908	Process not Found
908	Process not Found
908	Process not Found

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2980	SetupUDPDriver.exe
2112	Helper.exe
2112	Helper.exe
2112	Helper.exe
1648	Helper.exe
1648	Helper.exe
1648	Helper.exe
2000	Helper.exe
2000	Helper.exe
2000	Helper.exe
2012	Helper.exe
2012	Helper.exe
2012	Helper.exe
2796	Helper.exe
2796	Helper.exe
2796	Helper.exe
2804	Helper.exe
2804	Helper.exe
2804	Helper.exe
1424	Helper.exe
1424	Helper.exe
1424	Helper.exe
2576	Helper.exe
2576	Helper.exe
2576	Helper.exe
2664	Helper.exe
2664	Helper.exe
2664	Helper.exe
1820	Helper.exe
1820	Helper.exe
1820	Helper.exe
2484	Process not Found
2484	Process not Found
2484	Process not Found
992	Process not Found
992	Process not Found
992	Process not Found
2672	Process not Found
2672	Process not Found
2672	Process not Found
2140	Process not Found
2140	Process not Found
2140	Process not Found
2944	Process not Found
2944	Process not Found
2944	Process not Found
1716	Process not Found
1716	Process not Found
1716	Process not Found
2288	Process not Found
2288	Process not Found
2288	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
1536	Process not Found
1536	Process not Found
1536	Process not Found
908	Process not Found
908	Process not Found
908	Process not Found
1248	Process not Found

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1576	iexplore.exe
1576	iexplore.exe
1344	IEXPLORE.EXE
1344	IEXPLORE.EXE
584	IEXPLORE.EXE
584	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 3040	2220	DCRat.exe	29
PID 2220 wrote to memory of 3040	2220	DCRat.exe	29
PID 2220 wrote to memory of 3040	2220	DCRat.exe	29
PID 2220 wrote to memory of 2528	2220	DCRat.exe	31
PID 2220 wrote to memory of 2528	2220	DCRat.exe	31
PID 2220 wrote to memory of 2528	2220	DCRat.exe	31
PID 2220 wrote to memory of 2528	2220	DCRat.exe	31
PID 2220 wrote to memory of 2528	2220	DCRat.exe	31
PID 2220 wrote to memory of 2528	2220	DCRat.exe	31
PID 2220 wrote to memory of 2528	2220	DCRat.exe	31
PID 2220 wrote to memory of 2436	2220	DCRat.exe	32
PID 2220 wrote to memory of 2436	2220	DCRat.exe	32
PID 2220 wrote to memory of 2436	2220	DCRat.exe	32
PID 2220 wrote to memory of 2980	2220	DCRat.exe	34
PID 2220 wrote to memory of 2980	2220	DCRat.exe	34
PID 2220 wrote to memory of 2980	2220	DCRat.exe	34
PID 2220 wrote to memory of 2980	2220	DCRat.exe	34
PID 2220 wrote to memory of 2980	2220	DCRat.exe	34
PID 2220 wrote to memory of 2980	2220	DCRat.exe	34
PID 2220 wrote to memory of 2980	2220	DCRat.exe	34
PID 2220 wrote to memory of 1760	2220	DCRat.exe	35
PID 2220 wrote to memory of 1760	2220	DCRat.exe	35
PID 2220 wrote to memory of 1760	2220	DCRat.exe	35
PID 2528 wrote to memory of 1576	2528	DCRatLauncher.exe	37
PID 2528 wrote to memory of 1576	2528	DCRatLauncher.exe	37
PID 2528 wrote to memory of 1576	2528	DCRatLauncher.exe	37
PID 2528 wrote to memory of 1576	2528	DCRatLauncher.exe	37
PID 2220 wrote to memory of 2764	2220	DCRat.exe	39
PID 2220 wrote to memory of 2764	2220	DCRat.exe	39
PID 2220 wrote to memory of 2764	2220	DCRat.exe	39
PID 2220 wrote to memory of 860	2220	DCRat.exe	40
PID 2220 wrote to memory of 860	2220	DCRat.exe	40
PID 2220 wrote to memory of 860	2220	DCRat.exe	40
PID 1576 wrote to memory of 1344	1576	iexplore.exe	42
PID 1576 wrote to memory of 1344	1576	iexplore.exe	42
PID 1576 wrote to memory of 1344	1576	iexplore.exe	42
PID 1576 wrote to memory of 1344	1576	iexplore.exe	42
PID 1576 wrote to memory of 1344	1576	iexplore.exe	42
PID 1576 wrote to memory of 1344	1576	iexplore.exe	42
PID 1576 wrote to memory of 1344	1576	iexplore.exe	42
PID 2220 wrote to memory of 436	2220	DCRat.exe	43
PID 2220 wrote to memory of 436	2220	DCRat.exe	43
PID 2220 wrote to memory of 436	2220	DCRat.exe	43
PID 2220 wrote to memory of 436	2220	DCRat.exe	43
PID 2220 wrote to memory of 436	2220	DCRat.exe	43
PID 2220 wrote to memory of 436	2220	DCRat.exe	43
PID 2220 wrote to memory of 436	2220	DCRat.exe	43
PID 2220 wrote to memory of 2132	2220	DCRat.exe	44
PID 2220 wrote to memory of 2132	2220	DCRat.exe	44
PID 2220 wrote to memory of 2132	2220	DCRat.exe	44
PID 2220 wrote to memory of 2328	2220	DCRat.exe	89
PID 2220 wrote to memory of 2328	2220	DCRat.exe	89
PID 2220 wrote to memory of 2328	2220	DCRat.exe	89
PID 2980 wrote to memory of 1624	2980	SetupUDPDriver.exe	48
PID 2980 wrote to memory of 1624	2980	SetupUDPDriver.exe	48
PID 2980 wrote to memory of 1624	2980	SetupUDPDriver.exe	48
PID 2980 wrote to memory of 1624	2980	SetupUDPDriver.exe	48
PID 2328 wrote to memory of 764	2328	SetupTcpipDriver.exe	50
PID 2328 wrote to memory of 764	2328	SetupTcpipDriver.exe	50
PID 2328 wrote to memory of 764	2328	SetupTcpipDriver.exe	50
PID 2980 wrote to memory of 2612	2980	SetupUDPDriver.exe	52
PID 2980 wrote to memory of 2612	2980	SetupUDPDriver.exe	52
PID 2980 wrote to memory of 2612	2980	SetupUDPDriver.exe	52
PID 2980 wrote to memory of 2612	2980	SetupUDPDriver.exe	52

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1792	Process not Found

C:\Users\Admin\AppData\Local\Temp\dcrat\DCRat.exe
"C:\Users\Admin\AppData\Local\Temp\dcrat\DCRat.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dcrat\DCRatLauncher.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Users\Admin\AppData\Local\Temp\dcrat\DCRatLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\dcrat\DCRatLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://java.com/download
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1576 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1344
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1576 CREDAT:2044931 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe
  "C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
    C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
    3⤵
    PID:2612
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
      4⤵
      Creates scheduled task(s)
      PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c For /L %i In (0,0,0) Do (del "C:\Users\Admin\AppData\Local\Temp\SETUPU~1.EXE"&&timeout /t 0&&if not exist "C:\Users\Admin\AppData\Local\Temp\SETUPU~1.EXE" exit)
    3⤵
    PID:1664
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2744
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1700
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1464
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2316
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2140
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2944
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3020
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1888
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1740
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2052
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2280
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2060
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2164
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2928
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1420
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1760
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2768
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2780
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:692
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3060
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2148
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1424
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2060
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2088
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2192
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1164
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1740
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2328
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2576
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2604
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1960
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1820
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1416
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:920
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1720
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2148
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2356
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2504
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1720
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2260
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2340
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2072
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2908
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2464
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2108
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:772
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:432
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1416
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2244
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:992
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1420
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:668
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1296
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2156
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2772
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:112
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2176
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1680
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2420
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1428
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:868
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1392
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2292
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2396
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:544
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:920
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:320
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:864
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2252
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2980
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1248
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1548
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2936
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1724
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2452
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2896
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1792
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2124
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2944
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2020
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2884
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:692
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2384
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1208
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1096
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1728
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1088
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1052
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1736
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1492
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2296
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2280
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2028
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2388
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2804
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2264
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1588
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2100
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2624
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1756
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2508
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2072
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2536
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2636
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2220
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1808
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2644
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2564
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2092
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2552
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1624
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1652
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2164
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2688
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2104
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3040
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2788
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2412
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2932
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2908
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2584
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2464
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1048
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1512
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2324
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:556
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1392
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:544
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:920
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1464
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:512
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2316
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1156
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:604
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1548
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2936
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1724
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2452
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2896
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1792
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1096
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1736
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1076
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2280
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1796
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3020
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2040
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2264
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1588
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:988
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:876
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2152
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1656
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1888
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1264
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:840
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3044
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2616
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1616
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2068
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2060
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2072
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2088
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2648
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1668
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2668
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1992
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2092
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2552
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1624
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:836
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2192
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3052
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2788
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2412
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2932
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2248
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1900
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2900
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2492
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1820
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2464
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2556
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1908
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2424
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1512
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1904
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:772
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2528
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2184
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1296
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2772
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:112
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1256
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2176
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1680
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2420
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1428
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1696
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1952
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2744
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2604
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:668
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2720
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2396
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:544
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:568
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2292
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1464
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:512
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2740
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2980
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1248
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1548
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2936
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1724
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2452
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2128
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1920
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2884
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:692
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2140
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2368
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1088
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2012
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:960
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1208
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:904
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2384
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2020
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1076
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2280
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2388
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2804
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2336
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1116
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1084
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1424
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:876
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2152
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2940
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1648
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1656
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1320
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2100
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1264
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2412
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1928
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:568
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2388
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1540
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2908
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:112
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2796
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1736
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2852
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2616
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2072
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2164
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3052
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2104
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1652
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2664
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2788
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1264
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2668
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2932
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2248
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2584
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1960
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2356
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2636
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1820
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2464
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2928
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1040
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1936
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1512
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1904
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1908
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2776
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2908
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1640
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2156
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2772
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2352
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1532
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1296
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1700
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1420
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1764
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1252
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2972
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2612
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2716
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2744
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2432
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2784
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1956
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:556
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:864
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1464
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2720
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2724
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:512
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1248
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2936
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1548
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2880
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2748
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2452
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1920
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:328
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1816
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2796
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:960
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1092
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2364
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2384
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2020
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2804
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1208
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1116
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2336
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1084
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:988
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:876
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2200
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2940
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1200
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1704
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2036
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1824
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2148
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1324
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3020
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2388
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2624
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2984
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2508
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2616
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2660
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2564
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2088
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1756
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1668
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1392
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:436
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2220
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2964
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:836
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3040
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2552
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2688
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1652
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2664
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2788
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2192
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:872
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:936
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1900
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2900
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1944
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2356
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2636
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1820
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2108
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2424
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2692
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2528
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2240
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1512
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1904
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1908
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2352
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:940
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:932
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:804
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2420
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1700
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1420
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1764
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1252
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2972
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2612
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2244
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2732
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2604
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1488
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2672
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1956
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:556
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:320
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2676
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1464
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2700
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2720
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2724
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:512
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1248
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2936
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1548
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:544
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1724
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2144
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2884
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2128
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:304
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2368
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3060
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2944
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1092
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2296
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1096
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1116
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:876
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2200
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2940
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1656
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1320
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2152
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2852
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2628
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1824
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1996
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1028
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:840
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3044
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1104
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3020
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1616
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2624
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2068
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2912
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2060
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2644
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2564
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1392
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:436
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2220
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2964
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:836
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3040
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2552
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2688
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1652
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2664
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2788
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2668
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2932
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2248
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2032
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1968
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1960
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1768
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1944
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2356
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2636
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1820
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2928
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1040
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2528
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2240
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2324
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2588
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1640
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2908
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:772
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1256
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1048
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1760
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1976
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:928
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2776
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:804
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2420
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1420
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1764
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1252
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2972
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2612
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2716
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2744
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2432
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2784
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2672
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1928
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2292
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:736
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:556
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:320
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2676
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2252
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1156
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:112
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2316
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:520
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2880
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2748
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2144
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2884
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2980
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:304
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2368
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3060
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2944
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1092
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:904
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2364
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2020
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1076
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2652
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1816
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:692
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1208
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1116
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2040
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1736
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1084
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1008
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:876
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2132
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2076
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1200
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1424
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2280
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1320
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2152
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2852
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2628
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1824
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1996
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1028
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1324
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2036
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1104
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3020
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1616
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2624
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2068
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2912
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2660
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2648
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2088
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1992
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2092
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2564
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2640
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1624
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:436
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2220
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2964
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:836
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2104
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2544
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2576
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1744
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1164
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2032
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1968
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1960
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1768
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1944
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1892
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2556
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1672
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1900
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2928
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1040
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2528
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2240
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2324
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1908
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1936
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1640
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2908
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:772
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1256
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1048
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1760
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:932
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2772
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:804
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2860
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2500
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:332
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2168
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:992
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1952
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1428
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2656
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2244
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1696
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2744
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2432
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2312
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:908
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1956
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2988
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2396
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:556
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:320
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2700
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2720
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2724
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1248
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2892
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2316
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1548
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:544
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2328
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2748
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2144
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2884
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:304
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2944
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2384
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1000
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1096
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1224
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2264
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2012
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2296
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1588
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1612
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2804
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2796
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1648
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2488
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:952
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2132
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2076
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1200
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1424
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2112
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2152
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1168
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1564
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1996
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3044
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2036
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1104
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:840
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2624
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2068
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2644
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2648
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2088
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1992
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2092
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1516
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1392
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2164
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2220
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2964
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:836
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2104
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2544
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2688
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1652
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2664
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1744
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2248
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:936
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2788
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2032
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1968
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1960
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1768
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3012
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1892
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2556
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1672
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1900
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2528
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2240
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2324
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1908
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2156
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2184
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1256
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1048
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1760
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:932
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2924
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2820
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2776
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1828
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1976
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2500
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1420
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1764
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1252
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2972
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2612
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2716
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2420
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1696
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2744
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2672
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1928
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2292
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:736
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1432
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:864
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:668
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2224
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2700
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2720
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2724
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1248
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2896
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:604
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2332
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2880
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1724
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1920
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:328
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1792
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1464
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2368
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1088
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2452
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2980
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2944
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2384
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1000
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1096
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1224
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2264
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2652
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2012
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2296
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1588
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1612
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2804
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2796
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1648
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2488
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:952
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2780
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1656
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1492
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2280
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1424
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1320
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1824
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:644
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1996
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2100
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3044
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1212
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3020
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1104
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3000
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2624
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2068
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2644
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2648
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2088
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1992
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2060
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1516
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2992
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1392
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2164
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2220
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2964
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:836
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2104
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2248
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:936
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2788
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2032
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2932
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1448
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2928
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2356
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2424
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1512
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1904
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2324
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1908
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2156
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2352
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1048
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:928
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2136
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2840
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1532
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2428
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1700
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2772
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:992
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1428
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2656
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2244
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2732
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2604
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1488
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2312
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:908
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1956
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2988
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1432
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:668
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2224
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2700
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2720
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2724
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1248
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2892
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:604
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:520
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:544
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2328
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2748
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2144
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2884
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1548
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:960
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3060
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:948
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2140
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:568
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2944
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2384
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1000
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1096
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1224
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2264
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2652
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2012
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2296
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1588
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1612
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2804
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2796
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1648
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2488
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:952
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2780
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1656
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1492
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1704
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1424
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2152
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2768
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1168
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2112
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1564
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2148
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1052
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2100
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1104
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2024
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3000
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2624
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2068
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2644
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2648
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2088
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1992
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2060
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1516
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2992
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1392
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2164
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2220
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2964
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:836
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2104
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2248
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:936
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2788
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2492
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2932
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2952
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2636
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1960
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1768
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:872
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2192
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1944
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2688
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2928
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1820
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2356
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2424
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1512
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1904
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2052
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1040
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1908
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2156
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2352
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1048
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:928
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2184
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2840
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2820
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2776
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2480
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1976
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1420
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1952
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1764
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:804
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1428
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2604
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1488
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hyfatok.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Users\Admin\AppData\Local\Temp\Hyfatok.exe
  "C:\Users\Admin\AppData\Local\Temp\Hyfatok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2764 -s 1732
    3⤵
    PID:1408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\SetupTCPIP6Driver.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:860
- C:\Windows\System32\SetupTCPIP6Driver.exe
  "C:\Windows\System32\SetupTCPIP6Driver.exe"
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\SetupTcpipDriver.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2132
- C:\Windows\System32\SetupTcpipDriver.exe
  "C:\Windows\System32\SetupTcpipDriver.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Runs regedit.exe
    PID:764
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 764 -s 608
      4⤵
      PID:612

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2308

C:\Windows\system32\taskeng.exe
taskeng.exe {8B695250-AE8B-4A5F-8763-9D96834FC933} S-1-5-21-3787592910-3720486031-2929222812-1000:HSNHLVYA\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
PID:1332
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2112
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck63544
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - NTFS ADS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2000
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
      7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2432
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe" -f TorConfig
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2124
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1648
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2012
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck63544
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2804
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2796
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck63544
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1424
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2576
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck63544
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1820
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
b5e23176f820e21f9525aafa1653b879

SHA1
dc8427c3e20be98b1277ef14c856260b23ce4837

SHA256
0f93628674895d4f9ec6832ac90750c5a9aa8aa6131f2e82124f914120b76b3c

SHA512
12bc6779e48db89862259324e5eda6ff25375e39380502d79986be9f65e55438fd28a31a267d1689a5ecf9a21298f25f22fa4559e90e4b88416718c355cd1a2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
10d0bc8fe6bd7707dc5dc6ffc86e3566

SHA1
54681f01d73ad53d9d3a5bdd9be99598d17fe3fb

SHA256
40ea34d6814fd66ded8fb55ec1a62f956bcb9947c2625a6a227f5f4216b656f0

SHA512
7e0cc4a4d21bc8ae5d01af8f5caa77761f33ec41994441b8044b3fcbd3f4e5d28f9d4bd4826b98858e08eee015ae323466e832ade9c444d7e7e127ef9d146ce5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4376e246f9d49dc1ccf1f09606d76bda

SHA1
834c7dd87a0ff9923e46d6a579f62eb933e3f0a4

SHA256
217794fb0049bcba5bb9124a256384a7630abb54f9715826df2ed8698aa51210

SHA512
c80b32c69a4134295d98bd810d277cd328d194a12bd31bdeb5b389b7a8843e32b54a246f239003a59bf57f1f906c07fcd1980bd682bbe4d18b761c2f95abae25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
255a54e9c64ada97d573aa55328d1409

SHA1
3dadd5a0299c95189c6689401f61a45cf316c2c3

SHA256
2e73055d7153b09230308416a01700aee691afb415b4c4ae15642b419d3631ee

SHA512
96bce669fcbda24fadd57e8b14ef63cdc6925a3fafef99be6dec77e0056342fb8a55889aaf100d474134f82db12fef7995c7b8204ad1a6204300b819431438dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
da5d39df6b8473bb2e01f2c902d41579

SHA1
b701a213a9c5e3990b6ffc6c45b812db7eae6f8b

SHA256
e83dec5980d10edd9afe5ac00aabea67c7b6945d7c21d7bb63e47215d83a8f1f

SHA512
f47c274424814cfaa8fa0b3034ccb73e69915009f34bf0b005fa577a3d27e0988f001694d554e748e61c3a2eb193a7eda94b53a4fc598cd75341dda8661c888a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c55f1ed195d08c9397c475c759606e2b

SHA1
80c4e7f84362f4d4acfeb1027ff4f0083c5e188a

SHA256
0ea1c13c90866e7fc6fbe411ba18f173a5b40e0412edee894db0aa4aef28ec6a

SHA512
cbacb6c5fed391e28dec2680832609501d01b4973b29c302281e287e7e86f7a6e29acebf5966a394dfb89723f6c0cf5cce095003129d3e375ad2e05d0718f088

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
56266e2bc70251910a401dda978d7c43

SHA1
2eec2de630f6c1f2f2a4a4b502b058b160aeb0af

SHA256
d19e7bc74a1398d24552d795c8aaaa11f91426c1fbccc1f1e3be5371b4556a93

SHA512
5fe4216480ddeea2b9ed043e90419b536b051e85aa02d4c914016057cce9d8d38c4b52ab4c1b938e001b42c81f227745262b227671f4bd6a2e2bb85f79f5ea1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2e37a291be40ffae67b556d8cb90bffa

SHA1
ff13476b56f8f59013e572240c1a7b127225b7c7

SHA256
093d819e9120bb78510f49b39133bb7649367a48b6420790f913a994aaafd1c4

SHA512
3a809308da42eebcc10a08027ed783071ab4d9aa8b6e1c59c7d1ca144cd8faa4849c6608aea566954635cd611aea79f219fa6c0b37fdcc6a33c40c5462e2a253

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3d3a0e487e58d07e83dc987f9cba0db4

SHA1
88f4847b10673cd22778e66f8ff36f9bbd467e3d

SHA256
0abceb8ef40424e6ac0b237c9a544682ebc57fddbf3ba5b697a2410ac0510aa2

SHA512
10214647a55be25ff25ff9dea35963a12b036e364eb3391d742524888086f57d459170f541c5912e01059c693a313bab2081636590cefd36614ef01be75b18e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
104a7ab55bb02848830368d6be388803

SHA1
6b79e684e88c7f97abb96d9536d36403ea1e97ac

SHA256
a83d5d7c2158d88150f9420c1c8d4155d8fbc1e6fc75f1a04d13f15bf318ed59

SHA512
bfbfeec5453ec1f03a6578829ef66fca5e2f88575ac1e10c0c6b3774e73a940da89e1e3c4eab0cb06edd72e3e0b92dd4b8cbef6f5d4414712f3513baaa5f1901

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d4b45ba780b41fa5832ce71c94f34344

SHA1
72e7c32e3f1c1f64986bdafe062ca6de833f47d3

SHA256
e87935c5efd2a8e991f7781a7abbaef32be127ab2859574adc0cd9385c91efd7

SHA512
3121f80c87e140fca17f3ad4cda98172641cfee3da28eaf1f6dbf578331c9121ccce470eba8aa064b7823d2e9c5d3f25b3e5f06c635da22cdf1c9aea6c1be542

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
89b17940c60e14798d2a159d48debe28

SHA1
d1e767fae6925f49173b0bd1f4c602930c8fa012

SHA256
d17426156f068fb06a17b44100c2b3f5d7d692c77695d5c248920712de9a41b8

SHA512
e96f978fe68599d57e6e6b814c1687f65d6e779e9c18557e19ea4570c452402488598219db13ec468c2219c97c00537f376846147a180d02580913e889469040

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a5116c3b531a2a300958e7b63672f5ef

SHA1
b0b13417b1f24ac559cb701b47f451aeabaa85c0

SHA256
c85e40cfa7ccdd203f6e9be7671555f361605726e3c85e22475b09e703d77fc4

SHA512
c0f1cf00b63de84bd83eea00bce6cae10ef15e3e98d38703e4b8dc837913d6b4047eb044ff88dbdba7104232f71800d4f64c82355505e138cb69764eda1e61b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b80d86acb5ab925bc36ff14e8b75e4d3

SHA1
90313ab1fcf47f453fddee309a6a98dbf5927fe0

SHA256
04fad6ae6b18d70c94d746991388d9680f0b80bc4ceafe655270a2dcdafd67e9

SHA512
7b2c8d1ec989856d7071926dbd31165551b789255061cd1e57208993a2afb1da3d95d9442f3aa07d4c97b63c87ac9d36bdb68bcb7e2ca21ad4dcca25247984b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f3e9d1f303739582197d1dba072ad4c9

SHA1
9c91e552356ff19f6c84929705e6677145469dfd

SHA256
a6e4e0ce7cf31f5bbe0e2c1156cbff4a923b09ea2688eb58995cf70b2f1b73fb

SHA512
d3f66dcf7746916a25f7a902bbb534c650afbdc9bf17e84d63e0666ed5e58a1ecf5e126f77e40388aae4e6d71afd634142a8f4923aac1d2b5253d01de89c3cf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
12242ed38c11eb8dc8c238a5a20de097

SHA1
7d2d03b6f99f5b6669b0a45a6b97d50856bb36f5

SHA256
0cdd88091e381715eb15594a79e2f1050e1088340ee6d64fcd69154b029b73cf

SHA512
db65be585af242b2b8c5a70147e86bdd3d47ced3131179e13455ebd1896754d6626a0196e1285b94daf54642928c5e153352108f91011297d7c0793093794110

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6beb7fbc633e4a976e8a7ef34354cf12

SHA1
3104a3d5b740a61550afcd7cfd163359346129f0

SHA256
38bbcdd6b8aade59c7a05e378ca6ee71f84b02c97b930f6677d135975ff8a25e

SHA512
a06878beaa47ecfbfb94486a3fa3f0e58c690b1cedcb788dde4fbe19f94b780b4f6e6a355e090b03fbffbcb661bbb306154590cd43e4c0a38ca762b8aafaebc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2d323591fb3dec0a145e035416ff072d

SHA1
824a8bd3c48a391cc17ad1c37b5026cee9a0d505

SHA256
2d1e9bdf5c2dbb6b44b178c8ca0ad2e21978ed81cf05b9880bb210b394e54c44

SHA512
97a8608b338babfdb45ef354b30055e2f21ccda98fcca6d5c7ca09121276e72a5fb2aee6110405ab6c71947ec77ed9738c37e04076293ccdb38e9797bd4ef43b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e6a712e05512c6c0e343ef4d1595c7c3

SHA1
71169b04ff43f7df7f2f04deadc59a83200e70fe

SHA256
f6539ab5328eacf668a15fc5dcec554cb8a5c3607ff66300a1de1fab310d70da

SHA512
93cbe9cf0663301f33f8e0c2c94081cb6d0207dfe9d887fb0d1d5635868cc000b9e532c91a3777c39b0584ef7e9a9d638a0305eb303b4b0e888b78fe1b65b499

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c550437996ca5ecce33e473c7ac01f97

SHA1
b6f554fc69ea51ae40430c97e4db32baeb07387c

SHA256
e722824c5d8f6bd40aa4292483708c61f267f0eaed597b7f225a121487f23239

SHA512
34a263d928d8041d4afa72020676ea04f55b4be46bbd3e3ceffd5342516c128758e8ffebf3babc4f01689ae5250aac1d4cc0b84f20f8df207dedcf4a3d5009a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1ec4a6a6e59a9c0a2caca9781fdbc19c

SHA1
64af5583c544f91a636157dced6c074170162395

SHA256
763fad5ee3d7cb5852a5e0b0f9194adc960303cf0b8e968d2046132cc715288c

SHA512
1cb69869fd9f0228ff8d7d9fb4184cb5465bf9d06beb894209fd467da693e89f3c097e38b9e0e2f1e161551aa45282bfeb89f876ef309666bbae0d27da95ad66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2a9f8d2a623b7cc60b22f31fd9603cb0

SHA1
73c612137905c591d52b5f4724cde560bf063fec

SHA256
d31e06b59f0e3a7e80b2a67a9085ff8312028ac74cb3cc5b8bb0821e4f725b2f

SHA512
73cb1d7463f07de984f77986b5854b473452ffcd0be918067b208da34d6bf47b858a31f36822fa91f1076471711ac42e8bebaea2c275046d4ead491d7b4c8acb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
17cebc4592008ed934b5cbaa37941a1a

SHA1
7ac7c14936e780536915571bae1332d9d16937d5

SHA256
d81b4ed62228787b46c34fa2cf1c8aee3fdc1e9810cd59d9a715c884b5171c15

SHA512
713b76d25e1ecaf8635ceccab577dd78ed0fd053408e902a8ba68c857918810e088d2d954c1d15a1724e3f8c5b104d69cf6beb0953d3915b77ccd0483251aff1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
75f9ecc998cb8bb774e5890254a1359e

SHA1
0a5f0c783b443e00a33a696fe8fc3b744a0b0df6

SHA256
959508c4444784fe3a2ebfae109bb9a9c2e50e1b5d8fb1526caadcfc24f48b30

SHA512
258d08970c798b02279db9542eb6a9f2e42dd3f85926e4fd7db529cf4f9c4dccebe9bb4bec86b3b65a99f98d4b55f9cc9d6817d0194d84908a87c6baca299cbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
92afb73df8a325787ecc94ae1fe8476e

SHA1
fd437e2a91102873dd4ccff7b46b9440c6cc1b4d

SHA256
e1a5e8ccb9859d380f45f79701c1879b4e51e839781d948b4eb04d2af540343d

SHA512
4c1566c84eced8c9ef3c7e662202c5e6ed55e86c1f6260bc5603c8b8246d2b4138c0263e8ed2c32e2e99a948551cb9b4c0146a71067297fed8971e81483b827b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9de49d23500f7aa651ea564831c9148e

SHA1
10ec6490e4453f716978e92fa0f2175e3c399744

SHA256
94d9d8d1990d1032758b27f29e874d907e7a19c13a880e76fe061ac9f92ae98e

SHA512
447812d2c34847b90dd0be5c64221fe2c0e80b1ded55dfd3fb9abc6a688dc71f783fe8418607e4f704305ab8a86282baa730a190363fd19e9b2cf84207310281

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
183ee1b7ae284b77601e3743c7c3f922

SHA1
cf0568496c982ee438fc6875658020b87f51eddc

SHA256
4bd75c1567a73563a539a34a7c9c1a04e33ecc0b607813b23c55a746753a25cc

SHA512
90a5aa38efdc1793b7bb9e4a71430d71e09582dc72f7a0220aa06338058ae0a95534f607386d60982454ab2d4a3bf61473488346a140e2a7f6adb9d81b6b4c1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
520070756674fa3a2bfbc37e17dad0c8

SHA1
8e50c0831abf23cbf53f50a42c6ac09c37ee9424

SHA256
b155f47d66cba90827017592473bba7a89df5239089cff54d3d596ded16d11e8

SHA512
902491bad4a4477072186585d8475bd88cc4b32c5c8f7223fbe73787f2fe9a9985b84691ed5b453429a406e5a5e6d3577f6359013d837a9ca0e0154be7e682b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aa5339a78b0c42c203226b7db1d9d8b0

SHA1
999f8af1bf30b5e8e0c4ccd96b2b8752e6635063

SHA256
0834df72fff0614d19c6c49337cbcc8cbbc01e0b88bfa033653d8c4a10072b59

SHA512
70f534aad09ac05c2cc5bc3647f658c1ec2df275d1e912a57e512399a26c5eb1d03fc0bdf91ba28759fca30a78133c7d5c0fcdb79095d431fad8cd925b830b22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1685a1b6c3fcab0032f0c12c54b45298

SHA1
8a0af6bd2dfa7e4e4d4dc6c15debbf009165f969

SHA256
4e9bb7375ba672283c8b24074646c8fd5d8477e46466d517040216d8b6cabae4

SHA512
bbf88e6f0664c57c1079f8c5980ae4901c12d14c074fa4cb2cb8f3abd7b464d983cc62bc9b0a7c6917ceab8ed417b1ae1a23c680bf75bcc6099c4a5b79174529

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8a4edde10fcd73da4d9f1107e8f0434b

SHA1
99abe17c4f7243ffc88a388e8b26731ff95a90ff

SHA256
5dc1d5dbc740221f9ee8bc656ef720345497c6a7a4154fd1a0d8b735581159db

SHA512
434b1601d5d8b449c3d7cf6b470e2f130d3230090567134286ae6c5ab24ea055d9651443ead597bb4092a6037933ca979ce0bf5e5b8ec6b1c0f05819cb183fea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
86ff03c0b3d45bf73bbeb5ad71d0b534

SHA1
adf17b237395c7a20fc02d035da78d24f6635a66

SHA256
22bf1f57c367fefc74c0c4a48460f28be327a1e7fcc22bba568a26ab681849fe

SHA512
957beba24c04c9eb3756ae9897396c984e0d5bf7063511550ed46b51f038a8a09cc99b10348ca6ac65100521d21fc3fc50d51dfd94cb577e6ca0bdb440b3c6f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f66efa0fd01c8818c14c94b0a9291bd1

SHA1
c4ffac487684affce923deba3d9775ddc6e07575

SHA256
79d529bc3651f6c1908e9a54245dd1ab042ec1952a562649149b0438b1775fc0

SHA512
41f8255a76d661a53c1938083bbfb4f3d2e534058d6905664e2926826e9f0efb3b5314ec01a4602954d8c989c307e7f22a4b3a7415b63ab3a5e1b236f26c9e0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a8c6844c77e9e73ee4fcf94de13360a3

SHA1
6d248cd8606fd2600dcef41ffe22f04456d7f871

SHA256
fa5c5459bff18a2dbff70f80d6257f5594cfa6c68f1fc04420e3a7843bddb5e5

SHA512
04db92112f1f7fc29bf6da97fcfd7bcd8d053d7e994673dac2eca92157b7e3233c1fc9ebaf8b37e3bf7c36f2d7916c003af82e894a1b882313f79f6593379bae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\86VE7VUY\www.java[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\86VE7VUY\www.java[1].xml

Filesize
216B

MD5
5bd4f9f0a79bce2e8c4623bb2fc1225e

SHA1
bcaac611bdebb4c45b137c685da767a6a9964e71

SHA256
d5537886b98a67597c251bca61375bb7dc6a6f159d8aa7510d00a3bb9b873758

SHA512
24998b8ae5fe8eae3eb2950fc84647da3ebf0dbb22f878023976585aff7bbce10407eec384446659490e5f6d53949cf99aca729286e1da624336bd74771916a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\86VE7VUY\www.java[1].xml

Filesize
398B

MD5
e0100289b2e426b8825634c8120eab53

SHA1
c3272e547e751e14ced1335f66b7221227139900

SHA256
08de87350b2039505751e22d9845db4c92a4f04d5eb555db687c6707e430c536

SHA512
659d9d1c24164abea9b858fd360f6f0b9da2858d412aad74fc41fb1f8a95b4b6c3267a559c94bddf891906ca2ee428f196f1d701223dbdb4552b8d72a4f01826

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\60nmxlj\imagestore.dat

Filesize
1KB

MD5
bfab173db169b8e6edb23e821173f1d0

SHA1
9911a5275d5107c4a80e67fb07dd1a5415d78d43

SHA256
dbbe3d87248fa98670b82c47718e3d23bf4ae36e7eebe10f0cb80c33a65bdc6d

SHA512
4678da095f04d35c5a614cf6de0d01fca17563b73835f275009934c78fa831d672b3695ce497da36dffce7d8e27cf42b01f40d733bcc753a6b8d8d1627ab8e1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\23EIUNT7\favicon[1].ico

Filesize
1KB

MD5
8e39f067cc4f41898ef342843171d58a

SHA1
ab19e81ce8ccb35b81bf2600d85c659e78e5c880

SHA256
872bad18b566b0833d6b496477daab46763cf8bdec342d34ac310c3ac045cefd

SHA512
47cd7f4ce8fcf0fc56b6ffe50450c8c5f71e3c379ecfcfd488d904d85ed90b4a8dafa335d0e9ca92e85b02b7111c9d75205d12073253eed681868e2a46c64890

Download Submit
C:\Users\Admin\AppData\Local\Temp\32.exe

Filesize
3.8MB

MD5
c05283994c67e1698ec43b6d1d16ec42

SHA1
48b07e16c119d94f431f9b1a13b3804a899857cb

SHA256
4db27b59d42fa2fc482b2c77f598694ccb31e1b4bf26b030a5e4965ae2ee3f9f

SHA512
ce3e8eed30034107499e4ffbfeecf9a276c2c097828a11755f2d12a74faa088b12df4c0e3e85a2233ecdfbc902c384c44ac757b27633955a3e3bd26387ac7e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.exe

Filesize
1.7MB

MD5
b496d3af239c39d556662d788e88b543

SHA1
87216cb602e5f64b6e120d6b10af9bc013fb870d

SHA256
fac665c321d7f71a4814f6f18c0c9d6004253c1655f5c7a47be4ea69dd043226

SHA512
cbbe0b57741a6434830dfd92f6d68e495763802f16d9b5c2170699997c125e0a1715d1feeff7a6f369cc0e199809dee7c3ce84469a7f5b5695ba394b9f38f37d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt

Filesize
3.7MB

MD5
76fb50c69a1dcf34fe35d78faf9a4252

SHA1
99a3d26893fc76bf0a639ea64795582262a1d030

SHA256
3fa8619bf1fb02a4c16fb6f70ee27f738697550fed7ab557d3561fec1b854438

SHA512
3f053f128d493fc0d843f6ca2d6ca4bb19e7caaa27e0ab44029156a01df4546df4f993287870564e074f4bfa4ce8fdf652ec11908bb6b5f8bd6640b4fea43801

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF306.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hyfatok.exe

Filesize
84KB

MD5
9095c3e7ce04dd48e72178ebee7cd5c1

SHA1
bb21d1cb98b0ebfde2be9079c18152b340b26418

SHA256
9a212f20a8b74e3a0662ace826537cff60bd30a20cdb2b4dd43b8c69e5770bc1

SHA512
d01706a02e6de418bbacf2a0bd26c4706a66531934fdcdbd582df7403427293b7fe565ccfee7d941d30ec293bf09309c86fb52e2af7908d26f33fcb296f99c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe

Filesize
2.3MB

MD5
7916c448a1428cae5bbd18fc1bcd8a9d

SHA1
09dfb8c933c7d41083ef97fa3414fd54334845a0

SHA256
20b3d621e2a65503319c53281f546de230eee64bb52e6e1910d9433efc243a3d

SHA512
c7689ccc21335a5bc65772c5311564ad31ce23b40e0294d9607c5fba493e23db9dc6be5a47d97e4b554655fe00f6846b25b02f5c2036e6c55878c9610a7b9932

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe

Filesize
2.4MB

MD5
607f271cea78509b1f0a22aa1c0c0f51

SHA1
30fab9ddedd6efa07a126da12cafea96951fd8c2

SHA256
d470984dfbc891756bd3d0ea12ae8122b323806dd40d12cb4bd431de3e562085

SHA512
55d4544c3ae098504da08165890bea80a1869ca6cbbb9828c84a07f1bbe7eb00ab14e8fb2599fb6a6dd8f6112215c269e27ad6dfa7974a7cb3fa12853ab07d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe

Filesize
1.4MB

MD5
88061d9c4dddf493d797a6bcb4c41a5d

SHA1
9927a01081776cd17e0d63520e69578c2d1a2f22

SHA256
253ada92fa6c90bc1aa8b41f0a5167349e3d4a1f5067c21ceb0ea2f8c07d058c

SHA512
0fe953bc3a12413ae0852ce1efdfb3dbc02d4e8785cbad619fe36b18258e995973d67663e4709dd21f6ba38f4a6dad6a3205742defdca62301908ba8e064e4fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml

Filesize
2KB

MD5
9160347bec74471e1a79edfd950629ae

SHA1
c149a7e5aab6e349a70b7b458d0eaaa9d301c790

SHA256
0fe356f3d04bb43f772604b049fd2b20f3038ca2ce84bf9778b8ccdd481d77ab

SHA512
b8061834f658567a1e742496c38688bdecd60191a92163d47470f64aa1fba23e92dd36fa1d2bb7efa36f14002c0606013973718b9f107e62d845a17be4b0d358

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF319.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF466.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\asacpiex.dll

Filesize
1.2MB

MD5
c8e81a2e7a0d97a4d810a3721f103660

SHA1
9d66f386527205abedc91aa4578c1e35968017e8

SHA256
9e907b8f812fd609cfbd1755fe5323d35d3634d9034bd452e7c5729e1879413e

SHA512
f3b415b74be5100e292bc2451f491122eba25de52fd4e81c3ce4666e2fbc001df38aade1f8943b29a9777f74ae7a49a9ada169aaed435c16c3243b0544809fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcrat\DCRatLauncher.exe

Filesize
72KB

MD5
2c7d37e90dd8ab57d06dad5bc7956885

SHA1
da789c107c4c68b8250b6589e45e5a3cf7a9a143

SHA256
5ede5d774ab65f25357cf5a1fa5e354f6f2a9868651a0fa717485802b21b1939

SHA512
e74ae891771bfd9c6fcdfbe8e4f33f0d5f7c3457cd84b257500cdaf8fa8b16fe458a18db9b3a60591465982fc2871f4c3f2e7541c765f00a0516f805e7e9ca0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
3.3MB

MD5
5925a1ed375ad16a426133c66a3eda08

SHA1
5317dc9579cce83a57df27e1fd6201c7501eda22

SHA256
85b4a107536b67620c6adc712448aea9741c92203145f77f4e8491e5671c5f53

SHA512
14b3fd1625ac7bbd689c0e39b79b56ecb883c3516dc0a1e1f5e7c36518895610e2a937f97546ab6c6f8468c156c672407fe87856cdb65a125b61fb515581b3b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
1.1MB

MD5
dbd738133caab96e91d2e281df9c4aa3

SHA1
fd7645f6e2c58a93bc52b4883b155895c5181dfc

SHA256
963fd2f1165dc8e61a3df9a00e45efcfe9a78ac3f2d34b27f552882d5fb3bc0c

SHA512
ed082151a08c7743f943783f7e3ac7828c2145fd0946a233c42b5219b09cffb57757596d3c80d6c7f0c529b92aa7ecfdaf6f43f32e6b1eda6ae232556173ca05

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
2.2MB

MD5
c57660b4d326b8057bf3d08c992ac7e4

SHA1
6825a55e0e9dca2574defa82fdbcabac5aba1bb6

SHA256
f43d0c69ead8d58b90ec46ac10b7db4f46d174c0a190c00c4772395682353ab4

SHA512
cd060a18338cb462a225929f34550ef7a16197903f68227637afe2400b55bf9bdb5560c0da83049ad143d001a6190161452f545d35c9ae2b2e59dd45adfbaf10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
6.9MB

MD5
2288f2defa85be8f5c3351c664fa03f4

SHA1
eff0a57c72b7ed4e1616e97f7a20d674ac0e6cfd

SHA256
600c89751a4a41ebaec0f520901fa6a434e50b325c003591516f6596051f375c

SHA512
d54558d3f964a9cba8c5c8ef8944b095546820abfe71a3b521849b11078642342b84fc78c6d52ad013ffcf301e84861402ed329805ae7d6036d47d9a53ce1d5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
3.3MB

MD5
2bad7511d3a64f2632b08d9f56ec84e2

SHA1
af42fba10978c6af755720d4fffd49db4aaef01c

SHA256
d70d4f75b9f6d7a9a4de13245d471aae87f59638415964bf41729eb71119a11e

SHA512
0bfd2238f470d7f39152bc25184ca9191d42f89dc5a515e17f3b3dbd376b6b6bd6b52c2e8eee3357eaca06fd5e086bcd37f66ad3f9be26ea86dfb7da417cca5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
2.8MB

MD5
c0cf4ce70bef7e963491ab98a5bce4ee

SHA1
9346398beb35ea6cfa434fcebb77e4c2bc9ba8a9

SHA256
a8beb32c60142cc5810b657b0cfbce1a439b16dd4d1edfbfb61519836059f2b5

SHA512
06c99d04d9cedaa4733c8a334da6aa07354bea3a8476e7717286504621007c603935da37d99185add3163c33b7084ea313d12955c8fcc10dcd0fe90b820345ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
8.1MB

MD5
8a14eede28f47241f6f9af9b0fe57530

SHA1
f477aae1df78f241470bf621e11b6e9e2c506d41

SHA256
1c66decd6e196561c5a13f258e8a0b61cc009e944843155fbb78e6337cd7c692

SHA512
5b2fe67bd0e4d01ece1d5f9b6ebc4a48d3f9fcef4b4ee72b7e993faa2e3c965f6b2e323fdab0a1b23f31738d9d13bac162013ea16f9666d14bdc4312699ada71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
056178825cc21a04bff0daee4b65cd7a

SHA1
c2a377beceea97ad0df46d8cd1b7d2fcf120b049

SHA256
7e53061289ef263fa646370f010276986f93487114490510e6620446a91422f0

SHA512
192ab38eae34343a0afd622951c3cb44c18bf273ab0b9e41676247b214d367ddcf700d697305eeb54ecb344720676ca800fbb46856751cf74977ed5354128165

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Filesize
8KB

MD5
dd2e026dbac234d9bf92cc125ef938ba

SHA1
6451f3c6f4005fa9f8f3d603c95535b6dd3300d4

SHA256
09a038eb13d20860603d24e42dd8735c4e1f963f084ec99dd89966eb703404f5

SHA512
f3f14153eedf7247e26524ac3029f5663bfc31fd74083a6cb3fae184e8ba495a05bf901fa526d5162a212bec2d601517bd89f5291c980bdee69703624f674eaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp

Filesize
2.5MB

MD5
54183220aa6c777f8228474ff5b5df01

SHA1
ed438f17bffb37d42afd61d8dcef0c50d554c65c

SHA256
9a78c80e93bd1ed3d71eb090465e39a69470cd1812fc5e169d8b412e8c665963

SHA512
70b1e22449c5264bed46b62595206e3ad36e2a9c33fa9589acb792d499dcbbae5ebdbf3b35c140e72a7d594f807a6ce1ab925736b5e1a07c17a26445a2591987

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
28556f926ab5d05207b112563f2ebdaa

SHA1
f56c095fc76c63bdbf65a05b2697fb3df209b8be

SHA256
15c80fc7a6d963e72ffbfef85a22b8fb200f9a4f18d2704ec8d7918530116f1f

SHA512
17ad61294dd081dafa547d5f614f5546f78eb8b51c2183127332395a4eb615b774981f7481fc7ab6eca4e05428f02d178d21f50a7e535f9d4cf89d0803f100ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdescs.new

Filesize
6.0MB

MD5
212b4695a5fb15ddd63da1516a011f60

SHA1
796b637537428f0389f61dc72484ac2da2536a48

SHA256
3391e05f6f862f279f2f7f01e5ce095b1585ce21b848d8cf54637955b9a1d8e5

SHA512
3895e8c832af95d9273f3455d3407c17a3871ec95fd3db18b586ed6068c731834c365172853787b7e657bdb6dbf840b628531435812c5d6e51dda1e067776e1d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\TorConfig

Filesize
201B

MD5
b9d2fe9cfa840518fa39039c928d4938

SHA1
0561516b7cfa784cf400349983817c8b18817256

SHA256
69d57bfb46ef8097c1cfca65885790421d0e0965b7778f165cd7df9368807776

SHA512
894510d39a044a37325d73b8348860960b3a78c54e7cdf81357f4b50e8dcf5d47ab98c768e6439949ba835802b2a5e98314441127d9655b027caf246e09e013d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libcrypto-1_1-x64.dll

Filesize
3.4MB

MD5
791a48e7cf84ec1532d20127556f6300

SHA1
774f71e595cfc7e24dc941839566bc9edd9156c5

SHA256
af682ad107cf0e9d9f11adeaf88f817610988b56577c4020897debc0f98e26ff

SHA512
ecbb4a07bb68fec5258be0adc91b89d179b5668bbab3be3bd72d5339f8bf3b32a1860b38693a304029fe989bd92adb020cf755f673b1e59966dfc75e4f958cfa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent-2-1-7.dll

Filesize
974KB

MD5
be51ba4bea2d731dacf974c43941e457

SHA1
51fc479fd8ee9a2b72e6aa020ce5bb1c7a28f621

SHA256
98d06628e3d9c8097d239722e83ad78eb0b41b1e2f54d50a500da6d9292ff747

SHA512
6184accd206aa466278c2f4b514fd5c85820d47cf3a148904e93927621ac386890e657f09547b694c32ef23c355ae738b7c7d039fcd6c791529198c7b0b6bd1e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssl-1_1-x64.dll

Filesize
965KB

MD5
7847c7b13b3414e8e7652880b4609205

SHA1
930670acc16157f56aaf69423e5d7705441764ba

SHA256
38200438cf0c9c20d17e5b9030d2ad2e4a1b6b9dc41c287bc603dd50d22e67bb

SHA512
c3c81dc3eb546c40b3606338deadbd63331659645dd24b5fd0d4fb3170b053fef528ee3fe005c9446176a5c049e9412ea8193ad2f8b9a7301ff67b088f1bbb6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssp-0.dll

Filesize
313KB

MD5
97d89dec5f6a236b6832a5f3f43ab625

SHA1
18f2696a3bf4d19cac3b677d58ff5e51bf54b9e8

SHA256
c6dca12e0e896df5f9b2db7a502a50d80d4fb014d7ec2f2ceb897b1a81f46ead

SHA512
7e82d1e37dc822a67e08bd1d624d5492f5813a33ec64f13d22caef9db35ebb9bb9913582289ebdecad00e6b6148d750ae0b4437364ef056d732734255498be54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libwinpthread-1.dll

Filesize
608KB

MD5
624304f2ba253b33c265ff2738a10eb9

SHA1
5a337e49dd07f0b6f7fc6341755dc9a298e8b220

SHA256
27b857131977106c4a71ce626225d52a3d6e2932cb6243cb83e47b8d592d0d4f

SHA512
163820961a64b3fda33969cbb320aa743edc7a6bacebe033054c942e7a1d063f096290a59fad1569c607666429e2f3133fcfe31ef37649f9da71b453ef775e5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Filesize
4.3MB

MD5
9f2d86da7d58a70b0003307d9cfc2438

SHA1
bd69ad6ea837e309232d7c4fd0e87e22c3266ac5

SHA256
7052619814a614a1b157c5c94a92dbec22b425a0977ac8b21958b8db81e2dd65

SHA512
ce345ff77d8043f416a04b782be8e7b0d5fdea933f3ac79abb88648a9fca23d7a69f537a825d0b636ba64f80afe70f758114ddbf412bd9398800ba4b6e359a99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Filesize
64KB

MD5
46865fa36524703de64ea0d516c3d8c2

SHA1
b72b6bb136e7511d4715e65a0170d3a70a79d792

SHA256
ae892d932d3027e4b6fbbdc5a0820b8bd9a86a0ecb5b4daa9e242d1daa2e8bc7

SHA512
18001dbe0025692563ca6f46e8a2252c75acd1dc926486ae87fe41e65637eb5191bc8b86a36f55e2cda87c7f7d94f8f0adc3ccee492a62ded11180878658e278

Download Submit
C:\Windows\System32\SetupTCPIP6Driver.exe

Filesize
8KB

MD5
488bfa6d9fd5c874585daa3f960e6804

SHA1
aa8ca3927c318716e14210fc0a3ed70ea483eb23

SHA256
a84bfef2ce112366349e3ce8c70e120ec63731535696b405a458e5ccfcdf7f48

SHA512
952db3ec6548421b8c013c1482545e005c7526f0c4f432b12bde8460a13c88d0f1022cfe3008af88bb043d9fdede9e341bcc406d7d2fc8370249da75642a07a1

Download Submit
C:\Windows\System32\SetupTcpipDriver.exe

Filesize
28KB

MD5
2fbe46325e890bee1e21aba30c9345be

SHA1
2c860d226f6b8f59caa058e39d06d6ae24007227

SHA256
cfbd108945d203a6a5ced2dc4eee0084ba66972c1361c05b6b7065276f15eb4b

SHA512
133e2c1a9bad1b7a9c7e519c6132a4494af5a0233c47ee3eecae263f72bce8345356f032bbbcdefc934776020b210327f18a52b72138006808975f8bad2ebc34

Download Submit
\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt

Filesize
722KB

MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
8.4MB

MD5
ac64e3cd7e18f772f2344bddc91bf8c5

SHA1
97cd0e490bafcb3dc1655584b9d9b4b135c3fed3

SHA256
b0842175bbf5191df471da4555e6688f38baa383dc1da196e51ed47a1432e3d4

SHA512
9b499eae8c6ff6269d929ad78fa0ce151ed32f0f64a2b4d7f0606b19486b78c6d0b8471e8368373ce5dc4a905b04d349894e042f3e559be7520445e5ebc37a72

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
448KB

MD5
f8c199b28efc1e379505b2f55cacd807

SHA1
3285b142059977db96d7f8d9ac0df24882e971f7

SHA256
0440a869acbbae2275d020e8d5679887e3fa7cc84e68fd04e733485cad5f8c3f

SHA512
ca8f08b311b72ab2c9bccc6935c2b434efc310054fd8436d1688ff53f99b6c8406a5e1a4b013e6e0cd96e72daae519822bae4ab00f5eda9ff41d1a7e8aee9b97

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe

Filesize
163KB

MD5
786c2d8ce06b87f7c459b4fa4de70b89

SHA1
cde6c7b0abab2d59d633f1f8bf6f59ac3e934ea7

SHA256
79e6707f186eb50ec64b5ecaa2daa058e3f5b6682997fb2c3375216615a316da

SHA512
978fc26d92308634bc218381bda58d62ee84c49b56e8e2b36bacaaf241c1e4a6a145f0705bf455496798d1b8868c9e71b537b524d466be4f976cc5e27d3059d4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Filesize
512KB

MD5
ef36f14b7580e328804af8263526c8cc

SHA1
7c61307fc8144be9d7f504ec4835110f1b46c81a

SHA256
086b2372315c5827a484bdda470b6628244aef83e180c7a343e9cd64945195cb

SHA512
2297117f630f60439d162f415f92cdffb9753108ddaf7630d938c270b6ff3b9cff7f72e7d9ebf70d1f009c6be0c6c0d3628f5ecde83fc107d5329387142dde33

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Filesize
192KB

MD5
f403bf899ef4610684e65327313e173e

SHA1
696abc22d44a98fdf7551c188b179c62ce907e80

SHA256
a118f937544fd64570dfdd0fe07b4f14e031ff21d44978ea98c47665439272c2

SHA512
8bc18acf2f450dc738a27d53f6eaca9a5c2cc0284b3abeb224f91c8f7e8383da271f4a206bfc26b7f710583fc83e1bc8add509fe325273a296cb5212c61204ce

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\zlib1.dll

Filesize
107KB

MD5
d490b6c224e332a706dd3cd210f32aa8

SHA1
1f0769e1fffddac3d14eb79f16508cb6cc272347

SHA256
da9185e45fdcbee17fcd9292979b20f32aa4c82bc2cb356b4c7278029e247557

SHA512
43ce8d4ee07d437aaca3f345af129ff5401f1f08b1292d1e320096ba41e2529f41ce9105e3901cb4ecb1e8fde12c9298819961b0e6896c69b62f5983df9b0da3

Download Submit
memory/764-158-0x0000000000980000-0x000000000098C000-memory.dmp

Filesize
48KB

Download
memory/764-1228-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/764-157-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/860-88-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/860-89-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/860-86-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/860-85-0x000007FEEDC60000-0x000007FEEE5FD000-memory.dmp

Filesize
9.6MB

Download
memory/860-84-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/860-87-0x000007FEEDC60000-0x000007FEEE5FD000-memory.dmp

Filesize
9.6MB

Download
memory/860-83-0x000000001B250000-0x000000001B532000-memory.dmp

Filesize
2.9MB

Download
memory/860-90-0x000007FEEDC60000-0x000007FEEE5FD000-memory.dmp

Filesize
9.6MB

Download
memory/1760-53-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/1760-68-0x000007FEEE600000-0x000007FEEEF9D000-memory.dmp

Filesize
9.6MB

Download
memory/1760-67-0x00000000029CB000-0x0000000002A32000-memory.dmp

Filesize
412KB

Download
memory/1760-52-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download
memory/1760-54-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/1760-60-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/1760-51-0x000007FEEE600000-0x000007FEEEF9D000-memory.dmp

Filesize
9.6MB

Download
memory/1760-55-0x000007FEEE600000-0x000007FEEEF9D000-memory.dmp

Filesize
9.6MB

Download
memory/1760-56-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2124-1299-0x00000000713F0000-0x00000000714D3000-memory.dmp

Filesize
908KB

Download
memory/2124-1765-0x0000000000AA0000-0x0000000000F01000-memory.dmp

Filesize
4.4MB

Download
memory/2124-1789-0x0000000000AA0000-0x0000000000F01000-memory.dmp

Filesize
4.4MB

Download
memory/2124-1779-0x0000000000AA0000-0x0000000000F01000-memory.dmp

Filesize
4.4MB

Download
memory/2124-1304-0x0000000074D80000-0x0000000074DA3000-memory.dmp

Filesize
140KB

Download
memory/2124-1772-0x0000000000AA0000-0x0000000000F01000-memory.dmp

Filesize
4.4MB

Download
memory/2124-1300-0x0000000074650000-0x00000000746A4000-memory.dmp

Filesize
336KB

Download
memory/2124-1303-0x0000000071020000-0x00000000710F3000-memory.dmp

Filesize
844KB

Download
memory/2124-1302-0x0000000071100000-0x00000000713ED000-memory.dmp

Filesize
2.9MB

Download
memory/2124-1301-0x0000000073D70000-0x0000000073E08000-memory.dmp

Filesize
608KB

Download
memory/2124-1754-0x0000000000AA0000-0x0000000000F01000-memory.dmp

Filesize
4.4MB

Download
memory/2124-1744-0x0000000000AA0000-0x0000000000F01000-memory.dmp

Filesize
4.4MB

Download
memory/2124-1298-0x0000000000AA0000-0x0000000000F01000-memory.dmp

Filesize
4.4MB

Download
memory/2124-1728-0x0000000000AA0000-0x0000000000F01000-memory.dmp

Filesize
4.4MB

Download
memory/2132-107-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2132-128-0x000007FEEE600000-0x000007FEEEF9D000-memory.dmp

Filesize
9.6MB

Download
memory/2132-122-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2132-110-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2132-109-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2132-108-0x000007FEEE600000-0x000007FEEEF9D000-memory.dmp

Filesize
9.6MB

Download
memory/2132-104-0x000000001B430000-0x000000001B712000-memory.dmp

Filesize
2.9MB

Download
memory/2132-106-0x000007FEEE600000-0x000007FEEEF9D000-memory.dmp

Filesize
9.6MB

Download
memory/2132-105-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2220-57-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2220-138-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2220-2-0x000000001D4C0000-0x000000001D540000-memory.dmp

Filesize
512KB

Download
memory/2220-0-0x000000013FB60000-0x0000000140B0E000-memory.dmp

Filesize
15.7MB

Download
memory/2220-76-0x000000001D4C0000-0x000000001D540000-memory.dmp

Filesize
512KB

Download
memory/2220-1-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2328-169-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2328-137-0x0000000001380000-0x000000000138C000-memory.dmp

Filesize
48KB

Download
memory/2328-136-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2432-1245-0x00000000004D0000-0x00000000005F3000-memory.dmp

Filesize
1.1MB

Download
memory/2432-1239-0x000007FFFFFD9000-0x000007FFFFFDA000-memory.dmp

Filesize
4KB

Download
memory/2432-1241-0x00000000004D0000-0x00000000005F3000-memory.dmp

Filesize
1.1MB

Download
memory/2432-1238-0x00000000004D0000-0x00000000005F3000-memory.dmp

Filesize
1.1MB

Download
memory/2436-37-0x000007FEEDC60000-0x000007FEEE5FD000-memory.dmp

Filesize
9.6MB

Download
memory/2436-35-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2436-36-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2436-30-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

Filesize
2.9MB

Download
memory/2436-34-0x000007FEEDC60000-0x000007FEEE5FD000-memory.dmp

Filesize
9.6MB

Download
memory/2436-33-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2436-32-0x000007FEEDC60000-0x000007FEEE5FD000-memory.dmp

Filesize
9.6MB

Download
memory/2436-31-0x00000000023E0000-0x00000000023E8000-memory.dmp

Filesize
32KB

Download
memory/2528-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2764-191-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2764-75-0x00000000012D0000-0x00000000012EC000-memory.dmp

Filesize
112KB

Download
memory/2764-77-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2764-91-0x000000001BB50000-0x000000001BBD0000-memory.dmp

Filesize
512KB

Download
memory/2764-797-0x000000001BB50000-0x000000001BBD0000-memory.dmp

Filesize
512KB

Download
memory/2980-193-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/2980-197-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/2980-192-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/2980-176-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/3040-8-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/3040-9-0x000007FEEE600000-0x000007FEEEF9D000-memory.dmp

Filesize
9.6MB

Download
memory/3040-14-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/3040-15-0x000007FEEE600000-0x000007FEEEF9D000-memory.dmp

Filesize
9.6MB

Download
memory/3040-10-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/3040-11-0x000007FEEE600000-0x000007FEEEF9D000-memory.dmp

Filesize
9.6MB

Download
memory/3040-7-0x000000001B390000-0x000000001B672000-memory.dmp

Filesize
2.9MB

Download
memory/3040-12-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/3040-13-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download