asyncrat | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
264s
max time network
361s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
26-11-2024 22:33

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

database

86.234.237.85:4782

Mutex

6f01bdde-f654-4a13-8435-03f5c516c5db

Attributes

encryption_key
65940F11374651C87E8131C4328E542AEFE6F05D
install_name
Runtime Broker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Runtime Broker
subdirectory
Runtime Broker

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

newwwwwwwwwwwwwwwwww

185.16.38.41:2033

185.16.38.41:2034

185.16.38.41:2035

185.16.38.41:2022

185.16.38.41:2023

185.16.38.41:2024

185.16.38.41:20000

185.16.38.41:6666

Mutex

AsyncMutex_XXXX765643

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

Version

5.0

62.113.117.95:5665

Mutex

oQNXB2TbsZoFMnfW

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

xworm

sound-vietnam.gl.at.ply.gg:52575

Attributes

Install_directory
%LocalAppData%
install_file
Terraria-Multiplayer-Fix-Online.exe

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

91.92.243.191:5401

Mutex

fce41024-0e2f-475b-929b-e58a126341bd

Attributes

encryption_key
802CAE367B042C840DD4E29539BB1BFEC16FB48A
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
vchost32
subdirectory
SubDir

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

62.113.117.95:4449

Mutex

hwelcvbupaqfzors

Attributes

delay
10
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x001900000002ab31-6049.dat	family_xworm
behavioral1/memory/5036-6175-0x0000000000FC0000-0x0000000001010000-memory.dmp	family_xworm
behavioral1/files/0x001c00000002ab56-6228.dat	family_xworm
behavioral1/memory/3544-6233-0x0000000000DD0000-0x0000000000DE8000-memory.dmp	family_xworm

Detects Monster Stealer. 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x001c00000002a978-1587.dat	family_monster

Detects ZharkBot payload 3 IoCs

ZharkBot is a botnet written C++.

Processes:

resource	yara_rule
behavioral1/memory/3912-29-0x0000000000170000-0x00000000001C4000-memory.dmp	zharkcore
behavioral1/memory/3912-32-0x0000000000170000-0x00000000001C4000-memory.dmp	zharkcore
behavioral1/memory/3912-24-0x0000000000170000-0x00000000001C4000-memory.dmp	zharkcore

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw
Jigsaw family
jigsaw
Monster
Monster is a Golang stealer that was discovered in 2024.
stealer monster
Monster family
monster
Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x001c00000002a878-5151.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0003000000025709-106.dat	family_quasar
behavioral1/memory/4220-113-0x00000000001A0000-0x00000000004C4000-memory.dmp	family_quasar
behavioral1/files/0x002200000002a484-9719.dat	family_quasar
behavioral1/memory/2604-9726-0x0000000000640000-0x0000000000964000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 15 IoCs

Processes:

PURLOG.exe3013823666.exewinupsecvmgr.exe

description	pid	Process	procid_target
PID 3756 created 3284	3756	PURLOG.exe	52
PID 3756 created 3284	3756	PURLOG.exe	52
PID 3756 created 3284	3756	PURLOG.exe	52
PID 3756 created 3284	3756	PURLOG.exe	52
PID 3756 created 3284	3756	PURLOG.exe	52
PID 3756 created 3284	3756	PURLOG.exe	52
PID 3756 created 3284	3756	PURLOG.exe	52
PID 3756 created 3284	3756	PURLOG.exe	52
PID 784 created 3284	784	3013823666.exe	52
PID 784 created 3284	784	3013823666.exe	52
PID 5624 created 3284	5624	winupsecvmgr.exe	52
PID 5624 created 3284	5624	winupsecvmgr.exe	52
PID 5624 created 3284	5624	winupsecvmgr.exe	52
PID 2136 created 3284	2136		52
PID 2136 created 3284	2136		52

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
ZharkBot
ZharkBot is a botnet written C++.
botnet zharkbot
Zharkbot family
zharkbot

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/files/0x001d00000002ab2c-6041.dat	family_asyncrat

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Renames multiple (1499) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
4076
2572
1596
5388
3160
5460
2856
4624
3888
128
324
5424
4116
5096
2336	powershell.exe
5000	powershell.exe
5084

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

Processes:

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts

Modifies Windows Firewall 2 TTPs 5 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	Process
6020	netsh.exe
5044	netsh.exe
4876	netsh.exe
1784	netsh.exe
2568	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

Processes:

powershell.execmd.exe

pid	Process
2192	powershell.exe
3508	cmd.exe

Drops startup file 4 IoCs

Processes:

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Terraria-Multiplayer-Fix-Online.lnk
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Terraria-Multiplayer-Fix-Online.lnk
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url

Executes dropped EXE 54 IoCs

Processes:

2.exemain.exemain.exeBluescreen.exegsprout.exeRuntime%20Broker.exezxcv.exeJigsaw.exedrpbx.exezxcv.exezxcv.exezxcv.exeXIDBUby6NA.exeqZGEO3ECgK.exePURLOG.exegame.exepeinf.exebuild11.exestub.exeshell.exe9402.tmp.exetwztl.exepp.exe156688868.exesysnldcvmr.exesysnldcvmr.exe214512583.exe534733401.exeControlledAccessPoint.exemos%20ssssttttt.exePCSupport.exe3013823666.exe719229664.exewinvnc.exewinupsecvmgr.exe2685219044.exe2228312724.exesvchost.exe

pid	Process
3400	2.exe
3144	main.exe
4196	main.exe
4544	Bluescreen.exe
4736	gsprout.exe
4220	Runtime%20Broker.exe
1192	zxcv.exe
1276	Jigsaw.exe
3040	drpbx.exe
2384	zxcv.exe
3152	zxcv.exe
4128	zxcv.exe
3356	XIDBUby6NA.exe
2304	qZGEO3ECgK.exe
3756	PURLOG.exe
2104	game.exe
4584	peinf.exe
4196	build11.exe
2284	stub.exe
5852	shell.exe
5440	9402.tmp.exe
4444	twztl.exe
5160	pp.exe
3364	156688868.exe
5780	sysnldcvmr.exe
5480	sysnldcvmr.exe
2116	214512583.exe
4676	534733401.exe
5732	ControlledAccessPoint.exe
4496	mos%20ssssttttt.exe
6004	PCSupport.exe
784	3013823666.exe
2180	719229664.exe
5208	winvnc.exe
5624	winupsecvmgr.exe
1764	2685219044.exe
1968	2228312724.exe
4232	svchost.exe
4760
3420
984
3516
2900
5036
5404
5516
1008
3068
2444
5336
3544
2136
1560
3204

Loads dropped DLL 37 IoCs

Processes:

2.exemain.exestub.exe

pid	Process
3400	2.exe
4196	main.exe
4196	main.exe
4196	main.exe
4196	main.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
2284	stub.exe
984

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/files/0x001900000002ab37-6194.dat	themida
behavioral1/memory/3068-6199-0x00007FF72CF20000-0x00007FF72DE3F000-memory.dmp	themida
behavioral1/memory/3068-6284-0x00007FF72CF20000-0x00007FF72DE3F000-memory.dmp	themida
behavioral1/memory/3068-6314-0x00007FF72CF20000-0x00007FF72DE3F000-memory.dmp	themida
behavioral1/memory/1560-6315-0x00007FF6D2CA0000-0x00007FF6D3BBF000-memory.dmp	themida
behavioral1/memory/1560-6369-0x00007FF6D2CA0000-0x00007FF6D3BBF000-memory.dmp	themida
behavioral1/memory/5612-9405-0x00007FF785160000-0x00007FF78607F000-memory.dmp	themida
behavioral1/memory/5612-9448-0x00007FF785160000-0x00007FF78607F000-memory.dmp	themida
behavioral1/memory/4264-9494-0x00007FF6D07F0000-0x00007FF6D170F000-memory.dmp	themida
behavioral1/memory/4264-9538-0x00007FF6D07F0000-0x00007FF6D170F000-memory.dmp	themida
behavioral1/memory/1944-9602-0x00007FF771320000-0x00007FF77223F000-memory.dmp	themida
behavioral1/memory/1944-9634-0x00007FF771320000-0x00007FF77223F000-memory.dmp	themida

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/files/0x001a00000002aa3b-5959.dat	vmprotect
behavioral1/memory/4232-5964-0x00007FF651740000-0x00007FF651977000-memory.dmp	vmprotect
behavioral1/memory/4232-5967-0x00007FF651740000-0x00007FF651977000-memory.dmp	vmprotect

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

156688868.exeJigsaw.exereg.exetwztl.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysnldcvmr.exe"	156688868.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\Terraria-Multiplayer-Fix-Online = "C:\\Users\\Admin\\AppData\\Local\\Terraria-Multiplayer-Fix-Online.exe"
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	Jigsaw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Monster Update Service = "C:\\Users\\Admin\\AppData\\Local\\MonsterUpdateService\\Monster.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	twztl.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
3	raw.githubusercontent.com
14	raw.githubusercontent.com
28	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
1	ip-api.com

Network Service Discovery 1 TTPs 3 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

Processes:

cmd.exeARP.EXE

pid	Process
4576
388	cmd.exe
1488	ARP.EXE

Power Settings 1 TTPs 24 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

Processes:

pid	Process
2660
1636
1992
5912
3856
3960
3152
3404
1900
4936
3136
1548
5804
3828
5412
6116
3092
5336
2444
5516
1540
5764
5164
436

Drops file in System32 directory 1 IoCs

Processes:

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exe

pid	Process
2900	tasklist.exe
3736	tasklist.exe
4304	tasklist.exe
3216
4508

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Processes:

cmd.exe

pid	Process
3660	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

pid	Process
3068
1560

Suspicious use of SetThreadContext 7 IoCs

Processes:

2.exezxcv.exePURLOG.exewinupsecvmgr.exeControlledAccessPoint.exe

description	pid	Process	procid_target
PID 3400 set thread context of 3912	3400	2.exe	80
PID 1192 set thread context of 4128	1192	zxcv.exe	94
PID 3756 set thread context of 4836	3756	PURLOG.exe	169
PID 5624 set thread context of 680	5624	winupsecvmgr.exe	1001
PID 5624 set thread context of 1016	5624	winupsecvmgr.exe	1003
PID 5732 set thread context of 2868	5732	ControlledAccessPoint.exe	1173
PID 984 set thread context of 2020	984		1148

Drops file in Program Files directory 64 IoCs

Processes:

drpbx.exe

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\SplashScreen.scale-150_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-80.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-100_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxAccountsLargeTile.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_altform-unplated_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook2x.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-disabled_32.svg	drpbx.exe
File created	C:\Program Files\Microsoft Office\AppXManifest.xml.fun	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-100.png.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-100_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageWideTile.scale-100_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_x64__8wekyb3d8bbwe\Assets\Icons\StickyNotesAppList.targetsize-32_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare71x71Logo.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\AppxManifest.xml	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\vreg\dcf.x-none.msi.16.x-none.vreg.dat.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\StoreLogo.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-32_altform-lightunplated_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square150x150Logo.scale-200.png	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-80.png.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-30.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_neutral_split.scale-140_8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.1.2.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\ExchangeWideTile.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-20_altform-lightunplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-30_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-400_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-32_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxAccountsSplashLogo.scale-180.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\WeatherSmallTile.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\NewsWideTile.scale-200_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Mocking.help.txt	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\PeopleAppList.targetsize-16_altform-lightunplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\placeholder.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-72_altform-lightunplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Wide310x150Logo.scale-125_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png	drpbx.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-64.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\Theme_Photo_SpringDandelion_Thumbnail_Dark.jpg	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\LinkedInboxBadge.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\OrientationControlMiddleCircleHover.png	drpbx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	drpbx.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.png	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-white\NotepadAppList.scale-400.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\SmallTile.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_11.2104.2.0_neutral_split.scale-125_8wekyb3d8bbwe\SnippingTool\Assets\Wide310x150Logo.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\NewsAppList.targetsize-16_contrast-white.png	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PaintMedTile.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-white\FeedbackHubLargeTile.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\MapsMedTile.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-200_contrast-black.png	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40_altform-lightunplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\inifile.targetsize-20.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\LensSDK\Assets\EnsoUI\dashboard_slomo_ON.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\EmptyCalendarSearch.scale-200.png	drpbx.exe

Drops file in Windows directory 10 IoCs

Processes:

156688868.exetwztl.exe

description	ioc	Process
File created	C:\Windows\sysnldcvmr.exe	156688868.exe
File opened for modification	C:\Windows\SysOrleans
File opened for modification	C:\Windows\ConfiguringUps
File opened for modification	C:\Windows\ExplorerProprietary
File created	C:\Windows\sysnldcvmr.exe	twztl.exe
File opened for modification	C:\Windows\sysnldcvmr.exe	twztl.exe
File opened for modification	C:\Windows\ChestAntique
File opened for modification	C:\Windows\EquationExplorer
File opened for modification	C:\Windows\TreeProfessor
File opened for modification	C:\Windows\HostelGalleries

Launches sc.exe 42 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid	Process
5156
1528
2472
5600
5556
5424
2836
1556
5976
2884
4988
5924
6128
5932
912
2328
5772
3012
4516
4452
4548	sc.exe
2464
3880
652
5672
5452
4152
1136
5512
1064
5828
5288
996
2344
5984
2220
5320
3836
3456
5788
2832
5232

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
behavioral1/files/0x001a00000002aab4-38.dat	pyinstaller

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

Processes:

resource	yara_rule
behavioral1/files/0x001d00000002aad2-1605.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
5036	3912	WerFault.exe	80
4272	1192	WerFault.exe	89
2344	4736		87

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

gsprout.exepeinf.exewinvnc.exe4363463463464363463463463.exezxcv.exe9402.tmp.exe156688868.exesysnldcvmr.exe2228312724.exemain.exegame.exeshell.exepp.exe534733401.exe2685219044.exeInstallUtil.exezxcv.exemos%20ssssttttt.exePCSupport.exetimeout.exe2.exenetsh.exenetsh.exemain.exe719229664.exenetsh.execmd.exesysnldcvmr.exetwztl.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gsprout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peinf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxcv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9402.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	156688868.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2228312724.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	534733401.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2685219044.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxcv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mos%20ssssttttt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PCSupport.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	719229664.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	twztl.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

pid	Process
1028
5636

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

Processes:

cmd.exenetsh.exe

pid	Process
2120	cmd.exe
3364	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

Processes:

NETSTAT.EXE

pid	Process
2060	NETSTAT.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

InstallUtil.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	InstallUtil.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InstallUtil.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

Processes:

WMIC.exe

pid	Process
4516	WMIC.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
3788	timeout.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exeNETSTAT.EXE

pid	Process
2176	ipconfig.exe
2060	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

Processes:

systeminfo.exe

pid	Process
1360	systeminfo.exe

Kills process with taskkill 2 IoCs

evasion

Processes:

taskkill.exe

pid	Process
2496
2840	taskkill.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs

Modifies registry class 1 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

pid	Process
5636

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
2468	schtasks.exe
5428
2392
3320
5824
2860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

main.exepowershell.exePURLOG.exepowershell.exe214512583.exePCSupport.exewinvnc.exe3013823666.exepowershell.exemos%20ssssttttt.exe

pid	Process
4196	main.exe
4196	main.exe
2192	powershell.exe
2192	powershell.exe
3756	PURLOG.exe
3756	PURLOG.exe
3756	PURLOG.exe
3756	PURLOG.exe
3756	PURLOG.exe
3756	PURLOG.exe
3756	PURLOG.exe
3756	PURLOG.exe
3756	PURLOG.exe
3756	PURLOG.exe
3756	PURLOG.exe
3756	PURLOG.exe
3756	PURLOG.exe
3756	PURLOG.exe
3756	PURLOG.exe
3756	PURLOG.exe
3756	PURLOG.exe
3756	PURLOG.exe
3756	PURLOG.exe
3756	PURLOG.exe
3756	PURLOG.exe
3756	PURLOG.exe
4592	powershell.exe
4592	powershell.exe
4592	powershell.exe
4592	powershell.exe
2116	214512583.exe
6004	PCSupport.exe
6004	PCSupport.exe
5208	winvnc.exe
5208	winvnc.exe
5208	winvnc.exe
5208	winvnc.exe
784	3013823666.exe
784	3013823666.exe
2336	powershell.exe
2336	powershell.exe
784	3013823666.exe
784	3013823666.exe
4496	mos%20ssssttttt.exe
4496	mos%20ssssttttt.exe
4496	mos%20ssssttttt.exe
4496	mos%20ssssttttt.exe
4496	mos%20ssssttttt.exe
4496	mos%20ssssttttt.exe
4496	mos%20ssssttttt.exe
4496	mos%20ssssttttt.exe
4496	mos%20ssssttttt.exe
4496	mos%20ssssttttt.exe
4496	mos%20ssssttttt.exe
4496	mos%20ssssttttt.exe
4496	mos%20ssssttttt.exe
4496	mos%20ssssttttt.exe
4496	mos%20ssssttttt.exe
4496	mos%20ssssttttt.exe
4496	mos%20ssssttttt.exe
4496	mos%20ssssttttt.exe
4496	mos%20ssssttttt.exe
4496	mos%20ssssttttt.exe
4496	mos%20ssssttttt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

mos%20ssssttttt.exe

pid	Process
4496	mos%20ssssttttt.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4363463463464363463463463.exeRuntime%20Broker.exeXIDBUby6NA.exeqZGEO3ECgK.exePURLOG.exetasklist.exeWMIC.exetaskkill.exetasklist.exepowershell.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	3872	4363463463464363463463463.exe
Token: SeDebugPrivilege	4220	Runtime%20Broker.exe
Token: SeBackupPrivilege	3356	XIDBUby6NA.exe
Token: SeSecurityPrivilege	3356	XIDBUby6NA.exe
Token: SeSecurityPrivilege	3356	XIDBUby6NA.exe
Token: SeSecurityPrivilege	3356	XIDBUby6NA.exe
Token: SeSecurityPrivilege	3356	XIDBUby6NA.exe
Token: SeBackupPrivilege	2304	qZGEO3ECgK.exe
Token: SeSecurityPrivilege	2304	qZGEO3ECgK.exe
Token: SeSecurityPrivilege	2304	qZGEO3ECgK.exe
Token: SeSecurityPrivilege	2304	qZGEO3ECgK.exe
Token: SeSecurityPrivilege	2304	qZGEO3ECgK.exe
Token: SeDebugPrivilege	3756	PURLOG.exe
Token: SeDebugPrivilege	2900	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2256	WMIC.exe
Token: SeSecurityPrivilege	2256	WMIC.exe
Token: SeTakeOwnershipPrivilege	2256	WMIC.exe
Token: SeLoadDriverPrivilege	2256	WMIC.exe
Token: SeSystemProfilePrivilege	2256	WMIC.exe
Token: SeSystemtimePrivilege	2256	WMIC.exe
Token: SeProfSingleProcessPrivilege	2256	WMIC.exe
Token: SeIncBasePriorityPrivilege	2256	WMIC.exe
Token: SeCreatePagefilePrivilege	2256	WMIC.exe
Token: SeBackupPrivilege	2256	WMIC.exe
Token: SeRestorePrivilege	2256	WMIC.exe
Token: SeShutdownPrivilege	2256	WMIC.exe
Token: SeDebugPrivilege	2256	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2256	WMIC.exe
Token: SeRemoteShutdownPrivilege	2256	WMIC.exe
Token: SeUndockPrivilege	2256	WMIC.exe
Token: SeManageVolumePrivilege	2256	WMIC.exe
Token: 33	2256	WMIC.exe
Token: 34	2256	WMIC.exe
Token: 35	2256	WMIC.exe
Token: 36	2256	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2256	WMIC.exe
Token: SeSecurityPrivilege	2256	WMIC.exe
Token: SeTakeOwnershipPrivilege	2256	WMIC.exe
Token: SeLoadDriverPrivilege	2256	WMIC.exe
Token: SeSystemProfilePrivilege	2256	WMIC.exe
Token: SeSystemtimePrivilege	2256	WMIC.exe
Token: SeProfSingleProcessPrivilege	2256	WMIC.exe
Token: SeIncBasePriorityPrivilege	2256	WMIC.exe
Token: SeCreatePagefilePrivilege	2256	WMIC.exe
Token: SeBackupPrivilege	2256	WMIC.exe
Token: SeRestorePrivilege	2256	WMIC.exe
Token: SeShutdownPrivilege	2256	WMIC.exe
Token: SeDebugPrivilege	2256	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2256	WMIC.exe
Token: SeRemoteShutdownPrivilege	2256	WMIC.exe
Token: SeUndockPrivilege	2256	WMIC.exe
Token: SeManageVolumePrivilege	2256	WMIC.exe
Token: 33	2256	WMIC.exe
Token: 34	2256	WMIC.exe
Token: 35	2256	WMIC.exe
Token: 36	2256	WMIC.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	3736	tasklist.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeIncreaseQuotaPrivilege	4516	WMIC.exe
Token: SeSecurityPrivilege	4516	WMIC.exe
Token: SeTakeOwnershipPrivilege	4516	WMIC.exe
Token: SeLoadDriverPrivilege	4516	WMIC.exe
Token: SeSystemProfilePrivilege	4516	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

winvnc.exedwm.exe

pid	Process
5208	winvnc.exe
5208	winvnc.exe
5208	winvnc.exe
5208	winvnc.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
5208	winvnc.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
5208	winvnc.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
5208	winvnc.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
5208	winvnc.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
5208	winvnc.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
5208	winvnc.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
5208	winvnc.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
5208	winvnc.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
5208	winvnc.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
5208	winvnc.exe
1016	dwm.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

winvnc.exedwm.exe

pid	Process
5208	winvnc.exe
5208	winvnc.exe
5208	winvnc.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
5208	winvnc.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
5208	winvnc.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
5208	winvnc.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
5208	winvnc.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
5208	winvnc.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
5208	winvnc.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
5208	winvnc.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
5208	winvnc.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
5208	winvnc.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
5208	winvnc.exe
1016	dwm.exe
1016	dwm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid	Process
2900
3544

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4363463463464363463463463.exe2.exemain.exeJigsaw.exezxcv.exezxcv.exebuild11.exe

description	pid	Process	procid_target
PID 3872 wrote to memory of 3400	3872	4363463463464363463463463.exe	78
PID 3872 wrote to memory of 3400	3872	4363463463464363463463463.exe	78
PID 3872 wrote to memory of 3400	3872	4363463463464363463463463.exe	78
PID 3400 wrote to memory of 3912	3400	2.exe	80
PID 3400 wrote to memory of 3912	3400	2.exe	80
PID 3400 wrote to memory of 3912	3400	2.exe	80
PID 3400 wrote to memory of 3912	3400	2.exe	80
PID 3400 wrote to memory of 3912	3400	2.exe	80
PID 3400 wrote to memory of 3912	3400	2.exe	80
PID 3400 wrote to memory of 3912	3400	2.exe	80
PID 3400 wrote to memory of 3912	3400	2.exe	80
PID 3400 wrote to memory of 3912	3400	2.exe	80
PID 3872 wrote to memory of 3144	3872	4363463463464363463463463.exe	84
PID 3872 wrote to memory of 3144	3872	4363463463464363463463463.exe	84
PID 3872 wrote to memory of 3144	3872	4363463463464363463463463.exe	84
PID 3144 wrote to memory of 4196	3144	main.exe	85
PID 3144 wrote to memory of 4196	3144	main.exe	85
PID 3144 wrote to memory of 4196	3144	main.exe	85
PID 3872 wrote to memory of 4544	3872	4363463463464363463463463.exe	86
PID 3872 wrote to memory of 4544	3872	4363463463464363463463463.exe	86
PID 3872 wrote to memory of 4736	3872	4363463463464363463463463.exe	87
PID 3872 wrote to memory of 4736	3872	4363463463464363463463463.exe	87
PID 3872 wrote to memory of 4736	3872	4363463463464363463463463.exe	87
PID 3872 wrote to memory of 4220	3872	4363463463464363463463463.exe	88
PID 3872 wrote to memory of 4220	3872	4363463463464363463463463.exe	88
PID 3872 wrote to memory of 1192	3872	4363463463464363463463463.exe	89
PID 3872 wrote to memory of 1192	3872	4363463463464363463463463.exe	89
PID 3872 wrote to memory of 1192	3872	4363463463464363463463463.exe	89
PID 3872 wrote to memory of 1276	3872	4363463463464363463463463.exe	90
PID 3872 wrote to memory of 1276	3872	4363463463464363463463463.exe	90
PID 1276 wrote to memory of 3040	1276	Jigsaw.exe	91
PID 1276 wrote to memory of 3040	1276	Jigsaw.exe	91
PID 1192 wrote to memory of 2384	1192	zxcv.exe	92
PID 1192 wrote to memory of 2384	1192	zxcv.exe	92
PID 1192 wrote to memory of 2384	1192	zxcv.exe	92
PID 1192 wrote to memory of 3152	1192	zxcv.exe	93
PID 1192 wrote to memory of 3152	1192	zxcv.exe	93
PID 1192 wrote to memory of 3152	1192	zxcv.exe	93
PID 1192 wrote to memory of 4128	1192	zxcv.exe	94
PID 1192 wrote to memory of 4128	1192	zxcv.exe	94
PID 1192 wrote to memory of 4128	1192	zxcv.exe	94
PID 1192 wrote to memory of 4128	1192	zxcv.exe	94
PID 1192 wrote to memory of 4128	1192	zxcv.exe	94
PID 1192 wrote to memory of 4128	1192	zxcv.exe	94
PID 1192 wrote to memory of 4128	1192	zxcv.exe	94
PID 1192 wrote to memory of 4128	1192	zxcv.exe	94
PID 1192 wrote to memory of 4128	1192	zxcv.exe	94
PID 1192 wrote to memory of 4128	1192	zxcv.exe	94
PID 4128 wrote to memory of 3356	4128	zxcv.exe	97
PID 4128 wrote to memory of 3356	4128	zxcv.exe	97
PID 4128 wrote to memory of 2304	4128	zxcv.exe	98
PID 4128 wrote to memory of 2304	4128	zxcv.exe	98
PID 3872 wrote to memory of 3756	3872	4363463463464363463463463.exe	99
PID 3872 wrote to memory of 3756	3872	4363463463464363463463463.exe	99
PID 3872 wrote to memory of 2104	3872	4363463463464363463463463.exe	100
PID 3872 wrote to memory of 2104	3872	4363463463464363463463463.exe	100
PID 3872 wrote to memory of 2104	3872	4363463463464363463463463.exe	100
PID 3872 wrote to memory of 4584	3872	4363463463464363463463463.exe	101
PID 3872 wrote to memory of 4584	3872	4363463463464363463463463.exe	101
PID 3872 wrote to memory of 4584	3872	4363463463464363463463463.exe	101
PID 3872 wrote to memory of 4196	3872	4363463463464363463463463.exe	103
PID 3872 wrote to memory of 4196	3872	4363463463464363463463463.exe	103
PID 4196 wrote to memory of 2284	4196	build11.exe	105
PID 4196 wrote to memory of 2284	4196	build11.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
2868	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3284
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Users\Admin\AppData\Local\Temp\Files\2.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3400
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
      4⤵
      PID:3912
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 420
        5⤵
        Program crash
        
        PID:5036
- - C:\Users\Admin\AppData\Local\Temp\Files\main.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\main.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Users\Admin\AppData\Local\Temp\Files\main.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\main.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4196
- - C:\Users\Admin\AppData\Local\Temp\Files\Bluescreen.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Bluescreen.exe"
    3⤵
    - Executes dropped EXE
    PID:4544
- - C:\Users\Admin\AppData\Local\Temp\Files\gsprout.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\gsprout.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4736
- - C:\Users\Admin\AppData\Local\Temp\Files\Runtime%20Broker.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Runtime%20Broker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4220
- - C:\Users\Admin\AppData\Local\Temp\Files\zxcv.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\zxcv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1192
  - - C:\Users\Admin\AppData\Local\Temp\Files\zxcv.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\zxcv.exe"
      4⤵
      Executes dropped EXE
      PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\Files\zxcv.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\zxcv.exe"
      4⤵
      Executes dropped EXE
      PID:3152
  - - C:\Users\Admin\AppData\Local\Temp\Files\zxcv.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\zxcv.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4128
    - - C:\Users\Admin\AppData\Roaming\XIDBUby6NA.exe
        
        "C:\Users\Admin\AppData\Roaming\XIDBUby6NA.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3356
    - - C:\Users\Admin\AppData\Roaming\qZGEO3ECgK.exe
        
        "C:\Users\Admin\AppData\Roaming\qZGEO3ECgK.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 316
      4⤵
      Program crash
      PID:4272
- - C:\Users\Admin\AppData\Local\Temp\Files\Jigsaw.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Jigsaw.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1276
  - - C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\Files\Jigsaw.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:3040
- - C:\Users\Admin\AppData\Local\Temp\Files\PURLOG.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\PURLOG.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3756
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\Files\PURLOG.exe' -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4592
- - C:\Users\Admin\AppData\Local\Temp\Files\game.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\game.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2104
- - C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4584
- - C:\Users\Admin\AppData\Local\Temp\Files\build11.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\build11.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4196
  - - C:\Users\Admin\AppData\Local\Temp\onefile_4196_133771449921342826\stub.exe
      C:\Users\Admin\AppData\Local\Temp\Files\build11.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2284
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:3880
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:4504
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:3456
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
        5⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:3660
      - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
        6⤵
        Views/modifies file attributes
        
        PID:2868
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "schtasks /query /TN "MonsterUpdateService""
        5⤵
        
        PID:700
      - C:\Windows\system32\schtasks.exe
        
        schtasks /query /TN "MonsterUpdateService"
        6⤵
        
        PID:1176
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc onlogon /rl highest /tn "MonsterUpdateService" /tr "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
        5⤵
        
        PID:3828
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "MonsterUpdateService" /tr "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2860
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc hourly /mo 1 /rl highest /tn "MonsterUpdateService2" /tr "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
        5⤵
        
        PID:4900
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc hourly /mo 1 /rl highest /tn "MonsterUpdateService2" /tr "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2468
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Monster Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe" /f"
        5⤵
        
        PID:4480
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Monster Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:656
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
        5⤵
        
        PID:4520
      - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
        6⤵
        
        PID:2432
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
        5⤵
        
        PID:1188
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:4816
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3736
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        5⤵
        Clipboard Data
        
        PID:3508
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        6⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        5⤵
        
        PID:4128
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:3964
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        5⤵
        
        PID:1280
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:3856
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2120
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3364
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        5⤵
        Network Service Discovery
        
        PID:388
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:1360
      - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        6⤵
        
        PID:5008
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        6⤵
        Collects information from the system
        Suspicious use of AdjustPrivilegeToken
        
        PID:4516
      - C:\Windows\system32\net.exe
        
        net user
        6⤵
        
        PID:5104
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        7⤵
        
        PID:1524
      - C:\Windows\system32\query.exe
        
        query user
        6⤵
        
        PID:2100
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        7⤵
        
        PID:3012
      - C:\Windows\system32\net.exe
        
        net localgroup
        6⤵
        
        PID:2832
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        7⤵
        
        PID:3144
      - C:\Windows\system32\net.exe
        
        net localgroup administrators
        6⤵
        
        PID:2932
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        7⤵
        
        PID:1576
      - C:\Windows\system32\net.exe
        
        net user guest
        6⤵
        
        PID:3160
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        7⤵
        
        PID:4740
      - C:\Windows\system32\net.exe
        
        net user administrator
        6⤵
        
        PID:3408
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        7⤵
        
        PID:4388
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        6⤵
        
        PID:4180
      - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        6⤵
        Enumerates processes with tasklist
        
        PID:4304
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        6⤵
        Gathers network information
        
        PID:2176
      - C:\Windows\system32\ROUTE.EXE
        
        route print
        6⤵
        
        PID:2724
      - C:\Windows\system32\ARP.EXE
        
        arp -a
        6⤵
        Network Service Discovery
        
        PID:1488
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:2060
      - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        6⤵
        Launches sc.exe
        
        PID:4548
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4876
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1784
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:924
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:5152
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:5532
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:5604
- - C:\Users\Admin\AppData\Local\Temp\Files\shell.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\shell.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5852
- - C:\Users\Admin\AppData\Local\Temp\Files\9402.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\9402.tmp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5440
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\76FB.tmp\76FC.tmp\76FD.bat C:\Users\Admin\AppData\Local\Temp\Files\9402.tmp.exe"
      4⤵
      PID:1960
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4504
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1548
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1416
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4136
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4264
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3172
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6120
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:700
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5048
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5396
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5220
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5132
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2136
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1284
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1364
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4620
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3352
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3564
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5740
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1016
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4924
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2464
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5200
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1564
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3128
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2572
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1524
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5472
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5548
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5920
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5796
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:388
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4496
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:848
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4392
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1228
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5656
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5768
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5416
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5232
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5436
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5524
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5552
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5592
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5784
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6004
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1568
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:884
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5600
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1164
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1060
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4480
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6140
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5952
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3788
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4672
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3976
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4400
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4576
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4992
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:536
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2444
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2256
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1976
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5280
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1440
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3552
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5124
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5500
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5760
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6020
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1188
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4788
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5044
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2188
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4624
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4952
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:436
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6124
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4232
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3624
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1424
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2004
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1908
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5148
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5292
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4492
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5468
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5792
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3220
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5100
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4452
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4876
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6120
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3196
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5380
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5320
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1556
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2652
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1132
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3900
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5084
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4904
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5640
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5556
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5348
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5464
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2296
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2984
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4764
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5184
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2568
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5636
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6032
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5688
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5980
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1920
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3808
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5708
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5840
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6036
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2336
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4428
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1636
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3920
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4128
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2784
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5256
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2824
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6104
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5140
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3012
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1564
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3304
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3176
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5512
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5232
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5492
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5608
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5592
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5784
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6004
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5052
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5700
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5716
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5848
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5832
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4564
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2380
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4740
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5376
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4952
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1424
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:756
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1832
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1132
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5424
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5360
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4656
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5916
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2360
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4324
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2100
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5012
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4108
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5588
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3880
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5488
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5912
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6104
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5948
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:324
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6052
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5024
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6084
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4520
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6012
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2292
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5096
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3484
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3012
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5332
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4984
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1496
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5748
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6064
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5576
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5472
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5528
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4828
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4496
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2432
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5720
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4388
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5656
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5212
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5836
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5460
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5232
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5492
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5064
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5728
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3860
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6004
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5052
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:784
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4980
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5104
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4408
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1164
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4480
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:856
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5412
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3788
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3596
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1648
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1480
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4304
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4564
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1008
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2444
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4380
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1368
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3060
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4524
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5696
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5124
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5500
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5964
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4844
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5760
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2132
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1736
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2676
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3400
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4512
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3684
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6080
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4232
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:716
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2660
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1828
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4344
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4000
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4136
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5468
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5792
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3172
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4492
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1764
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3016
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1488
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3196
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1892
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1152
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1556
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:696
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4904
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2652
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5084
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5288
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:244
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5400
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5208
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5616
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4456
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5620
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5396
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:412
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5408
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5152
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5452
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5680
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5300
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5168
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4116
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2136
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1284
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5812
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5020
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6100
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2360
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2584
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4324
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1636
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4668
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6076
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3920
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3452
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5156
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3564
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3352
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2784
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3500
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5236
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4108
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5256
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5588
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:864
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5872
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5724
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:180
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4676
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5908
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4680
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4076
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3828
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:680
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3972
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5088
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4880
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4112
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3492
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1428
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5844
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5736
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1312
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5172
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3128
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5804
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5764
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5444
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:200
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5704
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2484
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2024
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5528
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2164
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3776
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:644
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:460
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5720
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4388
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5656
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5212
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5836
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5460
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5552
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5232
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1144
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5728
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3448
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5060
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5496
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:884
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5820
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5848
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5832
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5780
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3756
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6016
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5336
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3332
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2200
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2856
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3368
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2380
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4992
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:536
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2588
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1976
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3068
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2256
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1368
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4524
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5696
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5124
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5500
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1468
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1188
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6020
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2692
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4272
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4624
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:436
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3208
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4952
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2884
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4196
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1912
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:716
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2660
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1828
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4344
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4000
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3220
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3468
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5988
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4292
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4492
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1764
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3016
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1488
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3196
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3744
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6120
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1300
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2488
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1132
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4180
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5432
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5008
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1772
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5816
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5464
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2296
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2984
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5644
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5348
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5520
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3640
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5688
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6032
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3808
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4324
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5568
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4668
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2176
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3416
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5128
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1360
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1280
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5004
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1936
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4912
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5420
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5284
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3388
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5240
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1504
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5800
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1784
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5944
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5488
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1968
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5516
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1320
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6116
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2840
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5936
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1016
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5088
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4880
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4112
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3492
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5096
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2608
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3012
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5332
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4984
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5732
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5880
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5428
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1524
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5560
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2712
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3304
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4832
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:388
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4496
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4392
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3176
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1228
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5768
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5248
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5384
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4768
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5524
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5648
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5608
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5592
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5612
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5728
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3448
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5060
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3720
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5496
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5820
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5848
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5832
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5780
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2056
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6140
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5952
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2836
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1492
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2224
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1480
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3160
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:416
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4304
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2444
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5572
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4684
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1804
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3552
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5596
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5652
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6068
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:764
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4612
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2284
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5760
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2132
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4504
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2676
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2832
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6124
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5204
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4952
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3624
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1912
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:716
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2660
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1828
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4344
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4000
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3220
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3468
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4292
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4492
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1764
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3016
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1488
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3196
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3744
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6120
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1300
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2488
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1132
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4180
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5432
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5008
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1772
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5816
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5464
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2296
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2984
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5644
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5048
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5356
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5636
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3132
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4948
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2348
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5308
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:640
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5980
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5020
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5000
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2980
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5840
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3812
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1636
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3616
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4668
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3452
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3416
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5128
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3800
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4508
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5004
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5328
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:276
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4108
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5316
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1992
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5240
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5824
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5872
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5724
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5992
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1968
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5516
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1320
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:680
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1236
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2776
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6084
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2828
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6012
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2508
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3492
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5096
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2608
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:456
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5428
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2500
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5668
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5536
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:848
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4828
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5720
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2228
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5248
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1432
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6112
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3364
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5820
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5848
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5832
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5780
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2056
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5412
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4468
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3976
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1648
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4576
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2380
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1176
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4304
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:412
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1536
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5864
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2444
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5572
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4684
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1804
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3552
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5596
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5652
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6068
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:764
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4612
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2284
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5760
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2132
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4504
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3544
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6060
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2832
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4512
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5924
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2004
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2104
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2816
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1548
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5268
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5388
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5628
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5136
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3220
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5100
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3468
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4292
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4492
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1764
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3188
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3516
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5320
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1152
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:696
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3572
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5192
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3900
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5288
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:244
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5372
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5464
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3884
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4136
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5152
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5452
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5132
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5688
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6032
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2344
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4652
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:908
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1284
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2584
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6132
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1364
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5128
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5368
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:276
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5284
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6088
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5928
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5912
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6104
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6040
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2696
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5936
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5024
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5088
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2060
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5176
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1428
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4228
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5096
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1312
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4984
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5804
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5332
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5428
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:200
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2484
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2024
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5528
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5160
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1816
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4828
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3776
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2228
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5296
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1144
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5460
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5064
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3860
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1496
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5052
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2612
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:884
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5852
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5820
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5848
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5832
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5780
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1068
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5492
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5908
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5412
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4400
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5600
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1648
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4576
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2380
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1176
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5168
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2588
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3060
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3740
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1580
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4524
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5744
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5500
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:764
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4624
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5204
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5080
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4196
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1912
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1548
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5268
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5388
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5628
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5136
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3220
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5100
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3468
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4292
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4492
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1892
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3888
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2084
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1152
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:696
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3572
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5192
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3900
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5288
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:244
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1772
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2296
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5184
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5644
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5048
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5356
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5636
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3132
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6036
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2348
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5304
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5308
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5980
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5020
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1084
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1560
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3452
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3352
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2100
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4656
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2336
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1504
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6104
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2932
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3492
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1312
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5196
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3236
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4560
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4576
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2136
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4304
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2256
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4684
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1580
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5564
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1156
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5864
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1712
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:764
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2832
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4196
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3216
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1452
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1548
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4344
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:756
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:984
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4296
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1116
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5320
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2084
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2020
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4180
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5432
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5588
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5400
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5660
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4456
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5620
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2984
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5048
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5356
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5636
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3132
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6036
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3808
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5708
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6100
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4116
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3052
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5036
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4428
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1560
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1128
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3452
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3352
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3500
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5236
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2332
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1364
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2980
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2100
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4656
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2336
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1504
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5856
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6104
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4816
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5824
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3828
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1968
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5088
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6012
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5176
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:240
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:572
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5472
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5748
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:552
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4392
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5768
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5512
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5296
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5608
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5540
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4796
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1144
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:856
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:200
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2500
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5060
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5492
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:892
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1524
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5216
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4984
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:5948
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3160
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2836
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4576
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2000
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:6000
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2716
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1832
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3060
- - C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4444
  - - C:\Windows\sysnldcvmr.exe
      C:\Windows\sysnldcvmr.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5780
- - C:\Users\Admin\AppData\Local\Temp\Files\pp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\pp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5160
  - - C:\Users\Admin\AppData\Local\Temp\156688868.exe
      C:\Users\Admin\AppData\Local\Temp\156688868.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:3364
    - - C:\Users\Admin\sysnldcvmr.exe
        
        C:\Users\Admin\sysnldcvmr.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5480
      - C:\Users\Admin\AppData\Local\Temp\214512583.exe
        
        C:\Users\Admin\AppData\Local\Temp\214512583.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:5168
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        8⤵
        
        PID:4428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:2136
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        8⤵
        
        PID:1084
      - C:\Users\Admin\AppData\Local\Temp\534733401.exe
        
        C:\Users\Admin\AppData\Local\Temp\534733401.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\3013823666.exe
        
        C:\Users\Admin\AppData\Local\Temp\3013823666.exe
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:784
      - C:\Users\Admin\AppData\Local\Temp\719229664.exe
        
        C:\Users\Admin\AppData\Local\Temp\719229664.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2180
      - C:\Users\Admin\AppData\Local\Temp\2685219044.exe
        
        C:\Users\Admin\AppData\Local\Temp\2685219044.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\2228312724.exe
        
        C:\Users\Admin\AppData\Local\Temp\2228312724.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1968
- - C:\Users\Admin\AppData\Local\Temp\Files\ControlledAccessPoint.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ControlledAccessPoint.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5732
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:5216
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:4240
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:4984
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:2868
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" & rd /s /q "C:\ProgramData\EBAKKFHJDBKK" & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5832
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3788
- - C:\Users\Admin\AppData\Local\Temp\Files\mos%20ssssttttt.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\mos%20ssssttttt.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    PID:4496
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Files\mos%20ssssttttt.exe" "mos%20ssssttttt.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2568
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5680
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Files\mos%20ssssttttt.exe"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:6020
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5760
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Files\mos%20ssssttttt.exe" "mos%20ssssttttt.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:5044
- - C:\Users\Admin\AppData\Local\Temp\Files\PCSupport.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\PCSupport.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:6004
  - - C:\Users\Admin\AppData\Local\PhantomSoft\Support\winvnc.exe
      C:\Users\Admin\AppData\Local\PhantomSoft\Support\winvnc.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:5208
- - C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:4232
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:5020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:1416
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:3172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:4444
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:4620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:1596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:4836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2336
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2360
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:864
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5000
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:680
- C:\Windows\System32\dwm.exe
  C:\Windows\System32\dwm.exe
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3912 -ip 3912
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1192 -ip 1192
1⤵
PID:4524

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.fun

Filesize
32KB

MD5
829165ca0fd145de3c2c8051b321734f

SHA1
f5cc3af85ab27c3ea2c2f7cbb8295b28a76a459e

SHA256
a193ee2673e0ba5ebc5ea6e65665b8a28bd7611f06d2b0174ec2076e22d94356

SHA512
7d380cda12b342a770def9d4e9c078c97874f3a30cd9f531355e3744a8fef2308f79878ffeb12ce26953325cb6a17bc7e54237dfdc2ee72b140ec295676adbcb

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.fun

Filesize
160B

MD5
580ee0344b7da2786da6a433a1e84893

SHA1
60f8c4dd5457e9834f5402cb326b1a2d3ca0ba7e

SHA256
98b6c2ddfefc628d03ceaef9d69688674a6bc32eb707f9ed86bc8c75675c4513

SHA512
356d2cdea3321e894b5b46ad1ea24c0e3c8be8e3c454b5bd300b7340cbb454e71fc89ca09ea0785b373b483e67c2f6f6bb408e489b0de4ff82d5ed69a75613ba

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
41KB

MD5
f4b268da0a02e5ab500af7af57c12888

SHA1
074c556502535c63df629f1779c0ca59d603c029

SHA256
86b52ae9fcf0e8dd7943dbab5ae9ad88b11f15401c499b1cb3338e75e0dce900

SHA512
8364b5eaeafa7d8f3e78411dbbada9c1a334526edcbf090aa562bbda89ff78d44f81a529a1a0d74daf174139dfef8cad939ec27affb8eaa89a9c27f152d749f7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.fun

Filesize
8KB

MD5
f22599af9343cac74a6c5412104d748c

SHA1
e2ac4c57fa38f9d99f3d38c2f6582b4334331df5

SHA256
36537e56d60910ab6aa548e64ca4adafdcabde9d60739013993e12ba061dfd65

SHA512
5c8afc025e1d8342d93b7842dc7ef22eca61085857a80a08ba9b3f156ee3b814606bb32bc244bd525a7913e7915bdf3a86771d39577f4a1176ade04dc381c6d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1728303385.txt.fun

Filesize
16B

MD5
8ebcc5ca5ac09a09376801ecdd6f3792

SHA1
81187142b138e0245d5d0bc511f7c46c30df3e14

SHA256
619e246fc0ac11320ff9e322a979948d949494b0c18217f4d794e1b398818880

SHA512
cec50bfc6ad2f57f16da99459f40f2d424c6d5691685fa1053284f46c8c8c8a975d7bcb1f3521c4f3fbdc310cf4714e29404aa23be6021e2e267c97b090dc650

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\._cache_aspnet_regiis.exe

Filesize
297KB

MD5
0279038d1b86b5a268bd51b24a777d15

SHA1
4218e271f2c240b2823f218cf1e5a8f377ea5387

SHA256
666a9667e2a6d8cda89e324f4a63fad303a2719dd27d09a133d41dac44c79b9e

SHA512
bcaace0691de38672f365f20f34b1754d04afa4b346c45cf2a55c7a26651a337a1fdcdcb4706be441ae9e9cb8c69786d4b9117a944273982723a98fbb3fdd178

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\2.exe

Filesize
673KB

MD5
b859d1252109669c1a82b235aaf40932

SHA1
b16ea90025a7d0fad9196aa09d1091244af37474

SHA256
083d9bc8566b22e67b553f9e0b2f3bf6fe292220665dcc2fc10942cdc192125c

SHA512
9c0006055afd089ef2acbb253628494dd8c29bab9d5333816be8404f875c85ac342df82ae339173f853d3ebdb2261e59841352f78f6b4bd3bff3d0d606f30655

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\3544436.exe

Filesize
1.3MB

MD5
1de4c3cc42232c1e3d7c09404f57b450

SHA1
28adaa72fe927ade1b3e073de288e1b6f294d346

SHA256
131e2baac32f898ab2d7da10d8c79f546977bc1d1d585ba687387101610ed3b9

SHA512
580aae865d815236e1030b173b67dc7002c70cb82caf00953999174833ce22512a4276cae4357b81e0c44e83dbf22eee9713c1138db0887e6f83d72495255671

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\9402.tmp.exe

Filesize
236KB

MD5
f1831e8f18625bb453d1bd5db5bd100d

SHA1
61d4770b0ea0ee3abb337a53ebce68a891ff01fd

SHA256
88f73b620d5c9e8cd51976e464208ac6cb4a13d19083187ad273ec6b5f33e6d1

SHA512
a2cce1122756098ad6bb11c3398bc9f04f63a83a92a7b619ba629b03ec314acc29197be22f7a5b5c8f003e58a563b065564530649c68b2cbeeecfe95db6564de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\BaddStore.exe

Filesize
983KB

MD5
26d737343527707f7e4fbad11ef723ad

SHA1
177c6e44f09beb131d9d8d5a92f07e6099b0ba20

SHA256
079cf111fe3c63bd27b7bb93c589c250e519bea006aea9e0a5be2a9e4503d45e

SHA512
86176b637ced30198fe944235d378d509fbefb6b0789cdd0a4497b02552ef1d659df235de5dde776c9de0f98f892206a290b26855bafed373b1d085ce9afa6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Bluescreen.exe

Filesize
422KB

MD5
e021ad0649b6e06642965239a0f1dffb

SHA1
94da03a329d00a4efebff2cfb18471076326b207

SHA256
a872ab63fd3e70627d7bf28a74045a5fca407d79a950ac1fdbcecd6b7672469f

SHA512
e549f1371f5755b684a4a5369492400f61920edfd4b9e0187784b4533219ae77fa48248ad90c54b2f1d63da80821ad620455ed7fa7ac7f2850d5b574d8a5aa43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ControlledAccessPoint.exe

Filesize
594KB

MD5
f275736a38a6b90825076e8d786ad5c5

SHA1
c0d862ceab728736580f043316cdc099b2ab8924

SHA256
b48eeab60494eb44d8d5ef10a87fd46ad1aa33fdcf7245efb636f69f2fd55f42

SHA512
b6662ee0426b45c5629808718613a687808deeaca692bb00d26ac5c9098b8a36a126ef80eca470db085aa5a84e38a9ee088a165cea821bf1226055a4fd842711

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Edge.exe

Filesize
1.9MB

MD5
e30340895091ee6f449576966e8448fb

SHA1
4ccb079e7eedbf7113a803c6859241bb56978b4f

SHA256
126d9d9886f57e39642744a8bf62681577fbee52b88fba4c4c5097b04501eade

SHA512
c9116fc043e188b50294ebf8f3b661c55d73735773f61d90ae6d2f1ad06f84aabeb80953a7cddce7e7f75cefd979f16d684c81dd853bd0673536252882a6e0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Identification.exe

Filesize
8.0MB

MD5
2ecb08bc874649148c0b23e832f522f7

SHA1
bbb35ca8eb64b1d1ae9488b5b8ad5aa366f5d324

SHA256
17f256015c257cd0b73d14d0d908ccbc317b7e1d8f5ceab2f855c277d7f97e6d

SHA512
740e33323e5ef43114e15360122c2f7a1e6d8f8d10bbd90869e93977464f716b0a44d5e1397d1fc5d175afa88bc3107d6c7bff19f5597ac5562dbb8fafbb3df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Jigsaw.exe

Filesize
283KB

MD5
2773e3dc59472296cb0024ba7715a64e

SHA1
27d99fbca067f478bb91cdbcb92f13a828b00859

SHA256
3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

SHA512
6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\PCSupport.exe

Filesize
533KB

MD5
eeabe641c001ce15e10f3ee3717b475a

SHA1
10fdda016fc47390017089367882281c6d38769f

SHA256
bb5ef9f70483ed7c79e37eca9dd136a514a346943edfe2803e27d1f6b262f05a

SHA512
1b0b9a398cf5a5e7c5ab0035796d07db720a8babcaf93fc92d1119ada5785c9de4d5df6a0ed10a29198cb4cd7c57da50ef4dc4c4fba5c77f72bf9fdcb73ac55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\PURLOG.exe

Filesize
1.8MB

MD5
457c9342db5fc82febdcf8a348123a0e

SHA1
e887c2a3159d59528550c775f9779c960e561f0d

SHA256
c4343749a452155318b249b122c8482e953994e31627cbc82a3c3e52c21ef902

SHA512
128c63e21e9998db3bc39411a5a0a83bca49fe2c86e45fd17a99d8d2f2cd84b926599b2472d7533931e021bbf3d44d0581e0b091870eb2c0dd895098bd229b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Petya.A.exe

Filesize
225KB

MD5
af2379cc4d607a45ac44d62135fb7015

SHA1
39b6d40906c7f7f080e6befa93324dddadcbd9fa

SHA256
26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

SHA512
69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Runtime%20Broker.exe

Filesize
3.1MB

MD5
9f21c5defc330f0dea3213ad5b052cf0

SHA1
a7ea175406dab963010b68862cb57e861c8c78cd

SHA256
196d1453bd12ee6fcc39a27be01a89c308f3224b61569f5de8d4770d4a1379f0

SHA512
683b79e18349daa9df4694a40d9f8caaebec9ee2deaaf4ff2554b300b8fba8b6b92619f426c970a5a0cf17f541e73a45d5d093d85c234f15da3d14b6ae296eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\S%D0%B5tup.exe

Filesize
6.4MB

MD5
58002255ca7651f46ffd07793008bad2

SHA1
bb9248a25b0ba2e969d9ad45715afd959a53915f

SHA256
6c77c2a923fae249f3f2c0d4c2f5153896a09076ffd9699b3a067b7f7d1da0fe

SHA512
875ef86bfbf239ac47d3167ff83a9519b0dd1103eb12c1e08d879acd7ba89afdb3df9ec60d9b0060921664e530c870e48da24b8e2b27bce16dc2a13b0e87726b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\SemiconductorNot.exe

Filesize
1.1MB

MD5
7adfc6a2e7a5daa59d291b6e434a59f3

SHA1
e21ef8be7b78912bed36121404270e5597a3fe25

SHA256
fbb957b3e36ba1dda0b65986117fd8555041d747810a100b47da4a90a1dfd693

SHA512
30f56bd75fe83e8fb60a816c1a0322bc686863d7ab17a763fff977a88f5582c356b4fcfe7c0c9e3e5925bfee7fc44e4ea8b96f82a011ed5e7cd236253187181b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\World%20of%20Tanks.exe

Filesize
72KB

MD5
b3520940042d52305df325050a95d98a

SHA1
41c423785a528937a3761004327e862743071529

SHA256
1d728a4c330add4b8a4196e1d698fd4c857a004ed5b51e5b97c6ddd5eb671490

SHA512
1e5e9bbe3244db95bfbda1a770c813a73e84bcc869c1b34627fb0b971094d0421b134f92160681759288bbb9387441242924811ba463c8abb2fc6647d424eb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe

Filesize
69KB

MD5
d7e7388184d510f7fd4acc4cae6dc66e

SHA1
b6e6818288c1147aa34fed53cc0f4252c0d5d8b4

SHA256
f265d5394e8484ac12325631b752721a140091546c0aead0d6139e8ca4376cf3

SHA512
cf6e7f7b707bec6e951cdfef846b66a56579f4610a2889746fe6ba8b4166055f202f5d4eeaa56fa8a3e5e5c86f9996b25292d22feebc24584f0ba405e24d4990

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\build11.exe

Filesize
10.7MB

MD5
2cb47309bb7dde63256835d5c872b2f9

SHA1
8baa9effc09cf80b4a1bac1aa2aa92b38c812f1d

SHA256
18687a2ceebf3eda4a11a2ef0b1d85360d8837ad05c1b57f9f749ea06578848e

SHA512
3db4a42cbf6bc26d77320bf747e7244e54320b5e6ebf6a65bfd731beb7e99958bc5b7e9fe3ab1579becd42c588789c2185be74f143d120041b0331b316017104

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cclent.exe

Filesize
3.1MB

MD5
94222631ef1071a4f7ceb180cf8a4a5a

SHA1
786d8b2d8b931a9282ee54367d2dda501f1ca946

SHA256
a45b373b780f5b9fcf5c51473c69bbf0ed650f300523097602b35f5222bd122b

SHA512
00503983a35e8d0f65eea6a811d7177a389cb1b4d8716d32e50fd5346deb428cd472cbaca7375c56ac3f113ea76db55322993b4d68d816b50a4b27887a2fa14d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\chrome_93.exe

Filesize
8.1MB

MD5
1248d4a486d79f6828c60b8385a1c2c6

SHA1
62c5e5305a75c60c8295aed427d5cc284ee97f1b

SHA256
addaf820ebd6d96728a5fb379579ee1536fb0993f6041d9ceef6e9e439c612a4

SHA512
16bd84d597f601d6ab81204e8431a270dac9ed6331d95dc1944ba0a814b139d68431dabb3249d5e789218bce3c8a3379855f1a142686de109d23bcbb64e6adb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\gagagggagagag.exe

Filesize
65KB

MD5
7f20b668a7680f502780742c8dc28e83

SHA1
8e49ea3b6586893ecd62e824819da9891cda1e1b

SHA256
9334ce1ad264ddf49a2fe9d1a52d5dd1f16705bf076e2e589a6f85b6cd848bb2

SHA512
80a8b05f05523b1b69b6276eb105d3741ae94c844a481dce6bb66ee3256900fc25f466aa6bf55fe0242eb63613e8bd62848ba49cd362dbdd8ae0e165e9d5f01c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\game.exe

Filesize
3.6MB

MD5
49a4df6234a85f29ff15b8d58dcb995b

SHA1
f85b7f5e5f4075a528a76c69052a3a772799c718

SHA256
4b77e49987843ca290926630aa7e1bc0e29b84b094a44495898e490367af658e

SHA512
7a8ca5cae878bda825ba73478ec36844508e503c282ca9bdc3cc2013780f5cdb500a14f60d885b684a15ad2657c493da2d089db3d20e1a64e09ea4c376f719c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\gsprout.exe

Filesize
278KB

MD5
92ae7a1286d992e104c0072f639941f7

SHA1
d2c0fe4e7e9df1b4a9a4cd69e3167003e51c73b2

SHA256
1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3

SHA512
bed93d1e09f576c52b231046cbf9a4ef81ebb2f68eaa6fc7b0eea889418e5f3af440fef5da55882b5535f26d994fdd34c288ba62e7fb033f5bd372cf752bb62b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\khtoawdltrha.exe

Filesize
1.2MB

MD5
21eb0b29554b832d677cea9e8a59b999

SHA1
e6775ef09acc67f90e07205788a4165cbf8496ca

SHA256
9aaa862061c903f3f5a1d509f0016a599b9152d02ea0365dfd3bbd9c5c147656

SHA512
e7434e0d46e37e4a76bd8e394063a3ac531892b972347b3de8aa71689ded1ce4968b1a1defda720af4cfa66037390cbe771105e7bf892ef640cbee12e862e742

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\main.exe

Filesize
5.4MB

MD5
935ddf8c175da8cb95fff0870e0718fc

SHA1
8c026153157f0b84e29080326bbbd1ea6d1ddcb6

SHA256
19ea2bfba48a832b1342fdb60e1d5686d47f3b788d3de162f6ff087a71ed96e4

SHA512
bc77c2ede8a5c4f8fb8b23cc5b9299cbb0af12ee4dbd4d1519c1fbc9835b89d38acbfe0e987ea73c7944823e69e91fae5cd2e3a3d4b1ea0fc96e8ff0390fc0a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\mos%20ssssttttt.exe

Filesize
93KB

MD5
8be7cd574b5424c43a6d0ccc4a989412

SHA1
946d22547849765d756071f63be3417b30f39c6f

SHA256
87a40d2e8ebe033ff3d359309dda136f1bced5c5578c8ea7d05b9d97e5adb12f

SHA512
8aff9965a7c8ccb357b3e026c2b65eb0457d4967ddbbb269f781ce62c9c77667b3a7ed4e8794bdaff6a7adfd46757cf1579bf740ec5a0d2747efa824bcf18eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe

Filesize
20KB

MD5
2473392c0a773aad20da1519aa6f464b

SHA1
2068ffd843bb8c7c7749193f6d1c5f0a9b97b280

SHA256
3d33e8778ea8194d486d42784411e8528c602594abdf3e32cdcee521a10f3ce7

SHA512
5455866f5fc53ae48ff24222b40a264bf673102435abeac2a61ba6fcaa1de429d8f078d4d065cb5d77b96de87f343579651b718e0a60934fb9fa35818d948074

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pp.exe

Filesize
10KB

MD5
08dafe3bb2654c06ead4bb33fb793df8

SHA1
d1d93023f1085eed136c6d225d998abf2d5a5bf0

SHA256
fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700

SHA512
9cf2bd749a9ee6e093979bc0d3aacfba03ad6469c98ff3ef35ce5d1635a052e4068ac50431626f6ba8649361802f7fb2ffffb2b325e2795c54b7014180559c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\shell.exe

Filesize
72KB

MD5
390c469e624b980db3c1adff70edb6dd

SHA1
dc4e0bf153666b5ca2173f480a3b62c8b822aa85

SHA256
3bb815b5af569dbad7f8f4cccc8e82000ba9b3baedf92e510253af13d60a084a

SHA512
e9c8be87d6692480e4c9ca0717ffda8c3023846722c54a74384f80ecae91a8d16be460c78a58419c9fb6e4507faf5ffa66af6f5e57a15ef35e3244c431f2c1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\si.exe

Filesize
7KB

MD5
52fc73bf68ba53d9a2e6dc1e38fdd155

SHA1
35aeb2f281a01bbc32a675bfa377f39d63a9256a

SHA256
651c40eac524ff5749cfd5d80705d6e2b3d52831e4539b7d2642267b913d0701

SHA512
58eeaa3f8cd094a5edbdda1815a212e5321edf0eca7d00556636c3b54fbe8975e030279430d4da037e1fc5074796bc19532326888072f280c89b600f937445b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe

Filesize
1.1MB

MD5
8911e8d889f59b52df80729faac2c99c

SHA1
31b87d601a3c5c518d82abb8324a53fe8fe89ea1

SHA256
8d0c2f35092d606d015bd250b534b670857b0dba8004a4e7588482dd257c9342

SHA512
029fd7b8b8b03a174cdc1c52d12e4cf925161d6201bbe14888147a396cd0ba463fd586d49daf90ec00e88d75d290abfeb0bb7482816b8a746e9c5ce58e464bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\wow.exe

Filesize
106KB

MD5
a09ccb37bd0798093033ba9a132f640f

SHA1
eac5450bac4b3693f08883e93e9e219cd4f5a418

SHA256
ff9b527546f548e0dd9ce48a6afacaba67db2add13acd6d2d70c23a8a83d2208

SHA512
aab749fedf63213be8ceef44024618017a9da5bb7d2ba14f7f8d211901bbb87336bd32a28060022f2376fb6028ac4ceb6732324c499459a2663ee644e15fde06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\xxxx.exe

Filesize
122KB

MD5
31fa485283c090077fb15a0831fd89f7

SHA1
5be3539600b869f25da4295c7cc350a4ade483d6

SHA256
32268f4d7203997102b3e92c592dc498e407f0d8786a1107d633d9495fc9f2b0

SHA512
305d538bbe84191779ce6315bff8193ce0b202c5ed664127713c207549297485ee416aee984d39eae436d5482310581bb8db584ce6f84145fc6f32e7098b6f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\zxcv.exe

Filesize
1.1MB

MD5
a5cf5de46ec3f0a677e94188b19e7862

SHA1
d07e3fd100c423662dbb3ed85713ff7b87c52e60

SHA256
450ac7367b33ac0d26ee08c5371ba668d9d3331a8c119520eb5ca4a46f91973c

SHA512
1d2d91625f971f71670a36340092ab9ac0a35a4ac791a46ee8b055894cdf3b7fc7030e4d27f973d738b85295c31a4bfbe5c033b07a5f7ebf10508d75043c1ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd

Filesize
7.5MB

MD5
81ad4f91bb10900e3e2e8eaf917f42c9

SHA1
840f7aef02cda6672f0e3fc7a8d57f213ddd1dc6

SHA256
5f20d6cec04685075781996a9f54a78dc44ab8e39eb5a2bcf3234e36bef4b190

SHA512
11cd299d6812cdf6f0a74ba86eb44e9904ce4106167ebd6e0b81f60a5fcd04236cef5cff81e51ed391f5156430663056393dc07353c4a70a88024194768ffe9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll

Filesize
1.4MB

MD5
926dc90bd9faf4efe1700564aa2a1700

SHA1
763e5af4be07444395c2ab11550c70ee59284e6d

SHA256
50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0

SHA512
a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_hashlib.pyd

Filesize
1.1MB

MD5
55a29ec9721c509a5b20d1a037726cfa

SHA1
eaba230581d7b46f316d6603ea15c1e3c9740d04

SHA256
dbdcf9e8cba52043b5246ad0d234da8ba4d6534b326bbbb28a6a391edf6fa4ce

SHA512
e1a2993d4dd5f2e81f299fe158ee6d1f8ef95983113c9bea9a087e42205ff06ac563762de5a0b70b535efe8cf9f980ffc14c1318aaf58de3644277e3602e0ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_socket.pyd

Filesize
45KB

MD5
3986998b3753483f8b28c721fef6f8e4

SHA1
2ef3c0fac94c85276721ee2980f49b1bafef597d

SHA256
cbc23d6c2e3e2950452c7d255da1452338301a4c9a0b09eba83287709d2a5000

SHA512
258e2805440b36e20702c1447597698ef18a5a7f890cfece55bd4f797073c87e7bde659db3e2474e9b998213d76e2c3d5221659c6827237e06b3b6f4b3643ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_ssl.pyd

Filesize
1.4MB

MD5
9be53b53c1ec6b56663f45464edfcde9

SHA1
f8f5dd5640d594a2b53f5bbd12893c11cf4b7d55

SHA256
b572bf14ca3d3e5158b89314b6fe2129a753edaca1958e252784561f33f9ecda

SHA512
a52727b54a03246b74460a2741324b371ccaa083a4f3123fd1175a3061d3b6707ddbaaa73b3e39435cffd8d3018ee2dee8bad6c58a17faa55b6d05a3b38ee78b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\data.exe.manifest

Filesize
1KB

MD5
585bdfe3fa40f4667674269e31cb3cdb

SHA1
646df297c69aee3e57293521346118edebe248e2

SHA256
dec743e7fe1078b06b91d60b03609de800d81756c61004b8f2f0234d15757903

SHA512
a21f6e7e24bd736279a2a49ccedbd94d2bd366673a5d9f0966ce5a2a5a1a1e2a6bbe68f39a525a8b3083aac82d1b0a145fed52fbfa1a3505f1a17ca432f6f20d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\python27.dll

Filesize
2.5MB

MD5
9e9e57b47f4f840dddc938db54841d86

SHA1
1ed0be9c0dadcf602136c81097da6fda9e07dbbc

SHA256
608feafc63a0d1b38772e275c9e6d3b8a5b03efc0a27eb397107db0a6d079c50

SHA512
1a0dab38ebf4d995bcda3bdf0453c85d524cc1fff1c1b92160794d7c2f98f53088ba15c4b00b35d06e0be82a4bfa6d92cd4f09dec4ec98d615a82d5ffd5cb6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vy33ghea.dwk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4196_133771449921342826\_bz2.pyd

Filesize
81KB

MD5
a4b636201605067b676cc43784ae5570

SHA1
e9f49d0fc75f25743d04ce23c496eb5f89e72a9a

SHA256
f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c

SHA512
02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4196_133771449921342826\_ctypes.pyd

Filesize
119KB

MD5
87596db63925dbfe4d5f0f36394d7ab0

SHA1
ad1dd48bbc078fe0a2354c28cb33f92a7e64907e

SHA256
92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4

SHA512
e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4196_133771449921342826\_lzma.pyd

Filesize
154KB

MD5
b5fbc034ad7c70a2ad1eb34d08b36cf8

SHA1
4efe3f21be36095673d949cceac928e11522b29c

SHA256
80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6

SHA512
e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4196_133771449921342826\_sqlite3.pyd

Filesize
95KB

MD5
7f61eacbbba2ecf6bf4acf498fa52ce1

SHA1
3174913f971d031929c310b5e51872597d613606

SHA256
85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e

SHA512
a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4196_133771449921342826\python3.dll

Filesize
63KB

MD5
07bd9f1e651ad2409fd0b7d706be6071

SHA1
dfeb2221527474a681d6d8b16a5c378847c59d33

SHA256
5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5

SHA512
def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4196_133771449921342826\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4196_133771449921342826\stub.exe

Filesize
16.2MB

MD5
9cb4cf7e6b271413430c9b3eea8aafa2

SHA1
5d789fc3756e2f5e113aeba0f9f3053e88db59b3

SHA256
0728e88b0c32282e2750d77d172c2454a0fa53bf6a093c7885c93641cf5e794f

SHA512
f34db1ba8e1083570318c05370cc24af61dd507532c1c867cd90cc6b5c7fbae2dfde9b4dc13edc1e5587efe74ebfdccfa2c0e095f2ae0477c49cdecc5e6d034b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4196_133771449921342826\vcruntime140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Roaming\XIDBUby6NA.exe

Filesize
331KB

MD5
fd381b2627904d8365229d1ddd7e221f

SHA1
d7bcbabb6cd84875cc76f8170833ac679cd7d915

SHA256
ed5ac0c0d07595eb99ccc7346faab8504eb03000da1012abc1009c0cfbd4d4b9

SHA512
2b1e15b539d55b92f31c61cff954dafa61a44f7ccf75d113ab57ad54e9a8cbde304a285d0583663a206f648fd4f3b63257dbedf3df608d0391353ffb4aa78daf

Download Submit
C:\Users\Admin\AppData\Roaming\d3d9.dll

Filesize
534KB

MD5
a6da8d868dbd5c9fe6b505db0ee7eb71

SHA1
3dad32b3b3230ad6f44b82d1eb1749c67800c6f8

SHA256
4ad69afb341c6d8021db1d9b0b7e56d14b020a0d70739e31f0b65861f3c4eb2c

SHA512
132f54ac3116fd644c57840c893dae2128f571a784ceaa6dd78bafa3e05fc8f2a9d2458f1e1cf321b6cecc2423d3c57ff6d3c4b6b60f92a41b665105a3262dd0

Download Submit
C:\Users\Admin\AppData\Roaming\qZGEO3ECgK.exe

Filesize
340KB

MD5
131d164783db3608e4b2e97428e17028

SHA1
c00064a0f4952f5a37093cd7631f5921f9c00387

SHA256
05053f2a6db0f5352295ce4ca7146618ddb175f1ff4cdcd93a055a039c098e5f

SHA512
020b22527d0e555509897ce2df876bf2a30e3fc976cd86e52335104cf0f9db152caa8b46650a8bd0022b3cbaf3d20e0201322e3617e00eb0f25c6fcba245c505

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
C:\Windows \System32\ComputerDefaults.exe

Filesize
68KB

MD5
640693107ee411d8e862ab115d7b4639

SHA1
497435f5727c5bfe31331ba245e9b7b95dc69d2a

SHA256
a2794be7cb7a4ad2f526fe91ca95a36b2ec1648b288088eaa4809402c7b2c6f4

SHA512
3a554fe1d8d23f06ac86bb078b3e5b4815722adbacbf9492b5b7ad27bf27d44dd948387268dedc2943afc3557ef234e8882475c813cc5f5f4ab566e52bbb03db

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
C:\Windows\Temp\uemifpedmtrl.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
memory/640-9789-0x000000001C730000-0x000000001C780000-memory.dmp

Filesize
320KB

Download
memory/640-9790-0x000000001C840000-0x000000001C8F2000-memory.dmp

Filesize
712KB

Download
memory/984-6022-0x0000000000650000-0x000000000074C000-memory.dmp

Filesize
1008KB

Download
memory/1276-140-0x00000000014A0000-0x00000000014D8000-memory.dmp

Filesize
224KB

Download
memory/1276-141-0x000000001BEC0000-0x000000001C38E000-memory.dmp

Filesize
4.8MB

Download
memory/1276-142-0x000000001C390000-0x000000001C42C000-memory.dmp

Filesize
624KB

Download
memory/1364-9287-0x0000000004FC0000-0x000000000505E000-memory.dmp

Filesize
632KB

Download
memory/1364-6419-0x0000000004E20000-0x0000000004F2E000-memory.dmp

Filesize
1.1MB

Download
memory/1364-6418-0x0000000000700000-0x00000000007DA000-memory.dmp

Filesize
872KB

Download
memory/1384-9787-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1560-6369-0x00007FF6D2CA0000-0x00007FF6D3BBF000-memory.dmp

Filesize
15.1MB

Download
memory/1560-6315-0x00007FF6D2CA0000-0x00007FF6D3BBF000-memory.dmp

Filesize
15.1MB

Download
memory/1596-6339-0x0000026FCCD80000-0x0000026FCCD9C000-memory.dmp

Filesize
112KB

Download
memory/1596-6344-0x0000026FCCDB0000-0x0000026FCCDBA000-memory.dmp

Filesize
40KB

Download
memory/1596-6343-0x0000026FCCDA0000-0x0000026FCCDA6000-memory.dmp

Filesize
24KB

Download
memory/1596-6337-0x0000026FCCBA0000-0x0000026FCCC53000-memory.dmp

Filesize
716KB

Download
memory/1596-6336-0x0000026FCCB80000-0x0000026FCCB9C000-memory.dmp

Filesize
112KB

Download
memory/1596-6342-0x0000026FCCC70000-0x0000026FCCC78000-memory.dmp

Filesize
32KB

Download
memory/1596-6341-0x0000026FCCDC0000-0x0000026FCCDDA000-memory.dmp

Filesize
104KB

Download
memory/1596-6340-0x0000026FCCC60000-0x0000026FCCC6A000-memory.dmp

Filesize
40KB

Download
memory/1596-6338-0x0000026FCC970000-0x0000026FCC97A000-memory.dmp

Filesize
40KB

Download
memory/1944-9634-0x00007FF771320000-0x00007FF77223F000-memory.dmp

Filesize
15.1MB

Download
memory/1944-9602-0x00007FF771320000-0x00007FF77223F000-memory.dmp

Filesize
15.1MB

Download
memory/2104-1289-0x0000000000400000-0x00000000013FB000-memory.dmp

Filesize
16.0MB

Download
memory/2116-5848-0x0000000000FB0000-0x0000000000FB6000-memory.dmp

Filesize
24KB

Download
memory/2192-1664-0x000001E1B08B0000-0x000001E1B08D2000-memory.dmp

Filesize
136KB

Download
memory/2304-186-0x0000000000260000-0x00000000002BA000-memory.dmp

Filesize
360KB

Download
memory/2304-891-0x000000001D620000-0x000000001D65C000-memory.dmp

Filesize
240KB

Download
memory/2604-9726-0x0000000000640000-0x0000000000964000-memory.dmp

Filesize
3.1MB

Download
memory/2900-6204-0x0000000005150000-0x00000000051E2000-memory.dmp

Filesize
584KB

Download
memory/2900-6205-0x00000000050F0000-0x00000000050FA000-memory.dmp

Filesize
40KB

Download
memory/2900-6046-0x00000000003D0000-0x00000000003E6000-memory.dmp

Filesize
88KB

Download
memory/2900-6223-0x0000000005E80000-0x0000000005EE6000-memory.dmp

Filesize
408KB

Download
memory/2900-6203-0x0000000005560000-0x0000000005B06000-memory.dmp

Filesize
5.6MB

Download
memory/3040-1275-0x000000001C640000-0x000000001C648000-memory.dmp

Filesize
32KB

Download
memory/3068-6314-0x00007FF72CF20000-0x00007FF72DE3F000-memory.dmp

Filesize
15.1MB

Download
memory/3068-6199-0x00007FF72CF20000-0x00007FF72DE3F000-memory.dmp

Filesize
15.1MB

Download
memory/3068-6284-0x00007FF72CF20000-0x00007FF72DE3F000-memory.dmp

Filesize
15.1MB

Download
memory/3144-75-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/3356-842-0x000000001C280000-0x000000001C292000-memory.dmp

Filesize
72KB

Download
memory/3356-184-0x0000000000610000-0x0000000000668000-memory.dmp

Filesize
352KB

Download
memory/3356-841-0x000000001D7E0000-0x000000001D8EA000-memory.dmp

Filesize
1.0MB

Download
memory/3400-23-0x0000000074A80000-0x0000000075231000-memory.dmp

Filesize
7.7MB

Download
memory/3400-33-0x0000000074A80000-0x0000000075231000-memory.dmp

Filesize
7.7MB

Download
memory/3400-16-0x0000000074A80000-0x0000000075231000-memory.dmp

Filesize
7.7MB

Download
memory/3400-15-0x00000000003D0000-0x000000000047E000-memory.dmp

Filesize
696KB

Download
memory/3480-9783-0x00000000000C0000-0x00000000000E4000-memory.dmp

Filesize
144KB

Download
memory/3544-6233-0x0000000000DD0000-0x0000000000DE8000-memory.dmp

Filesize
96KB

Download
memory/3756-227-0x00000279B0040000-0x00000279B01EA000-memory.dmp

Filesize
1.7MB

Download
memory/3756-233-0x00000279B0040000-0x00000279B01EA000-memory.dmp

Filesize
1.7MB

Download
memory/3756-203-0x00000279B0040000-0x00000279B01EA000-memory.dmp

Filesize
1.7MB

Download
memory/3756-201-0x00000279B0040000-0x00000279B01EA000-memory.dmp

Filesize
1.7MB

Download
memory/3756-229-0x00000279B0040000-0x00000279B01EA000-memory.dmp

Filesize
1.7MB

Download
memory/3756-237-0x00000279B0040000-0x00000279B01EA000-memory.dmp

Filesize
1.7MB

Download
memory/3756-239-0x00000279B0040000-0x00000279B01EA000-memory.dmp

Filesize
1.7MB

Download
memory/3756-241-0x00000279B0040000-0x00000279B01EA000-memory.dmp

Filesize
1.7MB

Download
memory/3756-243-0x00000279B0040000-0x00000279B01EA000-memory.dmp

Filesize
1.7MB

Download
memory/3756-225-0x00000279B0040000-0x00000279B01EA000-memory.dmp

Filesize
1.7MB

Download
memory/3756-245-0x00000279B0040000-0x00000279B01EA000-memory.dmp

Filesize
1.7MB

Download
memory/3756-247-0x00000279B0040000-0x00000279B01EA000-memory.dmp

Filesize
1.7MB

Download
memory/3756-249-0x00000279B0040000-0x00000279B01EA000-memory.dmp

Filesize
1.7MB

Download
memory/3756-200-0x00000279B0040000-0x00000279B01EA000-memory.dmp

Filesize
1.7MB

Download
memory/3756-223-0x00000279B0040000-0x00000279B01EA000-memory.dmp

Filesize
1.7MB

Download
memory/3756-1285-0x00000279B0320000-0x00000279B036C000-memory.dmp

Filesize
304KB

Download
memory/3756-221-0x00000279B0040000-0x00000279B01EA000-memory.dmp

Filesize
1.7MB

Download
memory/3756-1284-0x00000279B01F0000-0x00000279B031A000-memory.dmp

Filesize
1.2MB

Download
memory/3756-219-0x00000279B0040000-0x00000279B01EA000-memory.dmp

Filesize
1.7MB

Download
memory/3756-231-0x00000279B0040000-0x00000279B01EA000-memory.dmp

Filesize
1.7MB

Download
memory/3756-217-0x00000279B0040000-0x00000279B01EA000-memory.dmp

Filesize
1.7MB

Download
memory/3756-209-0x00000279B0040000-0x00000279B01EA000-memory.dmp

Filesize
1.7MB

Download
memory/3756-215-0x00000279B0040000-0x00000279B01EA000-memory.dmp

Filesize
1.7MB

Download
memory/3756-213-0x00000279B0040000-0x00000279B01EA000-memory.dmp

Filesize
1.7MB

Download
memory/3756-211-0x00000279B0040000-0x00000279B01EA000-memory.dmp

Filesize
1.7MB

Download
memory/3756-235-0x00000279B0040000-0x00000279B01EA000-memory.dmp

Filesize
1.7MB

Download
memory/3756-207-0x00000279B0040000-0x00000279B01EA000-memory.dmp

Filesize
1.7MB

Download
memory/3756-205-0x00000279B0040000-0x00000279B01EA000-memory.dmp

Filesize
1.7MB

Download
memory/3756-199-0x00000279B0040000-0x00000279B01F0000-memory.dmp

Filesize
1.7MB

Download
memory/3756-198-0x0000027995890000-0x0000027995A5A000-memory.dmp

Filesize
1.8MB

Download
memory/3756-1826-0x00000279B0EF0000-0x00000279B0F44000-memory.dmp

Filesize
336KB

Download
memory/3872-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/3872-3-0x0000000074A80000-0x0000000075231000-memory.dmp

Filesize
7.7MB

Download
memory/3872-2-0x0000000004F20000-0x0000000004FBC000-memory.dmp

Filesize
624KB

Download
memory/3872-93-0x0000000074A80000-0x0000000075231000-memory.dmp

Filesize
7.7MB

Download
memory/3872-92-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/3872-1-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/3872-10093-0x0000000074A80000-0x0000000075231000-memory.dmp

Filesize
7.7MB

Download
memory/3888-9393-0x0000023E7AC80000-0x0000023E7AD33000-memory.dmp

Filesize
716KB

Download
memory/3912-29-0x0000000000170000-0x00000000001C4000-memory.dmp

Filesize
336KB

Download
memory/3912-32-0x0000000000170000-0x00000000001C4000-memory.dmp

Filesize
336KB

Download
memory/3912-24-0x0000000000170000-0x00000000001C4000-memory.dmp

Filesize
336KB

Download
memory/4128-158-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4128-161-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4128-183-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4128-160-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4196-67-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/4220-113-0x00000000001A0000-0x00000000004C4000-memory.dmp

Filesize
3.1MB

Download
memory/4232-5967-0x00007FF651740000-0x00007FF651977000-memory.dmp

Filesize
2.2MB

Download
memory/4232-5964-0x00007FF651740000-0x00007FF651977000-memory.dmp

Filesize
2.2MB

Download
memory/4264-9494-0x00007FF6D07F0000-0x00007FF6D170F000-memory.dmp

Filesize
15.1MB

Download
memory/4264-9538-0x00007FF6D07F0000-0x00007FF6D170F000-memory.dmp

Filesize
15.1MB

Download
memory/4544-87-0x0000015FEB9D0000-0x0000015FEBA3E000-memory.dmp

Filesize
440KB

Download
memory/4544-91-0x0000015FEE0F0000-0x0000015FEE0FE000-memory.dmp

Filesize
56KB

Download
memory/4544-90-0x0000015FF1210000-0x0000015FF1248000-memory.dmp

Filesize
224KB

Download
memory/4544-88-0x0000015FEE310000-0x0000015FEE386000-memory.dmp

Filesize
472KB

Download
memory/4544-89-0x0000015FEE0C0000-0x0000015FEE0C8000-memory.dmp

Filesize
32KB

Download
memory/4836-1830-0x00000211C6620000-0x00000211C672E000-memory.dmp

Filesize
1.1MB

Download
memory/4836-4745-0x00000211ADDD0000-0x00000211ADE6E000-memory.dmp

Filesize
632KB

Download
memory/5036-6175-0x0000000000FC0000-0x0000000001010000-memory.dmp

Filesize
320KB

Download
memory/5568-6410-0x0000000000FC0000-0x000000000111E000-memory.dmp

Filesize
1.4MB

Download
memory/5612-9405-0x00007FF785160000-0x00007FF78607F000-memory.dmp

Filesize
15.1MB

Download
memory/5612-9448-0x00007FF785160000-0x00007FF78607F000-memory.dmp

Filesize
15.1MB

Download
memory/5732-5864-0x0000000000010000-0x00000000000AA000-memory.dmp

Filesize
616KB

Download
memory/5732-5871-0x000000001D230000-0x000000001D2A6000-memory.dmp

Filesize
472KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads