asyncrat | dffa9b80560b0d59cfce787ef033857edc141646a1496b0cf50a00b1a5b03078

Analysis

max time kernel
1800s
max time network
1802s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
10-08-2024 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CryptoFactory.exe
Size

6.0MB
MD5

606d9403c952670ed0566c1d1bce5dc8
SHA1

179b8c773a470d6e273808e8b25482810e90efcd
SHA256

dffa9b80560b0d59cfce787ef033857edc141646a1496b0cf50a00b1a5b03078
SHA512

ecbe8bf0eda38d1cb1cdecf03be58edb1f34b7cb3a17d60d98cabbc7b55429a1b3a69fbca380388f8e8f9de82620047c423464df8190dcc2211f795170c36299
SSDEEP

98304:H1GZtGOYln80EisK9yJND14r0Uhmkl1qa1Egu2Wh/X9Tm0OXcPwQESF/IKc6:+FqnPEZZzeJmkl1qHd2i/9TjElH8QKc

Score

10^/10

asyncrat redline default diamotrix defense_evasion discovery infostealer persistence pyinstaller ransomware rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

176.111.174.140:6606

176.111.174.140:7707

176.111.174.140:8808

Mutex

QaF6X2cpj8fc

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

diamotrix

176.111.174.140:1912

Extracted

Path

C:\HdbtqCuyh.README.txt

Ransom Note

[Your Files Have Been Encrypted] Hello, Your files have been encrypted with strong encryption algorithms. To regain access to your data, you need to follow the instructions below: Do Not Attempt to Recover Your Files: Any attempt to recover your files using third-party tools will result in permanent data loss. Pay the Ransom: You must pay a ransom of 1 Bitcoin to receive the decryption key. Payment must be made within 72 hours to avoid data loss. Contact Us on Telegram: To get the payment details and further instructions, contact us via Telegram at @BIBIL_0DAY. Decryption Key: After payment is confirmed, we will send you the decryption key and instructions on how to unlock your files. Warning: If you do not contact us or pay within the given timeframe, your data will be permanently lost. Do not attempt to contact us via any other means. We will not respond. Your encrypted files are your responsibility. Telegram Username: @BIBIL_0DAY

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/memory/3148-31814-0x0000000000520000-0x0000000000572000-memory.dmp	family_redline
behavioral1/files/0x000500000002ab0b-31807.dat	family_redline

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x02b400000002aaff-30958.dat	family_asyncrat

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	relog.exe

Executes dropped EXE 64 IoCs

pid	Process
4312	svchostwit.exe
2320	CryptoFactory.exe
1876	svchostwit.exe
4948	CryptoFactory.exe
2776	svchostwit.exe
1688	CryptoFactory.exe
2084	svchostwit.exe
1088	CryptoFactory.exe
1700	svchostwit.exe
232	CryptoFactory.exe
5020	svchostwit.exe
3068	CryptoFactory.exe
3820	svchostwit.exe
904	CryptoFactory.exe
5084	svchostwit.exe
1480	CryptoFactory.exe
768	svchostwit.exe
4448	CryptoFactory.exe
3468	svchostwit.exe
2768	CryptoFactory.exe
2812	svchostwit.exe
4308	CryptoFactory.exe
2356	svchostwit.exe
2968	CryptoFactory.exe
4292	svchostwit.exe
4472	CryptoFactory.exe
1384	svchostwit.exe
456	CryptoFactory.exe
2692	svchostwit.exe
1828	CryptoFactory.exe
4800	svchostwit.exe
3736	CryptoFactory.exe
3144	svchostwit.exe
3136	CryptoFactory.exe
2800	svchostwit.exe
1536	CryptoFactory.exe
4840	CryptoFactory.exe
4744	svchostwit.exe
224	CryptoFactory.exe
3040	svchostwit.exe
2436	svchostwit.exe
3752	CryptoFactory.exe
3928	svchostwit.exe
996	CryptoFactory.exe
1020	svchostwit.exe
3088	CryptoFactory.exe
2124	svchostwit.exe
3456	CryptoFactory.exe
4016	svchostwit.exe
2772	CryptoFactory.exe
1036	svchostwit.exe
1876	CryptoFactory.exe
5020	svchostwit.exe
2968	CryptoFactory.exe
1588	svchostwit.exe
3156	CryptoFactory.exe
4584	svchostwit.exe
3456	CryptoFactory.exe
2332	svchostwit.exe
916	CryptoFactory.exe
1480	svchostwit.exe
3412	CryptoFactory.exe
4516	svchostwit.exe
1636	CryptoFactory.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	svchostwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	svchostwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	svchostwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	svchostwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	svchostwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	svchostwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	svchostwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	svchostwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	svchostwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	svchostwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	svchostwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	svchostwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	svchostwit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{0BE445E7C5632545466276}\\{0BE445E7C5632545466276}.exe"	svchostwit.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 1876 set thread context of 3076	1876	svchostwit.exe	158
PID 2084 set thread context of 3460	2084	svchostwit.exe	223
PID 5020 set thread context of 884	5020	svchostwit.exe	1594
PID 2776 set thread context of 4472	2776	svchostwit.exe	1797
PID 4312 set thread context of 4300	4312	svchostwit.exe	1339
PID 1700 set thread context of 452	1700	svchostwit.exe	1613
PID 3820 set thread context of 1088	3820	svchostwit.exe	1114
PID 5084 set thread context of 2684	5084	svchostwit.exe	911
PID 3468 set thread context of 2228	3468	svchostwit.exe	2157
PID 2692 set thread context of 960	2692	svchostwit.exe	827
PID 768 set thread context of 4768	768	svchostwit.exe	730
PID 1384 set thread context of 4548	1384	svchostwit.exe	2703
PID 2812 set thread context of 3460	2812	svchostwit.exe	223
PID 2356 set thread context of 684	2356	svchostwit.exe	2619
PID 4292 set thread context of 4960	4292	svchostwit.exe	1107
PID 3144 set thread context of 952	3144	svchostwit.exe	1373
PID 2800 set thread context of 4596	2800	svchostwit.exe	1042
PID 4800 set thread context of 5096	4800	svchostwit.exe	3603
PID 4016 set thread context of 1500	4016	svchostwit.exe	3847
PID 4744 set thread context of 4808	4744	svchostwit.exe	878
PID 1020 set thread context of 676	1020	svchostwit.exe	3488
PID 3040 set thread context of 3740	3040	svchostwit.exe	3652
PID 2436 set thread context of 2004	2436	svchostwit.exe	285
PID 2124 set thread context of 2212	2124	svchostwit.exe	4081
PID 1036 set thread context of 992	1036	svchostwit.exe	3722
PID 5020 set thread context of 1184	5020	svchostwit.exe	3140
PID 3928 set thread context of 2340	3928	svchostwit.exe	3909
PID 4584 set thread context of 2980	4584	svchostwit.exe	4258
PID 2960 set thread context of 396	2960	svchostwit.exe	4382
PID 1480 set thread context of 2464	1480	svchostwit.exe	3680
PID 1588 set thread context of 4932	1588	svchostwit.exe	2983
PID 2332 set thread context of 1312	2332	svchostwit.exe	3200
PID 3408 set thread context of 1768	3408	svchostwit.exe	537
PID 4516 set thread context of 1512	4516	svchostwit.exe	4484
PID 1880 set thread context of 1580	1880	svchostwit.exe	4732
PID 2288 set thread context of 1364	2288	svchostwit.exe	4750
PID 1300 set thread context of 4768	1300	svchostwit.exe	4722
PID 4740 set thread context of 596	4740	svchostwit.exe	1057
PID 5024 set thread context of 4472	5024	svchostwit.exe	2376
PID 980 set thread context of 4940	980	svchostwit.exe	5002
PID 4712 set thread context of 2948	4712	svchostwit.exe	4939
PID 2424 set thread context of 2292	2424	svchostwit.exe	648
PID 4544 set thread context of 3680	4544	svchostwit.exe	4667
PID 4840 set thread context of 2240	4840	svchostwit.exe	4626
PID 2084 set thread context of 4368	2084	svchostwit.exe	4865
PID 3920 set thread context of 1616	3920	svchostwit.exe	4356
PID 2188 set thread context of 2216	2188	svchostwit.exe	4498
PID 1060 set thread context of 2540	1060	svchostwit.exe	5201
PID 3356 set thread context of 3408	3356	svchostwit.exe	390
PID 4952 set thread context of 3136	4952	svchostwit.exe	5098
PID 884 set thread context of 4544	884	svchostwit.exe	4556
PID 3600 set thread context of 2424	3600	svchostwit.exe	4176
PID 3088 set thread context of 1588	3088	svchostwit.exe	5539
PID 4324 set thread context of 2052	4324	svchostwit.exe	411
PID 3740 set thread context of 532	3740	svchostwit.exe	5433
PID 2960 set thread context of 3196	2960	svchostwit.exe	1079
PID 1828 set thread context of 1396	1828	svchostwit.exe	5796
PID 1036 set thread context of 1576	1036	svchostwit.exe	5101
PID 1184 set thread context of 4952	1184	svchostwit.exe	1245
PID 2640 set thread context of 2232	2640	svchostwit.exe	4447
PID 1880 set thread context of 2544	1880	svchostwit.exe	1157
PID 552 set thread context of 1588	552	svchostwit.exe	5539
PID 1684 set thread context of 2944	1684	svchostwit.exe	886
PID 4048 set thread context of 1080	4048	svchostwit.exe	1236

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x049e00000002aafc-30874.dat	pyinstaller

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoFactory.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoFactory.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoFactory.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoFactory.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoFactory.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoFactory.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoFactory.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoFactory.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoFactory.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoFactory.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoFactory.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoFactory.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoFactory.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4728	Process not Found
5312	Process not Found

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
404	Process not Found
2216	Process not Found
5148	Process not Found
3884	Process not Found
4368	Process not Found
5328	Process not Found
1500	Process not Found
1968	Process not Found
1460	Process not Found
1556	Process not Found
6004	Process not Found
4924	Process not Found
1904	Process not Found
2464	Process not Found
5636	Process not Found
2956	Process not Found
5892	Process not Found
4780	Process not Found
4536	Process not Found
4120	Process not Found
2876	Process not Found
1396	Process not Found
1416	Process not Found
884	Process not Found
4716	Process not Found
2540	Process not Found
5800	Process not Found
2032	Process not Found
2960	Process not Found
2376	schtasks.exe
3472	Process not Found
1160	Process not Found
3488	Process not Found
5028	Process not Found
2432	Process not Found
3356	Process not Found
8	Process not Found
1000	Process not Found
1408	Process not Found
568	Process not Found
3036	Process not Found
3176	Process not Found
3940	Process not Found
4336	Process not Found
680	Process not Found
6064	Process not Found
2408	Process not Found
5152	Process not Found
3960	Process not Found
5612	Process not Found
2288	Process not Found
948	Process not Found
6028	Process not Found
5752	Process not Found
3320	Process not Found
5728	Process not Found
5680	Process not Found
4588	Process not Found
5424	Process not Found
2544	Process not Found
5212	Process not Found
3456	Process not Found
2864	Process not Found
6080	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe
3076	relog.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3280	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4312	svchostwit.exe
Token: SeSecurityPrivilege	4312	svchostwit.exe
Token: SeTakeOwnershipPrivilege	4312	svchostwit.exe
Token: SeLoadDriverPrivilege	4312	svchostwit.exe
Token: SeSystemProfilePrivilege	4312	svchostwit.exe
Token: SeSystemtimePrivilege	4312	svchostwit.exe
Token: SeProfSingleProcessPrivilege	4312	svchostwit.exe
Token: SeIncBasePriorityPrivilege	4312	svchostwit.exe
Token: SeCreatePagefilePrivilege	4312	svchostwit.exe
Token: SeBackupPrivilege	4312	svchostwit.exe
Token: SeRestorePrivilege	4312	svchostwit.exe
Token: SeShutdownPrivilege	4312	svchostwit.exe
Token: SeDebugPrivilege	4312	svchostwit.exe
Token: SeSystemEnvironmentPrivilege	4312	svchostwit.exe
Token: SeRemoteShutdownPrivilege	4312	svchostwit.exe
Token: SeUndockPrivilege	4312	svchostwit.exe
Token: SeManageVolumePrivilege	4312	svchostwit.exe
Token: 33	4312	svchostwit.exe
Token: 34	4312	svchostwit.exe
Token: 35	4312	svchostwit.exe
Token: 36	4312	svchostwit.exe
Token: SeIncreaseQuotaPrivilege	1876	svchostwit.exe
Token: SeSecurityPrivilege	1876	svchostwit.exe
Token: SeTakeOwnershipPrivilege	1876	svchostwit.exe
Token: SeLoadDriverPrivilege	1876	svchostwit.exe
Token: SeSystemProfilePrivilege	1876	svchostwit.exe
Token: SeSystemtimePrivilege	1876	svchostwit.exe
Token: SeProfSingleProcessPrivilege	1876	svchostwit.exe
Token: SeIncBasePriorityPrivilege	1876	svchostwit.exe
Token: SeCreatePagefilePrivilege	1876	svchostwit.exe
Token: SeBackupPrivilege	1876	svchostwit.exe
Token: SeRestorePrivilege	1876	svchostwit.exe
Token: SeShutdownPrivilege	1876	svchostwit.exe
Token: SeDebugPrivilege	1876	svchostwit.exe
Token: SeSystemEnvironmentPrivilege	1876	svchostwit.exe
Token: SeRemoteShutdownPrivilege	1876	svchostwit.exe
Token: SeUndockPrivilege	1876	svchostwit.exe
Token: SeManageVolumePrivilege	1876	svchostwit.exe
Token: 33	1876	svchostwit.exe
Token: 34	1876	svchostwit.exe
Token: 35	1876	svchostwit.exe
Token: 36	1876	svchostwit.exe
Token: SeIncreaseQuotaPrivilege	2776	svchostwit.exe
Token: SeSecurityPrivilege	2776	svchostwit.exe
Token: SeTakeOwnershipPrivilege	2776	svchostwit.exe
Token: SeLoadDriverPrivilege	2776	svchostwit.exe
Token: SeSystemProfilePrivilege	2776	svchostwit.exe
Token: SeSystemtimePrivilege	2776	svchostwit.exe
Token: SeProfSingleProcessPrivilege	2776	svchostwit.exe
Token: SeIncBasePriorityPrivilege	2776	svchostwit.exe
Token: SeCreatePagefilePrivilege	2776	svchostwit.exe
Token: SeBackupPrivilege	2776	svchostwit.exe
Token: SeRestorePrivilege	2776	svchostwit.exe
Token: SeShutdownPrivilege	2776	svchostwit.exe
Token: SeDebugPrivilege	2776	svchostwit.exe
Token: SeSystemEnvironmentPrivilege	2776	svchostwit.exe
Token: SeRemoteShutdownPrivilege	2776	svchostwit.exe
Token: SeUndockPrivilege	2776	svchostwit.exe
Token: SeManageVolumePrivilege	2776	svchostwit.exe
Token: 33	2776	svchostwit.exe
Token: 34	2776	svchostwit.exe
Token: 35	2776	svchostwit.exe
Token: 36	2776	svchostwit.exe
Token: SeIncreaseQuotaPrivilege	2084	svchostwit.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3280	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 4312	3512	CryptoFactory.exe	199
PID 3512 wrote to memory of 4312	3512	CryptoFactory.exe	199
PID 3512 wrote to memory of 2320	3512	CryptoFactory.exe	83
PID 3512 wrote to memory of 2320	3512	CryptoFactory.exe	83
PID 3512 wrote to memory of 2320	3512	CryptoFactory.exe	83
PID 4312 wrote to memory of 992	4312	svchostwit.exe	287
PID 4312 wrote to memory of 992	4312	svchostwit.exe	287
PID 2320 wrote to memory of 1876	2320	CryptoFactory.exe	188
PID 2320 wrote to memory of 1876	2320	CryptoFactory.exe	188
PID 2320 wrote to memory of 4948	2320	CryptoFactory.exe	86
PID 2320 wrote to memory of 4948	2320	CryptoFactory.exe	86
PID 2320 wrote to memory of 4948	2320	CryptoFactory.exe	86
PID 1876 wrote to memory of 4580	1876	svchostwit.exe	352
PID 1876 wrote to memory of 4580	1876	svchostwit.exe	352
PID 4948 wrote to memory of 2776	4948	CryptoFactory.exe	89
PID 4948 wrote to memory of 2776	4948	CryptoFactory.exe	89
PID 4948 wrote to memory of 1688	4948	CryptoFactory.exe	371
PID 4948 wrote to memory of 1688	4948	CryptoFactory.exe	371
PID 4948 wrote to memory of 1688	4948	CryptoFactory.exe	371
PID 2776 wrote to memory of 2916	2776	svchostwit.exe	92
PID 2776 wrote to memory of 2916	2776	svchostwit.exe	92
PID 1688 wrote to memory of 2084	1688	CryptoFactory.exe	412
PID 1688 wrote to memory of 2084	1688	CryptoFactory.exe	412
PID 1688 wrote to memory of 1088	1688	CryptoFactory.exe	189
PID 1688 wrote to memory of 1088	1688	CryptoFactory.exe	189
PID 1688 wrote to memory of 1088	1688	CryptoFactory.exe	189
PID 1088 wrote to memory of 1700	1088	CryptoFactory.exe	95
PID 1088 wrote to memory of 1700	1088	CryptoFactory.exe	95
PID 1088 wrote to memory of 232	1088	CryptoFactory.exe	96
PID 1088 wrote to memory of 232	1088	CryptoFactory.exe	96
PID 1088 wrote to memory of 232	1088	CryptoFactory.exe	96
PID 2084 wrote to memory of 884	2084	svchostwit.exe	319
PID 2084 wrote to memory of 884	2084	svchostwit.exe	319
PID 1700 wrote to memory of 2912	1700	svchostwit.exe	99
PID 1700 wrote to memory of 2912	1700	svchostwit.exe	99
PID 232 wrote to memory of 5020	232	CryptoFactory.exe	192
PID 232 wrote to memory of 5020	232	CryptoFactory.exe	192
PID 232 wrote to memory of 3068	232	CryptoFactory.exe	500
PID 232 wrote to memory of 3068	232	CryptoFactory.exe	500
PID 232 wrote to memory of 3068	232	CryptoFactory.exe	500
PID 5020 wrote to memory of 3088	5020	svchostwit.exe	323
PID 5020 wrote to memory of 3088	5020	svchostwit.exe	323
PID 3068 wrote to memory of 3820	3068	CryptoFactory.exe	546
PID 3068 wrote to memory of 3820	3068	CryptoFactory.exe	546
PID 3068 wrote to memory of 904	3068	CryptoFactory.exe	625
PID 3068 wrote to memory of 904	3068	CryptoFactory.exe	625
PID 3068 wrote to memory of 904	3068	CryptoFactory.exe	625
PID 3820 wrote to memory of 944	3820	svchostwit.exe	383
PID 3820 wrote to memory of 944	3820	svchostwit.exe	383
PID 904 wrote to memory of 5084	904	CryptoFactory.exe	109
PID 904 wrote to memory of 5084	904	CryptoFactory.exe	109
PID 904 wrote to memory of 1480	904	CryptoFactory.exe	211
PID 904 wrote to memory of 1480	904	CryptoFactory.exe	211
PID 904 wrote to memory of 1480	904	CryptoFactory.exe	211
PID 5084 wrote to memory of 228	5084	svchostwit.exe	547
PID 5084 wrote to memory of 228	5084	svchostwit.exe	547
PID 1480 wrote to memory of 768	1480	CryptoFactory.exe	458
PID 1480 wrote to memory of 768	1480	CryptoFactory.exe	458
PID 1480 wrote to memory of 4448	1480	CryptoFactory.exe	611
PID 1480 wrote to memory of 4448	1480	CryptoFactory.exe	611
PID 1480 wrote to memory of 4448	1480	CryptoFactory.exe	611
PID 768 wrote to memory of 1512	768	svchostwit.exe	363
PID 768 wrote to memory of 1512	768	svchostwit.exe	363
PID 4448 wrote to memory of 3468	4448	CryptoFactory.exe	895

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
PID:3280
- C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
  "C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Users\Admin\AppData\Roaming\svchostwit.exe
    "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
      4⤵
      PID:992
  - - C:\Windows\system32\relog.exe
      C:\Windows\system32\relog.exe
      4⤵
      PID:4300
- - C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
    "CryptoFactory.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Users\Admin\AppData\Roaming\svchostwit.exe
      "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1876
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        5⤵
        
        PID:4580
    - - C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        5⤵
        Drops file in Drivers directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3076
  - - C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
      "CryptoFactory.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4948
    - - C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        6⤵
        
        PID:2916
      - C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        6⤵
        
        PID:4472
    - - C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1688
      - C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        7⤵
        
        PID:884
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        7⤵
        
        PID:3460
      - C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        8⤵
        
        PID:2912
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        8⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        9⤵
        
        PID:3088
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        9⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        10⤵
        
        PID:944
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        10⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        11⤵
        
        PID:228
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        11⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        12⤵
        
        PID:1512
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        12⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3468
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        13⤵
        
        PID:2212
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        13⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        12⤵
        Executes dropped EXE
        
        PID:2768
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2812
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        14⤵
        
        PID:4344
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        14⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        13⤵
        Executes dropped EXE
        
        PID:4308
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2356
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        15⤵
        
        PID:2072
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        15⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        14⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4292
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        16⤵
        
        PID:2360
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        16⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        15⤵
        Executes dropped EXE
        
        PID:4472
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1384
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        17⤵
        
        PID:2596
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        17⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        16⤵
        Executes dropped EXE
        
        PID:456
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2692
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        18⤵
        
        PID:3216
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        18⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        17⤵
        Executes dropped EXE
        
        PID:1828
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4800
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        19⤵
        
        PID:3232
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        19⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3144
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        20⤵
        
        PID:3964
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        20⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        19⤵
        Executes dropped EXE
        
        PID:3136
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2800
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        21⤵
        
        PID:764
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        21⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        20⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4744
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        22⤵
        
        PID:4308
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        22⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        21⤵
        Executes dropped EXE
        
        PID:4840
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3040
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        23⤵
        
        PID:1424
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        23⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        22⤵
        Executes dropped EXE
        
        PID:224
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2436
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        24⤵
        
        PID:568
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        24⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        23⤵
        Executes dropped EXE
        
        PID:3752
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3928
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        25⤵
        
        PID:1224
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        25⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        24⤵
        Executes dropped EXE
        
        PID:996
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1020
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        26⤵
        
        PID:1556
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        26⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        25⤵
        Executes dropped EXE
        
        PID:3088
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2124
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        27⤵
        
        PID:2052
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        27⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        26⤵
        Executes dropped EXE
        
        PID:3456
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4016
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        28⤵
        
        PID:3560
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        28⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        27⤵
        Executes dropped EXE
        
        PID:2772
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1036
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        29⤵
        
        PID:1844
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        29⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        28⤵
        Executes dropped EXE
        
        PID:1876
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5020
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        30⤵
        
        PID:4472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:4312
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        30⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        29⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1588
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        31⤵
        
        PID:392
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        31⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        30⤵
        Executes dropped EXE
        
        PID:3156
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4584
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        32⤵
        
        PID:2772
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        32⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        31⤵
        Executes dropped EXE
        
        PID:3456
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2332
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        33⤵
        
        PID:4032
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        33⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        32⤵
        Executes dropped EXE
        
        PID:916
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        33⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1480
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        34⤵
        
        PID:460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:4344
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        34⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        33⤵
        Executes dropped EXE
        
        PID:3412
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4516
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        35⤵
        
        PID:4300
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        35⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        34⤵
        Executes dropped EXE
        
        PID:1636
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        35⤵
        Suspicious use of SetThreadContext
        
        PID:3408
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        36⤵
        
        PID:3088
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        36⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        36⤵
        Suspicious use of SetThreadContext
        
        PID:1880
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        37⤵
        
        PID:3404
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        37⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        36⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        37⤵
        Suspicious use of SetThreadContext
        
        PID:2288
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        38⤵
        
        PID:1392
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        38⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        37⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        38⤵
        Suspicious use of SetThreadContext
        
        PID:4740
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        39⤵
        
        PID:3416
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        39⤵
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        38⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        39⤵
        Suspicious use of SetThreadContext
        
        PID:2960
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "" /sc onstart /f
        40⤵
        
        PID:3456
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        40⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        39⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        40⤵
        Suspicious use of SetThreadContext
        
        PID:1300
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        41⤵
        
        PID:4548
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        41⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        40⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        41⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4712
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        42⤵
        
        PID:4048
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        42⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        41⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        42⤵
        Suspicious use of SetThreadContext
        
        PID:2424
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        43⤵
        
        PID:4092
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        43⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        42⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        43⤵
        Suspicious use of SetThreadContext
        
        PID:5024
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        44⤵
        
        PID:764
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        44⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        43⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        44⤵
        Suspicious use of SetThreadContext
        
        PID:980
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        45⤵
        
        PID:3604
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        45⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        44⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        45⤵
        Suspicious use of SetThreadContext
        
        PID:2084
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        46⤵
        
        PID:552
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        46⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        45⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        46⤵
        Suspicious use of SetThreadContext
        
        PID:4544
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        47⤵
        
        PID:3144
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        47⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        46⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        47⤵
        Suspicious use of SetThreadContext
        
        PID:4840
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        48⤵
        
        PID:2112
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        48⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        47⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        48⤵
        Suspicious use of SetThreadContext
        
        PID:3920
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        49⤵
        
        PID:1080
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        49⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        48⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        49⤵
        Suspicious use of SetThreadContext
        
        PID:3356
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        50⤵
        
        PID:2032
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        50⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        49⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        50⤵
        Suspicious use of SetThreadContext
        
        PID:2188
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        51⤵
        
        PID:904
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        51⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        50⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        51⤵
        Suspicious use of SetThreadContext
        
        PID:1060
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        52⤵
        
        PID:3344
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        52⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        51⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        52⤵
        Suspicious use of SetThreadContext
        
        PID:4324
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        53⤵
        
        PID:2044
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        53⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        52⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        53⤵
        Suspicious use of SetThreadContext
        
        PID:4952
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        54⤵
        
        PID:3292
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        54⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        54⤵
        Suspicious use of SetThreadContext
        
        PID:884
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        55⤵
        
        PID:824
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        55⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        54⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        55⤵
        Suspicious use of SetThreadContext
        
        PID:3088
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        56⤵
        
        PID:3472
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        56⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        55⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        56⤵
        Suspicious use of SetThreadContext
        
        PID:3740
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        57⤵
        
        PID:3456
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        57⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        56⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        57⤵
        Suspicious use of SetThreadContext
        
        PID:3600
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        58⤵
        
        PID:2228
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        58⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        57⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        58⤵
        Suspicious use of SetThreadContext
        
        PID:2960
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        59⤵
        
        PID:2524
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        59⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        58⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        59⤵
        Suspicious use of SetThreadContext
        
        PID:1036
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        60⤵
        
        PID:4292
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        60⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        59⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        60⤵
        Suspicious use of SetThreadContext
        
        PID:1828
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        61⤵
        
        PID:4580
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        61⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        60⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        61⤵
        Suspicious use of SetThreadContext
        
        PID:2640
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        62⤵
        
        PID:948
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        62⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        61⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        62⤵
        Suspicious use of SetThreadContext
        
        PID:1184
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        63⤵
        
        PID:1580
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        63⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        62⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        63⤵
        Suspicious use of SetThreadContext
        
        PID:1880
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        64⤵
        
        PID:1688
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        64⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        63⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        64⤵
        Suspicious use of SetThreadContext
        
        PID:4048
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        65⤵
        
        PID:1624
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        65⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        64⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        65⤵
        Suspicious use of SetThreadContext
        
        PID:1684
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        66⤵
        
        PID:4536
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        66⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        65⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        66⤵
        Suspicious use of SetThreadContext
        
        PID:552
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        67⤵
        
        PID:4708
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        67⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        66⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        67⤵
        
        PID:944
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        68⤵
        
        PID:1052
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        68⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        67⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        68⤵
        
        PID:1844
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        69⤵
        
        PID:4996
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        69⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        69⤵
        
        PID:4772
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        70⤵
        
        PID:4556
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        70⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        69⤵
        
        PID:352
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        70⤵
        
        PID:1272
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        71⤵
        
        PID:3096
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        71⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        70⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        71⤵
        
        PID:1020
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        72⤵
        
        PID:2084
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        72⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        71⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        72⤵
        Adds Run key to start application
        
        PID:2736
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        73⤵
        
        PID:5032
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        73⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        72⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        73⤵
        
        PID:2248
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        74⤵
        
        PID:3964
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        74⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        73⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        74⤵
        
        PID:3568
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        75⤵
        
        PID:2216
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        75⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        74⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        75⤵
        
        PID:3928
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        76⤵
        
        PID:2044
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        76⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        75⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        76⤵
        Adds Run key to start application
        
        PID:1540
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        77⤵
        
        PID:2540
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        77⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        76⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        77⤵
        
        PID:3124
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        78⤵
        
        PID:1240
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        78⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        77⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        78⤵
        
        PID:4540
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        79⤵
        
        PID:2376
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        79⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        78⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        79⤵
        
        PID:1044
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        80⤵
        
        PID:1752
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        80⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        79⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        80⤵
        
        PID:4324
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        81⤵
        
        PID:3864
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        81⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        80⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        81⤵
        Adds Run key to start application
        
        PID:4292
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        82⤵
        
        PID:4112
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        82⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        81⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        82⤵
        
        PID:2900
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        83⤵
        
        PID:4948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        84⤵
        
        PID:2436
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        83⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        82⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        83⤵
        
        PID:1688
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        84⤵
        
        PID:460
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        84⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        83⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        84⤵
        
        PID:4536
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        85⤵
        
        PID:1036
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        85⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        84⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        85⤵
        
        PID:3344
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        86⤵
        
        PID:2424
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        86⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        85⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        86⤵
        
        PID:4768
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        87⤵
        
        PID:4952
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        87⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        86⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        87⤵
        
        PID:1880
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        88⤵
        
        PID:3216
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        88⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        87⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        88⤵
        
        PID:2312
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        89⤵
        
        PID:1536
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        89⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        88⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        89⤵
        Adds Run key to start application
        
        PID:3068
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        90⤵
        
        PID:1372
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        90⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        89⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        90⤵
        
        PID:396
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        91⤵
        
        PID:4580
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        91⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        90⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        91⤵
        
        PID:980
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        92⤵
        
        PID:1364
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        92⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        91⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        92⤵
        
        PID:1488
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        93⤵
        
        PID:4068
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        93⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        92⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        93⤵
        
        PID:3512
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        94⤵
        
        PID:452
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        94⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        93⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        94⤵
        
        PID:1368
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        95⤵
        
        PID:1860
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        95⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        94⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        95⤵
        
        PID:2524
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        96⤵
        
        PID:2360
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        96⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        95⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        96⤵
        Adds Run key to start application
        
        PID:4904
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        97⤵
        
        PID:3568
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        97⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        96⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        97⤵
        
        PID:2256
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        98⤵
        
        PID:2772
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        98⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        97⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        98⤵
        
        PID:2736
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        99⤵
        
        PID:228
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        99⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        98⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        99⤵
        
        PID:400
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        100⤵
        
        PID:1080
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        100⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        99⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        100⤵
        
        PID:3564
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        101⤵
        
        PID:3184
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        101⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        100⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        101⤵
        
        PID:4596
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        102⤵
        
        PID:3804
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        102⤵
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        101⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        102⤵
        
        PID:4136
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        103⤵
        
        PID:4404
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        103⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        102⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        103⤵
        
        PID:1300
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        104⤵
        
        PID:1580
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        104⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        103⤵
        
        PID:480
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        104⤵
        
        PID:4740
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        105⤵
        
        PID:1464
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        105⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        104⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        105⤵
        
        PID:1324
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        106⤵
        
        PID:3140
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        106⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        105⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        106⤵
        
        PID:2968
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        107⤵
        
        PID:2340
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        107⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        106⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        107⤵
        
        PID:3196
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        108⤵
        
        PID:4292
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        108⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        107⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        108⤵
        
        PID:4516
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        109⤵
        
        PID:4072
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        109⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        108⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        109⤵
        
        PID:4160
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        110⤵
        
        PID:2228
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        110⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        109⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        110⤵
        
        PID:3416
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        111⤵
        
        PID:1208
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        111⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        110⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        111⤵
        Adds Run key to start application
        
        PID:1536
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        112⤵
        
        PID:2464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:4448
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        112⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        111⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        112⤵
        
        PID:4816
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        113⤵
        
        PID:2112
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        113⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        112⤵
        
        PID:484
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        113⤵
        
        PID:2860
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        114⤵
        
        PID:1460
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        114⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        113⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        114⤵
        
        PID:1364
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        115⤵
        
        PID:824
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        115⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        114⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        115⤵
        
        PID:3680
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        116⤵
        
        PID:2308
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        116⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        115⤵
        
        PID:340
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        116⤵
        
        PID:904
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        117⤵
        
        PID:1860
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        117⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        116⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        117⤵
        
        PID:2032
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        118⤵
        
        PID:4808
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        118⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        117⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        118⤵
        
        PID:4544
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        119⤵
        
        PID:2488
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        119⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        118⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        119⤵
        
        PID:396
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        120⤵
        
        PID:4724
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        120⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:132
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        120⤵
        
        PID:3168
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        121⤵
        
        PID:2292
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        121⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        120⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        121⤵
        
        PID:1036
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        122⤵
        
        PID:2232
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        122⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        121⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        122⤵
        
        PID:4904
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        123⤵
        
        PID:4840
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        123⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        122⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        123⤵
        
        PID:3736
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        124⤵
        
        PID:4696
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        124⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        123⤵
        
        PID:484
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        124⤵
        
        PID:2960
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        125⤵
        
        PID:916
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        125⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        124⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        125⤵
        
        PID:4960
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        126⤵
        
        PID:4812
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        126⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        125⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        126⤵
        
        PID:132
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        127⤵
        
        PID:2528
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        127⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        126⤵
        
        PID:480
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        127⤵
        
        PID:844
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        128⤵
        
        PID:400
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        128⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        127⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        128⤵
        
        PID:1876
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        129⤵
        
        PID:1796
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        129⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        128⤵
        
        PID:352
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        129⤵
        
        PID:460
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        130⤵
        
        PID:3124
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        130⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        129⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        130⤵
        
        PID:2484
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        131⤵
        
        PID:2524
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        131⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        130⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        131⤵
        
        PID:2420
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        132⤵
        
        PID:3040
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        132⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        131⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        132⤵
        
        PID:3312
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        133⤵
        
        PID:1752
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        133⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        132⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        133⤵
        
        PID:1540
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        134⤵
        
        PID:2968
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        134⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        133⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        134⤵
        
        PID:2256
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        135⤵
        
        PID:784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        136⤵
        
        PID:4768
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        135⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        134⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        135⤵
        
        PID:1080
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        136⤵
        
        PID:4744
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        136⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        135⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        136⤵
        
        PID:3216
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        137⤵
        
        PID:568
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        137⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        136⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        137⤵
        
        PID:5032
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        138⤵
        
        PID:944
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        138⤵
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        137⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        138⤵
        
        PID:2664
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        139⤵
        
        PID:1724
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        139⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        138⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        139⤵
        
        PID:2288
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        140⤵
        
        PID:1500
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        140⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        139⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        140⤵
        
        PID:676
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        141⤵
        
        PID:1584
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        141⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        140⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        141⤵
        
        PID:1912
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        142⤵
        
        PID:3356
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        142⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        142⤵
        
        PID:2240
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        143⤵
        
        PID:3348
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        143⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        142⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        143⤵
        
        PID:4384
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        144⤵
        
        PID:5084
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        144⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        143⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        144⤵
        
        PID:1908
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        145⤵
        
        PID:396
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        145⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        144⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        145⤵
        
        PID:916
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        146⤵
        
        PID:3468
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        146⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        145⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        146⤵
        
        PID:532
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        147⤵
        
        PID:4712
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        147⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        147⤵
        
        PID:2104
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        148⤵
        
        PID:5100
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        148⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        147⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        148⤵
        
        PID:3600
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        149⤵
        
        PID:1796
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        149⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        148⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        149⤵
        
        PID:3928
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        150⤵
        
        PID:948
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        150⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        149⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        150⤵
        
        PID:4716
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        151⤵
        
        PID:4136
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        151⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        150⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        151⤵
        
        PID:740
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        152⤵
        
        PID:4544
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        152⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        151⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        152⤵
        
        PID:3484
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        153⤵
        
        PID:2584
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        153⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        152⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        153⤵
        
        PID:224
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        154⤵
        
        PID:3136
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        154⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        154⤵
        
        PID:3040
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        155⤵
        
        PID:3096
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        155⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        154⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        155⤵
        Adds Run key to start application
        
        PID:4000
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        156⤵
        
        PID:1880
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        156⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        155⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        156⤵
        
        PID:5096
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        157⤵
        
        PID:552
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        157⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        156⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        157⤵
        
        PID:2644
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        158⤵
        
        PID:1424
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        158⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        157⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        158⤵
        
        PID:4900
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        159⤵
        
        PID:568
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        159⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        159⤵
        
        PID:2332
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        160⤵
        
        PID:420
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        160⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        159⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        160⤵
        
        PID:4324
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        161⤵
        
        PID:1272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        162⤵
        
        PID:4800
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        161⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        160⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        161⤵
        
        PID:1884
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        162⤵
        
        PID:1620
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        162⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        161⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        162⤵
        
        PID:2532
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        163⤵
        
        PID:2960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        164⤵
        
        PID:3356
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        163⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        162⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        163⤵
        
        PID:4160
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        164⤵
        
        PID:4804
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        164⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        163⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        164⤵
        Adds Run key to start application
        
        PID:4308
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        165⤵
        
        PID:4960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        166⤵
        
        PID:1384
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        165⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        164⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        165⤵
        
        PID:1208
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        166⤵
        
        PID:2116
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        166⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        165⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        166⤵
        
        PID:4348
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        167⤵
        
        PID:4808
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        167⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        166⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        167⤵
        
        PID:824
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        168⤵
        
        PID:2716
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        168⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        167⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        168⤵
        Adds Run key to start application
        
        PID:1536
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        169⤵
        
        PID:1052
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        169⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        168⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        169⤵
        
        PID:2944
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        170⤵
        
        PID:2664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:2768
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        170⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        169⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        170⤵
        
        PID:2900
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        171⤵
        
        PID:2692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        172⤵
        
        PID:3404
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        171⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        170⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        171⤵
        
        PID:2320
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        172⤵
        
        PID:3184
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        172⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        171⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        172⤵
        
        PID:4368
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        173⤵
        
        PID:2684
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        173⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        172⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        173⤵
        
        PID:4072
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        174⤵
        
        PID:784
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        174⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        174⤵
        
        PID:4516
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        175⤵
        
        PID:740
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        175⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        174⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        175⤵
        
        PID:4816
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        176⤵
        
        PID:4704
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        176⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        175⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        176⤵
        
        PID:3456
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        177⤵
        
        PID:4692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        178⤵
        
        PID:4948
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        177⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        176⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        177⤵
        
        PID:2824
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        178⤵
        
        PID:1372
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        178⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        177⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        178⤵
        
        PID:2104
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        179⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2376
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        179⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        178⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        179⤵
        
        PID:3412
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        180⤵
        
        PID:2524
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        180⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        179⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        180⤵
        
        PID:4572
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        181⤵
        
        PID:2212
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        181⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        180⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        181⤵
        Adds Run key to start application
        
        PID:1636
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        182⤵
        
        PID:1584
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        182⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        181⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        182⤵
        
        PID:1220
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        183⤵
        
        PID:980
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        183⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        182⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        183⤵
        
        PID:3400
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        184⤵
        
        PID:1100
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        184⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        183⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        184⤵
        
        PID:1956
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        185⤵
        
        PID:3384
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        185⤵
        
        PID:352
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        184⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        185⤵
        
        PID:4804
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        186⤵
        
        PID:1184
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        186⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        185⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        186⤵
        
        PID:4016
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        187⤵
        
        PID:1368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        188⤵
        
        PID:3864
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        187⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        186⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        187⤵
        
        PID:4868
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        188⤵
        
        PID:4308
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        188⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        187⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        188⤵
        
        PID:904
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        189⤵
        
        PID:1828
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        189⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        188⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        189⤵
        
        PID:3124
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        190⤵
        
        PID:3928
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        190⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        189⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        190⤵
        
        PID:3428
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        191⤵
        
        PID:228
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        191⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        190⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        191⤵
        
        PID:3536
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        192⤵
        
        PID:3468
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        192⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        191⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        192⤵
        
        PID:2332
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        193⤵
        
        PID:2420
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        193⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        192⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        193⤵
        
        PID:2532
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        194⤵
        
        PID:2032
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        194⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        193⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        194⤵
        
        PID:3820
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        195⤵
        
        PID:2248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        196⤵
        
        PID:3360
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        195⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        194⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        195⤵
        
        PID:2544
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        196⤵
        
        PID:1396
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        196⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        195⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        196⤵
        
        PID:3484
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        197⤵
        
        PID:1688
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        197⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        196⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        197⤵
        
        PID:4060
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        198⤵
        
        PID:1876
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        198⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        197⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        198⤵
        
        PID:400
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        199⤵
        
        PID:5096
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        199⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        198⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        199⤵
        
        PID:4756
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        200⤵
        
        PID:2308
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        200⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        199⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        200⤵
        
        PID:3456
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        201⤵
        
        PID:1644
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        201⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        200⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        201⤵
        
        PID:1860
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        202⤵
        
        PID:596
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        202⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        201⤵
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        202⤵
        
        PID:2912
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        203⤵
        
        PID:2464
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        203⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        202⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        203⤵
        
        PID:1588
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        204⤵
        
        PID:3056
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        204⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        203⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        204⤵
        
        PID:1684
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        205⤵
        
        PID:1220
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        205⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        204⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        205⤵
        
        PID:3232
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        206⤵
        
        PID:2824
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        206⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        205⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        206⤵
        
        PID:2540
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        207⤵
        
        PID:568
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        207⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        206⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        207⤵
        
        PID:4544
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        208⤵
        
        PID:2664
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        208⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        207⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        208⤵
        
        PID:3564
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        209⤵
        
        PID:4348
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        209⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        208⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        209⤵
        
        PID:4292
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        210⤵
        
        PID:2860
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        210⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        209⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        210⤵
        
        PID:552
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        211⤵
        
        PID:1552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        212⤵
        
        PID:2356
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        211⤵
        
        PID:480
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        210⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        211⤵
        
        PID:3960
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        212⤵
        
        PID:952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:1088
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        212⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        211⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        212⤵
        
        PID:2196
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        213⤵
        
        PID:2044
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        213⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        212⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        213⤵
        
        PID:4336
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        214⤵
        
        PID:1464
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        214⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        213⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        214⤵
        
        PID:452
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        215⤵
        
        PID:1100
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        215⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        214⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        215⤵
        
        PID:2288
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        216⤵
        
        PID:2596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:4308
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        216⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        215⤵
        
        PID:480
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        216⤵
        
        PID:1996
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        217⤵
        
        PID:5020
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        217⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        216⤵
        
        PID:460
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        217⤵
        
        PID:1976
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        218⤵
        
        PID:4764
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        218⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        217⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        218⤵
        
        PID:3384
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        219⤵
        
        PID:948
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        219⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        218⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        219⤵
        
        PID:1880
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        220⤵
        
        PID:2544
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        220⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        219⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        220⤵
        
        PID:3964
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        221⤵
        
        PID:3412
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        221⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        220⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        221⤵
        
        PID:676
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        222⤵
        
        PID:1240
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        222⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        221⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        222⤵
        
        PID:2420
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        223⤵
        
        PID:3440
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        223⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        222⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        223⤵
        
        PID:2664
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        224⤵
        
        PID:8
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        224⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        223⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        224⤵
        
        PID:4796
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        225⤵
        
        PID:2768
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        225⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        224⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        225⤵
        
        PID:3456
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        226⤵
        
        PID:3416
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        226⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        225⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        226⤵
        
        PID:3216
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        227⤵
        
        PID:3700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        228⤵
        
        PID:4584
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        227⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        226⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        227⤵
        
        PID:2532
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        228⤵
        
        PID:5024
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        228⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        227⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        228⤵
        
        PID:1208
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        229⤵
        
        PID:3564
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        229⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        228⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        229⤵
        
        PID:1552
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        230⤵
        
        PID:2248
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        230⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        229⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        230⤵
        
        PID:2688
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        231⤵
        
        PID:1424
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        231⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        230⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        231⤵
        
        PID:4180
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        232⤵
        
        PID:3088
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        232⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        231⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        232⤵
        
        PID:3400
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        233⤵
        
        PID:340
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        233⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        232⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        233⤵
        
        PID:1040
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        234⤵
        
        PID:4828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:3736
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        234⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        233⤵
        System Location Discovery: System Language Discovery
        
        PID:484
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        234⤵
        
        PID:3516
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        235⤵
        
        PID:224
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        235⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        234⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        235⤵
        
        PID:3444
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        236⤵
        
        PID:944
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        236⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        235⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        236⤵
        
        PID:4160
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        237⤵
        
        PID:1080
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        237⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        236⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        237⤵
        
        PID:3144
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        238⤵
        
        PID:5032
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        238⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        237⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        238⤵
        
        PID:1884
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        239⤵
        
        PID:2716
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        239⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        238⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        239⤵
        
        PID:4952
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        240⤵
        
        PID:3184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:3604
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        240⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        239⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        240⤵
        
        PID:3168
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        241⤵
        
        PID:1184
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        241⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        240⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        241⤵
        
        PID:2216
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        242⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        241⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        242⤵
        
        PID:1788
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        243⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        242⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        243⤵
        
        PID:4712
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        244⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        243⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        244⤵
        
        PID:2232
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        245⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        244⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        245⤵
        
        PID:2968
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        246⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        245⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        246⤵
        
        PID:916
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        247⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        246⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        247⤵
        
        PID:2916
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        248⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        247⤵
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        248⤵
        
        PID:4564
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        249⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        248⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        249⤵
        Adds Run key to start application
        
        PID:4092
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        250⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        249⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        250⤵
        
        PID:2332
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        251⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        250⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        251⤵
        
        PID:3040
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        252⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        251⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        252⤵
        
        PID:4016
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        253⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        252⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        253⤵
        
        PID:684
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{3C0674A14F4D291931458}\{3C0674A14F4D291931458}.exe" /sc onstart /f
        254⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        253⤵
        
        PID:484
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        254⤵
        
        PID:2084
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        255⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        254⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        255⤵
        
        PID:5032
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{0BE445E7C5632545466276}\{0BE445E7C5632545466276}.exe" /sc onstart /f
        256⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        255⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        256⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe
        
        "CryptoFactory.exe"
        256⤵
        
        PID:1620

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:2112

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
PID:2308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc
1⤵
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2227988167-2813779459-4240799794-1000\DDDDDDDDDDD

Filesize
129B

MD5
b305e214777aa0ce038aa94b21dd122b

SHA1
9326732b5225a990566cd91e37b6b775161ffabe

SHA256
16ca8e085742118fc3acc2ecf69508b418aa24325bc443f8895756b74b57204a

SHA512
68c59c289776a9b034131cc9a1032ed953b1b75caa4093e5f1a1076f0a155787e41965d95f9731a62d25150c4b45e3931169c0292790702cf791f5bccb753a52

Download Submit
C:\HdbtqCuyh.README.txt

Filesize
980B

MD5
751940dccf55d21d7dcb7b8e614154d9

SHA1
5ef19237b4aaede4e95992356b2ec1481c1d8253

SHA256
875eafed5ef1785ec9cbd071d039aea59a1cfee0b62a0105d9b57118860ceac5

SHA512
afcfb8806c17fcdf1e1160a92719a79617ce4c4f6339c412bfaa3cfade6d290e2ecc936bec9f30b631ecef304744caa2e2a1a3f89e4e4e0f705fe6882e3236ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\14C4.tmp.Ice.exe

Filesize
498KB

MD5
601c25496c92e86210fc4351e46b9f5c

SHA1
8ab9bf21aa3e8257a1fcf0341f5f9362f8ca0466

SHA256
ff8f55d4715752aec71f60d00612e36b172708d3fa61c5e131f96966f0dd5017

SHA512
09c1c466bb89e3873fd7e51e7cb1b36c18a916143f1ebd93a22070d9115eb6d6fa137987205adb09928260f097d57dfba405e70d9422bc0bbb925905f827102e

Download Submit
C:\Users\Admin\AppData\Local\Temp\16E8.tmp.uIZtAux.exe

Filesize
300KB

MD5
8d14c4ba7260c61ecde30d97fd3c124a

SHA1
f60a7243a5160ff0dd60c37e1de43b81cead3549

SHA256
6985ec7f67fabd26633c991be04ce5f899224a56bb078ba186b4be21f9e4714d

SHA512
b068decea7ec68d2b4347493d9e4b8cc4fb0c3c5f5ecc2a52be6eb35d28e75d3de1636efe0b67cce825e8d08d3fb82d137b1d6eb1225662fb8c3dff9616dcc4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B5D.tmp.Setup.exe

Filesize
439KB

MD5
95d8ef6aaeae33dae91636b2bde473b8

SHA1
6e79574a1fd0af774f985b3fcf646039d30cc7e8

SHA256
05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767

SHA512
2982681c763db9dc3af710db4d8ba260d8c5591a37a9df13529a4e7a0a08cfd7fd6dbde5c6922b69baeeaf3222212a6697cf961304ec386e1dd5f5b022e13061

Download Submit
C:\Users\Admin\AppData\Local\Temp\62C7.tmp.schuste.exe

Filesize
5.5MB

MD5
115988cec15bcf0adc3b6a4f100b1b24

SHA1
fad2f118c730f012592ff6e81c9474e90c8eaccc

SHA256
14ace92094ef406bb2b9b8b49d63453896789a2eeb355d4eda0fd747577b60f2

SHA512
3474742c32a2d9e53cf179a229f2c67189049b49fcccb8778e26b9dccf8ff4e96567a28907ab171b5e7bacf51412ea07bca6850c5e3ebda87ad7bcef94025138

Download Submit
C:\Users\Admin\AppData\Local\Temp\68A4.tmp.nmi.exe

Filesize
47KB

MD5
67e32a73f545f56e1292d6b318f8e3c4

SHA1
96ca16f9a5b6e359f0dccfa0d6c7532ff047da09

SHA256
07d35c2c242d2c2a7bbf3d70315f7679c90b3f5a32b2ff542fdfca8a0b9cb4c8

SHA512
5ab019270b836231ba7f8b9a5c60bececc02a461f8978424708c7d8460c09347a5a8a1a3ee3b2b54f87a4faf0a4216c9d5e9ccf06dddd932fb93195a4c0df644

Download Submit
C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe

Filesize
6.0MB

MD5
606d9403c952670ed0566c1d1bce5dc8

SHA1
179b8c773a470d6e273808e8b25482810e90efcd

SHA256
dffa9b80560b0d59cfce787ef033857edc141646a1496b0cf50a00b1a5b03078

SHA512
ecbe8bf0eda38d1cb1cdecf03be58edb1f34b7cb3a17d60d98cabbc7b55429a1b3a69fbca380388f8e8f9de82620047c423464df8190dcc2211f795170c36299

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDD

Filesize
439KB

MD5
705c83d38a06d31561ba4146ee1d57e4

SHA1
63fd8d0ff89543404b76497d1a60aa47dc20590a

SHA256
aed84a1c0f3976e119eeba0bdc7a769d26ce32b41f58faa16080054c6b328bd8

SHA512
e969653dba2a03a57351fe4b0642bb6c5201107646d67d2d17e05d5d97e2ebc0eecadba47cc755e1f7233228376d2dde778dd10b1ac2d08b3921c806401bf34b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemUpdate.exe

Filesize
150KB

MD5
0b0e1ba4c83b34b77299bb0dadc867d0

SHA1
1faea11c874a8b8d19589419a315dabfeaf40543

SHA256
54c5d8f3f6cbd12ed0f82f6876b6c2d1358b1940d475c2fdd6c110ca1bcf8377

SHA512
be7afd507dc024739b61537d722a1b9cc6e804a2ecca2656ece09df58616b11685833d9fcff2029004e5bc4c9a968feb0dc052c828afe9cb3f19861c386dac77

Download Submit
C:\Users\Admin\AppData\Roaming\svchostwit.exe

Filesize
322KB

MD5
2a9ca96a774697399b7b112be1a2ec3c

SHA1
da98d372a0c138805d947a436a9b41781e61fd20

SHA256
773b7430b45b6c8d03ff3ca60ba642c62626cc570daf86cd5dcd40cd0678eaf1

SHA512
820164990929710ae93309f39309e9614fb198d3b7335b8fde4c52d84640abd9c73b8e69601c6714fec9471dff1653387204401e6841cb42965266d49d6aff38

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
96811ee52b8035587022107680f1deb5

SHA1
3406b1c7395a8ef2eda8042b057692aeb9e0609a

SHA256
594275934040bf4a5e1a1af2f38425012a981a665887352c312f6cc5a227daa5

SHA512
6621c4c16f0d99638e13d1ccd914fce036a072334b1c1824b67e802ede1a340c10e14e99a100cc9b9b626c60c99ce1d7bca3ef5963f9f403ce29c8fe88131d3e

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
1530b50aac226cd50815c69326517e51

SHA1
e97855298b61d8a5b6cf2450a990d5cbc40c6aa4

SHA256
1c1eab02470f70f1067cc91ae1506955f2cd92eac3afac8eb3592cc718c2cab3

SHA512
c66ee426b16c2ab3439617774b914dd279351b4c3dc14e16d6e7cdb11cd0cf0d3346df87a315f5a0de885522e3bfdcc2513e73f2d01cf0e5f13f77f7facdb432

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2227988167-2813779459-4240799794-1000\DDDDDDDDDDD

Filesize
129B

MD5
26f1296dbfbb9ae5e9f76a0b78136a86

SHA1
e6e2e004522f8fb70328eea1d8d2be509d5de34a

SHA256
2b4f146032b53192b44c2e4a2108a7855c5a6a0c47e3f7e6d777544bebb4bce2

SHA512
79f7c113e607d42127246ce619de1e6a0c53209268b3680ee061c5080783e83d0e19df0239336f65d2c3e907915046f7090d08665d4dc8ce517dddc008889a97

Download Submit
memory/396-177-0x00007FF732660000-0x00007FF7326B6000-memory.dmp

Filesize
344KB

Download
memory/452-105-0x00007FF653250000-0x00007FF6532A6000-memory.dmp

Filesize
344KB

Download
memory/532-246-0x00007FF6B4F80000-0x00007FF6B4FD6000-memory.dmp

Filesize
344KB

Download
memory/596-198-0x00007FF6A4320000-0x00007FF6A4376000-memory.dmp

Filesize
344KB

Download
memory/676-159-0x00007FF78C8E0000-0x00007FF78C936000-memory.dmp

Filesize
344KB

Download
memory/684-131-0x00007FF618E80000-0x00007FF618ED6000-memory.dmp

Filesize
344KB

Download
memory/884-103-0x00007FF6FBCB0000-0x00007FF6FBD06000-memory.dmp

Filesize
344KB

Download
memory/952-137-0x00007FF6B83D0000-0x00007FF6B8426000-memory.dmp

Filesize
344KB

Download
memory/960-122-0x00007FF66A8F0000-0x00007FF66A946000-memory.dmp

Filesize
344KB

Download
memory/992-163-0x00007FF6E9240000-0x00007FF6E9296000-memory.dmp

Filesize
344KB

Download
memory/1080-271-0x00007FF648900000-0x00007FF648956000-memory.dmp

Filesize
344KB

Download
memory/1088-110-0x00007FF696C00000-0x00007FF696C56000-memory.dmp

Filesize
344KB

Download
memory/1184-165-0x00007FF6AB600000-0x00007FF6AB656000-memory.dmp

Filesize
344KB

Download
memory/1312-180-0x00007FF774BC0000-0x00007FF774C16000-memory.dmp

Filesize
344KB

Download
memory/1364-193-0x00007FF7FA6E0000-0x00007FF7FA736000-memory.dmp

Filesize
344KB

Download
memory/1396-255-0x00007FF7784F0000-0x00007FF778546000-memory.dmp

Filesize
344KB

Download
memory/1500-147-0x00007FF659760000-0x00007FF6597B6000-memory.dmp

Filesize
344KB

Download
memory/1512-189-0x00007FF793850000-0x00007FF7938A6000-memory.dmp

Filesize
344KB

Download
memory/1576-258-0x00007FF672EB0000-0x00007FF672F06000-memory.dmp

Filesize
344KB

Download
memory/1580-188-0x00007FF6D3C40000-0x00007FF6D3C96000-memory.dmp

Filesize
344KB

Download
memory/1588-269-0x00007FF77C3F0000-0x00007FF77C446000-memory.dmp

Filesize
344KB

Download
memory/1588-244-0x00007FF63D840000-0x00007FF63D896000-memory.dmp

Filesize
344KB

Download
memory/1616-223-0x00007FF74E860000-0x00007FF74E8B6000-memory.dmp

Filesize
344KB

Download
memory/1768-185-0x00007FF65C380000-0x00007FF65C3D6000-memory.dmp

Filesize
344KB

Download
memory/2004-162-0x00007FF7128C0000-0x00007FF712916000-memory.dmp

Filesize
344KB

Download
memory/2052-245-0x00007FF6CF820000-0x00007FF6CF876000-memory.dmp

Filesize
344KB

Download
memory/2212-160-0x00007FF727EA0000-0x00007FF727EF6000-memory.dmp

Filesize
344KB

Download
memory/2216-224-0x00007FF640650000-0x00007FF6406A6000-memory.dmp

Filesize
344KB

Download
memory/2228-120-0x00007FF6200E0000-0x00007FF620136000-memory.dmp

Filesize
344KB

Download
memory/2232-262-0x00007FF6EA5A0000-0x00007FF6EA5F6000-memory.dmp

Filesize
344KB

Download
memory/2240-219-0x00007FF668140000-0x00007FF668196000-memory.dmp

Filesize
344KB

Download
memory/2292-210-0x00007FF78BEA0000-0x00007FF78BEF6000-memory.dmp

Filesize
344KB

Download
memory/2340-173-0x00007FF7A85E0000-0x00007FF7A8636000-memory.dmp

Filesize
344KB

Download
memory/2424-238-0x00007FF7FB570000-0x00007FF7FB5C6000-memory.dmp

Filesize
344KB

Download
memory/2464-179-0x00007FF681860000-0x00007FF6818B6000-memory.dmp

Filesize
344KB

Download
memory/2540-226-0x00007FF7CCE30000-0x00007FF7CCE86000-memory.dmp

Filesize
344KB

Download
memory/2544-264-0x00007FF7AA440000-0x00007FF7AA496000-memory.dmp

Filesize
344KB

Download
memory/2668-31795-0x0000000000150000-0x00000000001D2000-memory.dmp

Filesize
520KB

Download
memory/2684-111-0x00007FF6298C0000-0x00007FF629916000-memory.dmp

Filesize
344KB

Download
memory/2944-270-0x00007FF6D4820000-0x00007FF6D4876000-memory.dmp

Filesize
344KB

Download
memory/2948-209-0x00007FF787840000-0x00007FF787896000-memory.dmp

Filesize
344KB

Download
memory/2980-178-0x00007FF6891A0000-0x00007FF6891F6000-memory.dmp

Filesize
344KB

Download
memory/3136-233-0x00007FF65A6B0000-0x00007FF65A706000-memory.dmp

Filesize
344KB

Download
memory/3148-31828-0x00000000052E0000-0x00000000053EA000-memory.dmp

Filesize
1.0MB

Download
memory/3148-31826-0x0000000006020000-0x0000000006638000-memory.dmp

Filesize
6.1MB

Download
memory/3148-35558-0x00000000091F0000-0x000000000971C000-memory.dmp

Filesize
5.2MB

Download
memory/3148-35557-0x0000000008AF0000-0x0000000008CB2000-memory.dmp

Filesize
1.8MB

Download
memory/3148-31817-0x0000000004F40000-0x0000000004FD2000-memory.dmp

Filesize
584KB

Download
memory/3148-35030-0x0000000006890000-0x00000000068E0000-memory.dmp

Filesize
320KB

Download
memory/3148-34981-0x0000000005B90000-0x0000000005BF6000-memory.dmp

Filesize
408KB

Download
memory/3148-31835-0x0000000005250000-0x000000000529C000-memory.dmp

Filesize
304KB

Download
memory/3148-31830-0x0000000005210000-0x000000000524C000-memory.dmp

Filesize
240KB

Download
memory/3148-31829-0x0000000005160000-0x0000000005172000-memory.dmp

Filesize
72KB

Download
memory/3148-31814-0x0000000000520000-0x0000000000572000-memory.dmp

Filesize
328KB

Download
memory/3148-31824-0x0000000004F00000-0x0000000004F0A000-memory.dmp

Filesize
40KB

Download
memory/3148-31815-0x0000000005450000-0x00000000059F6000-memory.dmp

Filesize
5.6MB

Download
memory/3196-250-0x00007FF723DE0000-0x00007FF723E36000-memory.dmp

Filesize
344KB

Download
memory/3408-235-0x00007FF647EE0000-0x00007FF647F36000-memory.dmp

Filesize
344KB

Download
memory/3460-129-0x00007FF61BEA0000-0x00007FF61BEF6000-memory.dmp

Filesize
344KB

Download
memory/3460-99-0x00007FF670820000-0x00007FF670876000-memory.dmp

Filesize
344KB

Download
memory/3680-215-0x00007FF6E5120000-0x00007FF6E5176000-memory.dmp

Filesize
344KB

Download
memory/3740-166-0x00007FF65FD30000-0x00007FF65FD86000-memory.dmp

Filesize
344KB

Download
memory/4300-100-0x00007FF74E100000-0x00007FF74E156000-memory.dmp

Filesize
344KB

Download
memory/4368-220-0x00007FF701BF0000-0x00007FF701C46000-memory.dmp

Filesize
344KB

Download
memory/4472-97-0x00007FF6C57E0000-0x00007FF6C5836000-memory.dmp

Filesize
344KB

Download
memory/4472-201-0x00007FF77FF00000-0x00007FF77FF56000-memory.dmp

Filesize
344KB

Download
memory/4544-241-0x00007FF7F07F0000-0x00007FF7F0846000-memory.dmp

Filesize
344KB

Download
memory/4548-128-0x00007FF6758A0000-0x00007FF6758F6000-memory.dmp

Filesize
344KB

Download
memory/4596-141-0x00007FF600C30000-0x00007FF600C86000-memory.dmp

Filesize
344KB

Download
memory/4768-197-0x00007FF693700000-0x00007FF693756000-memory.dmp

Filesize
344KB

Download
memory/4768-125-0x00007FF7EAEE0000-0x00007FF7EAF36000-memory.dmp

Filesize
344KB

Download
memory/4808-278-0x00007FF7A20F0000-0x00007FF7A2146000-memory.dmp

Filesize
344KB

Download
memory/4808-152-0x00007FF666880000-0x00007FF6668D6000-memory.dmp

Filesize
344KB

Download
memory/4932-183-0x00007FF7D2E00000-0x00007FF7D2E56000-memory.dmp

Filesize
344KB

Download
memory/4940-206-0x00007FF6D87B0000-0x00007FF6D8806000-memory.dmp

Filesize
344KB

Download
memory/4952-261-0x00007FF66A760000-0x00007FF66A7B6000-memory.dmp

Filesize
344KB

Download
memory/4960-130-0x00007FF7C8B50000-0x00007FF7C8BA6000-memory.dmp

Filesize
344KB

Download
memory/5096-148-0x00007FF6A21D0000-0x00007FF6A2226000-memory.dmp

Filesize
344KB

Download
memory/5344-30967-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/5344-31069-0x0000000004FC0000-0x000000000505C000-memory.dmp

Filesize
624KB

Download