Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    13-12-2024 02:49

General

  • Target

    file.exe

  • Size

    3.1MB

  • MD5

    4e9120d95d0a175a67c0b05467c1bcf7

  • SHA1

    12e5e1e20e332613c76405413fa43c6f849e2bed

  • SHA256

    1501439c043fd8b50716cb78d934be2019cc6e19afd3d43e19c350a80e1a1e03

  • SHA512

    022927af2ed93d48ce28933e7e07dbe0ee852d368ca31cd469421d6792686548e047e4a083ccc619a1a6845195099891b8f48f02999d123f1c2bd4550605c6ef

  • SSDEEP

    49152:kJgKpKlq3ft/7sbpz27jkbxaGqHxisWbymn4PkLqHrBW2A:ugKUaft/7sbpWjua33awPkLc

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

C2

Extracted

Family

stealc

Botnet

stok

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

  • Gcleaner family
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
  • XMRig Miner payload 10 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 27 IoCs
  • Identifies Wine through registry keys 2 TTPs 5 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 44 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 64 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 64 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Kills process with taskkill 5 IoCs
  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 20 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Users\Admin\AppData\Local\Temp\1014365001\W4KLQf7.exe
        "C:\Users\Admin\AppData\Local\Temp\1014365001\W4KLQf7.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2936
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1740
        • C:\Windows\SysWOW64\systeminfo.exe
          systeminfo
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers system information
          PID:1980
      • C:\Users\Admin\AppData\Local\Temp\1014430001\dwVrTdy.exe
        "C:\Users\Admin\AppData\Local\Temp\1014430001\dwVrTdy.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Program Files directory
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2672
        • C:\Program Files\Windows Media Player\graph\graph.exe
          "C:\Program Files\Windows Media Player\graph\graph.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:2472
      • C:\Users\Admin\AppData\Local\Temp\1014431001\AzVRM7c.exe
        "C:\Users\Admin\AppData\Local\Temp\1014431001\AzVRM7c.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2972
        • C:\Program Files\Windows Media Player\graph\graph.exe
          "C:\Program Files\Windows Media Player\graph\graph.exe"
          4⤵
          • Executes dropped EXE
          PID:1964
      • C:\Users\Admin\AppData\Local\Temp\1014432001\t5abhIx.exe
        "C:\Users\Admin\AppData\Local\Temp\1014432001\t5abhIx.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        PID:1368
      • C:\Users\Admin\AppData\Local\Temp\1014564001\9JTVo50.exe
        "C:\Users\Admin\AppData\Local\Temp\1014564001\9JTVo50.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2568
      • C:\Users\Admin\AppData\Local\Temp\1014611001\WkfyDiO.exe
        "C:\Users\Admin\AppData\Local\Temp\1014611001\WkfyDiO.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2776
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp59B4.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp59B4.tmp.bat
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2856
          • C:\Windows\system32\chcp.com
            chcp 65001
            5⤵
              PID:1676
            • C:\Windows\system32\tasklist.exe
              Tasklist /fi "PID eq 2776"
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1328
            • C:\Windows\system32\find.exe
              find ":"
              5⤵
                PID:1296
              • C:\Windows\system32\timeout.exe
                Timeout /T 1 /Nobreak
                5⤵
                  PID:2032
                • C:\Windows\system32\tasklist.exe
                  Tasklist /fi "PID eq 2776"
                  5⤵
                  • Enumerates processes with tasklist
                  • Suspicious use of AdjustPrivilegeToken
                  PID:612
                • C:\Windows\system32\find.exe
                  find ":"
                  5⤵
                    PID:832
                  • C:\Windows\system32\timeout.exe
                    Timeout /T 1 /Nobreak
                    5⤵
                    • Delays execution with timeout.exe
                    PID:1924
                  • C:\Windows\system32\tasklist.exe
                    Tasklist /fi "PID eq 2776"
                    5⤵
                    • Enumerates processes with tasklist
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3060
                  • C:\Windows\system32\find.exe
                    find ":"
                    5⤵
                      PID:2220
                    • C:\Windows\system32\timeout.exe
                      Timeout /T 1 /Nobreak
                      5⤵
                      • Delays execution with timeout.exe
                      PID:1508
                    • C:\Windows\system32\tasklist.exe
                      Tasklist /fi "PID eq 2776"
                      5⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1492
                    • C:\Windows\system32\find.exe
                      find ":"
                      5⤵
                        PID:1740
                      • C:\Windows\system32\timeout.exe
                        Timeout /T 1 /Nobreak
                        5⤵
                        • Delays execution with timeout.exe
                        PID:3032
                      • C:\Windows\system32\tasklist.exe
                        Tasklist /fi "PID eq 2776"
                        5⤵
                        • Enumerates processes with tasklist
                        • Suspicious use of AdjustPrivilegeToken
                        PID:824
                      • C:\Windows\system32\find.exe
                        find ":"
                        5⤵
                          PID:2084
                        • C:\Windows\system32\timeout.exe
                          Timeout /T 1 /Nobreak
                          5⤵
                          • Delays execution with timeout.exe
                          PID:2304
                        • C:\Windows\system32\tasklist.exe
                          Tasklist /fi "PID eq 2776"
                          5⤵
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2700
                        • C:\Windows\system32\find.exe
                          find ":"
                          5⤵
                            PID:1028
                          • C:\Windows\system32\timeout.exe
                            Timeout /T 1 /Nobreak
                            5⤵
                              PID:1108
                            • C:\Windows\system32\tasklist.exe
                              Tasklist /fi "PID eq 2776"
                              5⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1264
                            • C:\Windows\system32\find.exe
                              find ":"
                              5⤵
                                PID:1328
                              • C:\Windows\system32\timeout.exe
                                Timeout /T 1 /Nobreak
                                5⤵
                                • Delays execution with timeout.exe
                                PID:544
                              • C:\Windows\system32\tasklist.exe
                                Tasklist /fi "PID eq 2776"
                                5⤵
                                • Enumerates processes with tasklist
                                • Suspicious use of AdjustPrivilegeToken
                                PID:580
                              • C:\Windows\system32\find.exe
                                find ":"
                                5⤵
                                  PID:1508
                                • C:\Windows\system32\timeout.exe
                                  Timeout /T 1 /Nobreak
                                  5⤵
                                  • Delays execution with timeout.exe
                                  PID:1672
                                • C:\Windows\system32\tasklist.exe
                                  Tasklist /fi "PID eq 2776"
                                  5⤵
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1308
                                • C:\Windows\system32\find.exe
                                  find ":"
                                  5⤵
                                    PID:1092
                                  • C:\Windows\system32\timeout.exe
                                    Timeout /T 1 /Nobreak
                                    5⤵
                                    • Delays execution with timeout.exe
                                    PID:3864
                                  • C:\Windows\system32\tasklist.exe
                                    Tasklist /fi "PID eq 2776"
                                    5⤵
                                    • Enumerates processes with tasklist
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4016
                                  • C:\Windows\system32\find.exe
                                    find ":"
                                    5⤵
                                      PID:4024
                                    • C:\Windows\system32\timeout.exe
                                      Timeout /T 1 /Nobreak
                                      5⤵
                                      • Delays execution with timeout.exe
                                      PID:920
                                    • C:\Windows\system32\tasklist.exe
                                      Tasklist /fi "PID eq 2776"
                                      5⤵
                                      • Enumerates processes with tasklist
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3216
                                    • C:\Windows\system32\find.exe
                                      find ":"
                                      5⤵
                                        PID:3236
                                      • C:\Windows\system32\timeout.exe
                                        Timeout /T 1 /Nobreak
                                        5⤵
                                          PID:1756
                                        • C:\Windows\system32\tasklist.exe
                                          Tasklist /fi "PID eq 2776"
                                          5⤵
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3680
                                        • C:\Windows\system32\find.exe
                                          find ":"
                                          5⤵
                                            PID:3652
                                          • C:\Windows\system32\timeout.exe
                                            Timeout /T 1 /Nobreak
                                            5⤵
                                            • Delays execution with timeout.exe
                                            PID:3092
                                          • C:\Windows\system32\tasklist.exe
                                            Tasklist /fi "PID eq 2776"
                                            5⤵
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3192
                                          • C:\Windows\system32\find.exe
                                            find ":"
                                            5⤵
                                              PID:920
                                            • C:\Windows\system32\timeout.exe
                                              Timeout /T 1 /Nobreak
                                              5⤵
                                              • Delays execution with timeout.exe
                                              PID:3216
                                            • C:\Windows\system32\tasklist.exe
                                              Tasklist /fi "PID eq 2776"
                                              5⤵
                                              • Enumerates processes with tasklist
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:3172
                                            • C:\Windows\system32\find.exe
                                              find ":"
                                              5⤵
                                                PID:3280
                                              • C:\Windows\system32\timeout.exe
                                                Timeout /T 1 /Nobreak
                                                5⤵
                                                • Delays execution with timeout.exe
                                                PID:3828
                                              • C:\Windows\system32\tasklist.exe
                                                Tasklist /fi "PID eq 2776"
                                                5⤵
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:3324
                                              • C:\Windows\system32\find.exe
                                                find ":"
                                                5⤵
                                                  PID:2076
                                                • C:\Windows\system32\timeout.exe
                                                  Timeout /T 1 /Nobreak
                                                  5⤵
                                                    PID:1268
                                                  • C:\Windows\system32\tasklist.exe
                                                    Tasklist /fi "PID eq 2776"
                                                    5⤵
                                                    • Enumerates processes with tasklist
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:3544
                                                  • C:\Windows\system32\find.exe
                                                    find ":"
                                                    5⤵
                                                      PID:3536
                                                    • C:\Windows\system32\timeout.exe
                                                      Timeout /T 1 /Nobreak
                                                      5⤵
                                                      • Delays execution with timeout.exe
                                                      PID:3236
                                                    • C:\Windows\system32\tasklist.exe
                                                      Tasklist /fi "PID eq 2776"
                                                      5⤵
                                                      • Enumerates processes with tasklist
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:3172
                                                    • C:\Windows\system32\find.exe
                                                      find ":"
                                                      5⤵
                                                        PID:3280
                                                      • C:\Windows\system32\timeout.exe
                                                        Timeout /T 1 /Nobreak
                                                        5⤵
                                                        • Delays execution with timeout.exe
                                                        PID:3108
                                                      • C:\Windows\system32\tasklist.exe
                                                        Tasklist /fi "PID eq 2776"
                                                        5⤵
                                                        • Enumerates processes with tasklist
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:3392
                                                      • C:\Windows\system32\find.exe
                                                        find ":"
                                                        5⤵
                                                          PID:2628
                                                        • C:\Windows\system32\timeout.exe
                                                          Timeout /T 1 /Nobreak
                                                          5⤵
                                                            PID:3364
                                                          • C:\Windows\system32\tasklist.exe
                                                            Tasklist /fi "PID eq 2776"
                                                            5⤵
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:3536
                                                          • C:\Windows\system32\find.exe
                                                            find ":"
                                                            5⤵
                                                              PID:3684
                                                            • C:\Windows\system32\timeout.exe
                                                              Timeout /T 1 /Nobreak
                                                              5⤵
                                                              • Delays execution with timeout.exe
                                                              PID:1476
                                                            • C:\Windows\system32\tasklist.exe
                                                              Tasklist /fi "PID eq 2776"
                                                              5⤵
                                                              • Enumerates processes with tasklist
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:3180
                                                            • C:\Windows\system32\find.exe
                                                              find ":"
                                                              5⤵
                                                                PID:3236
                                                              • C:\Windows\system32\timeout.exe
                                                                Timeout /T 1 /Nobreak
                                                                5⤵
                                                                  PID:2368
                                                                • C:\Windows\system32\tasklist.exe
                                                                  Tasklist /fi "PID eq 2776"
                                                                  5⤵
                                                                  • Enumerates processes with tasklist
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:3324
                                                                • C:\Windows\system32\find.exe
                                                                  find ":"
                                                                  5⤵
                                                                    PID:3100
                                                                  • C:\Windows\system32\timeout.exe
                                                                    Timeout /T 1 /Nobreak
                                                                    5⤵
                                                                      PID:2688
                                                                    • C:\Windows\system32\tasklist.exe
                                                                      Tasklist /fi "PID eq 2776"
                                                                      5⤵
                                                                      • Enumerates processes with tasklist
                                                                      PID:3316
                                                                    • C:\Windows\system32\find.exe
                                                                      find ":"
                                                                      5⤵
                                                                        PID:3260
                                                                      • C:\Windows\system32\timeout.exe
                                                                        Timeout /T 1 /Nobreak
                                                                        5⤵
                                                                        • Delays execution with timeout.exe
                                                                        PID:3312
                                                                      • C:\Windows\system32\tasklist.exe
                                                                        Tasklist /fi "PID eq 2776"
                                                                        5⤵
                                                                        • Enumerates processes with tasklist
                                                                        PID:3544
                                                                      • C:\Windows\system32\find.exe
                                                                        find ":"
                                                                        5⤵
                                                                          PID:3088
                                                                        • C:\Windows\system32\timeout.exe
                                                                          Timeout /T 1 /Nobreak
                                                                          5⤵
                                                                          • Delays execution with timeout.exe
                                                                          PID:3296
                                                                        • C:\Windows\system32\tasklist.exe
                                                                          Tasklist /fi "PID eq 2776"
                                                                          5⤵
                                                                          • Enumerates processes with tasklist
                                                                          PID:3676
                                                                        • C:\Windows\system32\find.exe
                                                                          find ":"
                                                                          5⤵
                                                                            PID:2248
                                                                          • C:\Windows\system32\timeout.exe
                                                                            Timeout /T 1 /Nobreak
                                                                            5⤵
                                                                              PID:3876
                                                                            • C:\Windows\system32\tasklist.exe
                                                                              Tasklist /fi "PID eq 2776"
                                                                              5⤵
                                                                              • Enumerates processes with tasklist
                                                                              PID:3868
                                                                            • C:\Windows\system32\find.exe
                                                                              find ":"
                                                                              5⤵
                                                                                PID:3376
                                                                              • C:\Windows\system32\timeout.exe
                                                                                Timeout /T 1 /Nobreak
                                                                                5⤵
                                                                                  PID:2220
                                                                                • C:\Windows\system32\tasklist.exe
                                                                                  Tasklist /fi "PID eq 2776"
                                                                                  5⤵
                                                                                    PID:4088
                                                                                  • C:\Windows\system32\find.exe
                                                                                    find ":"
                                                                                    5⤵
                                                                                      PID:4092
                                                                                    • C:\Windows\system32\timeout.exe
                                                                                      Timeout /T 1 /Nobreak
                                                                                      5⤵
                                                                                      • Delays execution with timeout.exe
                                                                                      PID:3636
                                                                                    • C:\Windows\system32\tasklist.exe
                                                                                      Tasklist /fi "PID eq 2776"
                                                                                      5⤵
                                                                                      • Enumerates processes with tasklist
                                                                                      PID:3864
                                                                                    • C:\Windows\system32\find.exe
                                                                                      find ":"
                                                                                      5⤵
                                                                                        PID:1108
                                                                                      • C:\Windows\system32\timeout.exe
                                                                                        Timeout /T 1 /Nobreak
                                                                                        5⤵
                                                                                        • Delays execution with timeout.exe
                                                                                        PID:928
                                                                                      • C:\Windows\system32\tasklist.exe
                                                                                        Tasklist /fi "PID eq 2776"
                                                                                        5⤵
                                                                                        • Enumerates processes with tasklist
                                                                                        PID:1968
                                                                                      • C:\Windows\system32\find.exe
                                                                                        find ":"
                                                                                        5⤵
                                                                                          PID:3888
                                                                                        • C:\Windows\system32\timeout.exe
                                                                                          Timeout /T 1 /Nobreak
                                                                                          5⤵
                                                                                          • Delays execution with timeout.exe
                                                                                          PID:3880
                                                                                        • C:\Windows\system32\tasklist.exe
                                                                                          Tasklist /fi "PID eq 2776"
                                                                                          5⤵
                                                                                          • Enumerates processes with tasklist
                                                                                          PID:3640
                                                                                        • C:\Windows\system32\find.exe
                                                                                          find ":"
                                                                                          5⤵
                                                                                            PID:2024
                                                                                          • C:\Windows\system32\timeout.exe
                                                                                            Timeout /T 1 /Nobreak
                                                                                            5⤵
                                                                                              PID:2616
                                                                                            • C:\Windows\system32\tasklist.exe
                                                                                              Tasklist /fi "PID eq 2776"
                                                                                              5⤵
                                                                                              • Enumerates processes with tasklist
                                                                                              PID:3100
                                                                                            • C:\Windows\system32\find.exe
                                                                                              find ":"
                                                                                              5⤵
                                                                                                PID:3324
                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                Timeout /T 1 /Nobreak
                                                                                                5⤵
                                                                                                • Delays execution with timeout.exe
                                                                                                PID:3104
                                                                                              • C:\Windows\system32\tasklist.exe
                                                                                                Tasklist /fi "PID eq 2776"
                                                                                                5⤵
                                                                                                • Enumerates processes with tasklist
                                                                                                PID:2312
                                                                                              • C:\Windows\system32\find.exe
                                                                                                find ":"
                                                                                                5⤵
                                                                                                  PID:2244
                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                  Timeout /T 1 /Nobreak
                                                                                                  5⤵
                                                                                                  • Delays execution with timeout.exe
                                                                                                  PID:3112
                                                                                                • C:\Windows\system32\tasklist.exe
                                                                                                  Tasklist /fi "PID eq 2776"
                                                                                                  5⤵
                                                                                                  • Enumerates processes with tasklist
                                                                                                  PID:2628
                                                                                                • C:\Windows\system32\find.exe
                                                                                                  find ":"
                                                                                                  5⤵
                                                                                                    PID:3392
                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                    Timeout /T 1 /Nobreak
                                                                                                    5⤵
                                                                                                    • Delays execution with timeout.exe
                                                                                                    PID:3444
                                                                                                  • C:\Windows\system32\tasklist.exe
                                                                                                    Tasklist /fi "PID eq 2776"
                                                                                                    5⤵
                                                                                                    • Enumerates processes with tasklist
                                                                                                    PID:4084
                                                                                                  • C:\Windows\system32\find.exe
                                                                                                    find ":"
                                                                                                    5⤵
                                                                                                      PID:3696
                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                      Timeout /T 1 /Nobreak
                                                                                                      5⤵
                                                                                                      • Delays execution with timeout.exe
                                                                                                      PID:1264
                                                                                                    • C:\Windows\system32\tasklist.exe
                                                                                                      Tasklist /fi "PID eq 2776"
                                                                                                      5⤵
                                                                                                      • Enumerates processes with tasklist
                                                                                                      PID:3556
                                                                                                    • C:\Windows\system32\find.exe
                                                                                                      find ":"
                                                                                                      5⤵
                                                                                                        PID:3148
                                                                                                      • C:\Windows\system32\timeout.exe
                                                                                                        Timeout /T 1 /Nobreak
                                                                                                        5⤵
                                                                                                        • Delays execution with timeout.exe
                                                                                                        PID:3188
                                                                                                      • C:\Windows\system32\tasklist.exe
                                                                                                        Tasklist /fi "PID eq 2776"
                                                                                                        5⤵
                                                                                                        • Enumerates processes with tasklist
                                                                                                        PID:3864
                                                                                                      • C:\Windows\system32\find.exe
                                                                                                        find ":"
                                                                                                        5⤵
                                                                                                          PID:1108
                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                          Timeout /T 1 /Nobreak
                                                                                                          5⤵
                                                                                                            PID:4008
                                                                                                          • C:\Windows\system32\tasklist.exe
                                                                                                            Tasklist /fi "PID eq 2776"
                                                                                                            5⤵
                                                                                                            • Enumerates processes with tasklist
                                                                                                            PID:928
                                                                                                          • C:\Windows\system32\find.exe
                                                                                                            find ":"
                                                                                                            5⤵
                                                                                                              PID:4044
                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                              Timeout /T 1 /Nobreak
                                                                                                              5⤵
                                                                                                              • Delays execution with timeout.exe
                                                                                                              PID:3888
                                                                                                            • C:\Windows\system32\tasklist.exe
                                                                                                              Tasklist /fi "PID eq 2776"
                                                                                                              5⤵
                                                                                                              • Enumerates processes with tasklist
                                                                                                              PID:1444
                                                                                                            • C:\Windows\system32\find.exe
                                                                                                              find ":"
                                                                                                              5⤵
                                                                                                                PID:852
                                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                                Timeout /T 1 /Nobreak
                                                                                                                5⤵
                                                                                                                • Delays execution with timeout.exe
                                                                                                                PID:2840
                                                                                                              • C:\Windows\system32\tasklist.exe
                                                                                                                Tasklist /fi "PID eq 2776"
                                                                                                                5⤵
                                                                                                                • Enumerates processes with tasklist
                                                                                                                PID:2616
                                                                                                              • C:\Windows\system32\find.exe
                                                                                                                find ":"
                                                                                                                5⤵
                                                                                                                  PID:3644
                                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                                  Timeout /T 1 /Nobreak
                                                                                                                  5⤵
                                                                                                                  • Delays execution with timeout.exe
                                                                                                                  PID:3324
                                                                                                                • C:\Windows\system32\tasklist.exe
                                                                                                                  Tasklist /fi "PID eq 2776"
                                                                                                                  5⤵
                                                                                                                  • Enumerates processes with tasklist
                                                                                                                  PID:1956
                                                                                                                • C:\Windows\system32\find.exe
                                                                                                                  find ":"
                                                                                                                  5⤵
                                                                                                                    PID:2772
                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                    Timeout /T 1 /Nobreak
                                                                                                                    5⤵
                                                                                                                    • Delays execution with timeout.exe
                                                                                                                    PID:2052
                                                                                                                  • C:\Windows\system32\tasklist.exe
                                                                                                                    Tasklist /fi "PID eq 2776"
                                                                                                                    5⤵
                                                                                                                    • Enumerates processes with tasklist
                                                                                                                    PID:2172
                                                                                                                  • C:\Windows\system32\find.exe
                                                                                                                    find ":"
                                                                                                                    5⤵
                                                                                                                      PID:3320
                                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                                      Timeout /T 1 /Nobreak
                                                                                                                      5⤵
                                                                                                                      • Delays execution with timeout.exe
                                                                                                                      PID:3540
                                                                                                                    • C:\Windows\system32\tasklist.exe
                                                                                                                      Tasklist /fi "PID eq 2776"
                                                                                                                      5⤵
                                                                                                                      • Enumerates processes with tasklist
                                                                                                                      PID:3560
                                                                                                                    • C:\Windows\system32\find.exe
                                                                                                                      find ":"
                                                                                                                      5⤵
                                                                                                                        PID:3368
                                                                                                                      • C:\Windows\system32\timeout.exe
                                                                                                                        Timeout /T 1 /Nobreak
                                                                                                                        5⤵
                                                                                                                        • Delays execution with timeout.exe
                                                                                                                        PID:3336
                                                                                                                      • C:\Windows\system32\tasklist.exe
                                                                                                                        Tasklist /fi "PID eq 2776"
                                                                                                                        5⤵
                                                                                                                          PID:3316
                                                                                                                        • C:\Windows\system32\find.exe
                                                                                                                          find ":"
                                                                                                                          5⤵
                                                                                                                            PID:3232
                                                                                                                          • C:\Windows\system32\timeout.exe
                                                                                                                            Timeout /T 1 /Nobreak
                                                                                                                            5⤵
                                                                                                                              PID:2736
                                                                                                                            • C:\Windows\system32\tasklist.exe
                                                                                                                              Tasklist /fi "PID eq 2776"
                                                                                                                              5⤵
                                                                                                                              • Enumerates processes with tasklist
                                                                                                                              PID:3264
                                                                                                                            • C:\Windows\system32\find.exe
                                                                                                                              find ":"
                                                                                                                              5⤵
                                                                                                                                PID:2684
                                                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                                                Timeout /T 1 /Nobreak
                                                                                                                                5⤵
                                                                                                                                • Delays execution with timeout.exe
                                                                                                                                PID:3156
                                                                                                                              • C:\Windows\system32\tasklist.exe
                                                                                                                                Tasklist /fi "PID eq 2776"
                                                                                                                                5⤵
                                                                                                                                • Enumerates processes with tasklist
                                                                                                                                PID:3340
                                                                                                                              • C:\Windows\system32\find.exe
                                                                                                                                find ":"
                                                                                                                                5⤵
                                                                                                                                  PID:3076
                                                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                                                  Timeout /T 1 /Nobreak
                                                                                                                                  5⤵
                                                                                                                                  • Delays execution with timeout.exe
                                                                                                                                  PID:4080
                                                                                                                                • C:\Windows\system32\tasklist.exe
                                                                                                                                  Tasklist /fi "PID eq 2776"
                                                                                                                                  5⤵
                                                                                                                                  • Enumerates processes with tasklist
                                                                                                                                  PID:2376
                                                                                                                                • C:\Windows\system32\find.exe
                                                                                                                                  find ":"
                                                                                                                                  5⤵
                                                                                                                                    PID:3544
                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                    Timeout /T 1 /Nobreak
                                                                                                                                    5⤵
                                                                                                                                      PID:3296
                                                                                                                                    • C:\Windows\system32\tasklist.exe
                                                                                                                                      Tasklist /fi "PID eq 2776"
                                                                                                                                      5⤵
                                                                                                                                        PID:2276
                                                                                                                                      • C:\Windows\system32\find.exe
                                                                                                                                        find ":"
                                                                                                                                        5⤵
                                                                                                                                          PID:3552
                                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                                          Timeout /T 1 /Nobreak
                                                                                                                                          5⤵
                                                                                                                                          • Delays execution with timeout.exe
                                                                                                                                          PID:1264
                                                                                                                                        • C:\Windows\system32\tasklist.exe
                                                                                                                                          Tasklist /fi "PID eq 2776"
                                                                                                                                          5⤵
                                                                                                                                            PID:3684
                                                                                                                                          • C:\Windows\system32\find.exe
                                                                                                                                            find ":"
                                                                                                                                            5⤵
                                                                                                                                              PID:3376
                                                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                                                              Timeout /T 1 /Nobreak
                                                                                                                                              5⤵
                                                                                                                                                PID:3216
                                                                                                                                              • C:\Windows\system32\tasklist.exe
                                                                                                                                                Tasklist /fi "PID eq 2776"
                                                                                                                                                5⤵
                                                                                                                                                  PID:3692
                                                                                                                                                • C:\Windows\system32\find.exe
                                                                                                                                                  find ":"
                                                                                                                                                  5⤵
                                                                                                                                                    PID:3628
                                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                                    Timeout /T 1 /Nobreak
                                                                                                                                                    5⤵
                                                                                                                                                    • Delays execution with timeout.exe
                                                                                                                                                    PID:3824
                                                                                                                                                  • C:\Windows\system32\tasklist.exe
                                                                                                                                                    Tasklist /fi "PID eq 2776"
                                                                                                                                                    5⤵
                                                                                                                                                    • Enumerates processes with tasklist
                                                                                                                                                    PID:3208
                                                                                                                                                  • C:\Windows\system32\find.exe
                                                                                                                                                    find ":"
                                                                                                                                                    5⤵
                                                                                                                                                      PID:2016
                                                                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                                                                      Timeout /T 1 /Nobreak
                                                                                                                                                      5⤵
                                                                                                                                                      • Delays execution with timeout.exe
                                                                                                                                                      PID:3188
                                                                                                                                                    • C:\Windows\system32\tasklist.exe
                                                                                                                                                      Tasklist /fi "PID eq 2776"
                                                                                                                                                      5⤵
                                                                                                                                                        PID:3268
                                                                                                                                                      • C:\Windows\system32\find.exe
                                                                                                                                                        find ":"
                                                                                                                                                        5⤵
                                                                                                                                                          PID:292
                                                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                                                          Timeout /T 1 /Nobreak
                                                                                                                                                          5⤵
                                                                                                                                                          • Delays execution with timeout.exe
                                                                                                                                                          PID:3668
                                                                                                                                                        • C:\Windows\system32\tasklist.exe
                                                                                                                                                          Tasklist /fi "PID eq 2776"
                                                                                                                                                          5⤵
                                                                                                                                                            PID:3388
                                                                                                                                                          • C:\Windows\system32\find.exe
                                                                                                                                                            find ":"
                                                                                                                                                            5⤵
                                                                                                                                                              PID:3832
                                                                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                                                                              Timeout /T 1 /Nobreak
                                                                                                                                                              5⤵
                                                                                                                                                                PID:3380
                                                                                                                                                              • C:\Windows\system32\tasklist.exe
                                                                                                                                                                Tasklist /fi "PID eq 2776"
                                                                                                                                                                5⤵
                                                                                                                                                                • Enumerates processes with tasklist
                                                                                                                                                                PID:2024
                                                                                                                                                              • C:\Windows\system32\find.exe
                                                                                                                                                                find ":"
                                                                                                                                                                5⤵
                                                                                                                                                                  PID:1796
                                                                                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                                                                                  Timeout /T 1 /Nobreak
                                                                                                                                                                  5⤵
                                                                                                                                                                    PID:1000
                                                                                                                                                                  • C:\Windows\system32\tasklist.exe
                                                                                                                                                                    Tasklist /fi "PID eq 2776"
                                                                                                                                                                    5⤵
                                                                                                                                                                    • Enumerates processes with tasklist
                                                                                                                                                                    PID:3880
                                                                                                                                                                  • C:\Windows\system32\find.exe
                                                                                                                                                                    find ":"
                                                                                                                                                                    5⤵
                                                                                                                                                                      PID:2868
                                                                                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                                                                                      Timeout /T 1 /Nobreak
                                                                                                                                                                      5⤵
                                                                                                                                                                      • Delays execution with timeout.exe
                                                                                                                                                                      PID:2144
                                                                                                                                                                    • C:\Windows\system32\tasklist.exe
                                                                                                                                                                      Tasklist /fi "PID eq 2776"
                                                                                                                                                                      5⤵
                                                                                                                                                                        PID:2616
                                                                                                                                                                      • C:\Windows\system32\find.exe
                                                                                                                                                                        find ":"
                                                                                                                                                                        5⤵
                                                                                                                                                                          PID:2648
                                                                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                                                                          Timeout /T 1 /Nobreak
                                                                                                                                                                          5⤵
                                                                                                                                                                          • Delays execution with timeout.exe
                                                                                                                                                                          PID:2828
                                                                                                                                                                        • C:\Windows\system32\tasklist.exe
                                                                                                                                                                          Tasklist /fi "PID eq 2776"
                                                                                                                                                                          5⤵
                                                                                                                                                                            PID:2768
                                                                                                                                                                          • C:\Windows\system32\find.exe
                                                                                                                                                                            find ":"
                                                                                                                                                                            5⤵
                                                                                                                                                                              PID:2164
                                                                                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                                                                                              Timeout /T 1 /Nobreak
                                                                                                                                                                              5⤵
                                                                                                                                                                                PID:1920
                                                                                                                                                                              • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                Tasklist /fi "PID eq 2776"
                                                                                                                                                                                5⤵
                                                                                                                                                                                  PID:3564
                                                                                                                                                                                • C:\Windows\system32\find.exe
                                                                                                                                                                                  find ":"
                                                                                                                                                                                  5⤵
                                                                                                                                                                                    PID:3240
                                                                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                                                                    Timeout /T 1 /Nobreak
                                                                                                                                                                                    5⤵
                                                                                                                                                                                    • Delays execution with timeout.exe
                                                                                                                                                                                    PID:3112
                                                                                                                                                                                  • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                    Tasklist /fi "PID eq 2776"
                                                                                                                                                                                    5⤵
                                                                                                                                                                                      PID:3192
                                                                                                                                                                                    • C:\Windows\system32\find.exe
                                                                                                                                                                                      find ":"
                                                                                                                                                                                      5⤵
                                                                                                                                                                                        PID:3056
                                                                                                                                                                                      • C:\Windows\system32\timeout.exe
                                                                                                                                                                                        Timeout /T 1 /Nobreak
                                                                                                                                                                                        5⤵
                                                                                                                                                                                          PID:1560
                                                                                                                                                                                        • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                          Tasklist /fi "PID eq 2776"
                                                                                                                                                                                          5⤵
                                                                                                                                                                                            PID:2904
                                                                                                                                                                                          • C:\Windows\system32\find.exe
                                                                                                                                                                                            find ":"
                                                                                                                                                                                            5⤵
                                                                                                                                                                                              PID:2100
                                                                                                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                                                                                                              Timeout /T 1 /Nobreak
                                                                                                                                                                                              5⤵
                                                                                                                                                                                              • Delays execution with timeout.exe
                                                                                                                                                                                              PID:1328
                                                                                                                                                                                            • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                              Tasklist /fi "PID eq 2776"
                                                                                                                                                                                              5⤵
                                                                                                                                                                                              • Enumerates processes with tasklist
                                                                                                                                                                                              PID:952
                                                                                                                                                                                            • C:\Windows\system32\find.exe
                                                                                                                                                                                              find ":"
                                                                                                                                                                                              5⤵
                                                                                                                                                                                                PID:2680
                                                                                                                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                Timeout /T 1 /Nobreak
                                                                                                                                                                                                5⤵
                                                                                                                                                                                                • Delays execution with timeout.exe
                                                                                                                                                                                                PID:2684
                                                                                                                                                                                              • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                                Tasklist /fi "PID eq 2776"
                                                                                                                                                                                                5⤵
                                                                                                                                                                                                  PID:3436
                                                                                                                                                                                                • C:\Windows\system32\find.exe
                                                                                                                                                                                                  find ":"
                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                    PID:4080
                                                                                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                    Timeout /T 1 /Nobreak
                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                      PID:3664
                                                                                                                                                                                                    • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                                      Tasklist /fi "PID eq 2776"
                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                      • Enumerates processes with tasklist
                                                                                                                                                                                                      PID:3616
                                                                                                                                                                                                    • C:\Windows\system32\find.exe
                                                                                                                                                                                                      find ":"
                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                        PID:3676
                                                                                                                                                                                                      • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                        Timeout /T 1 /Nobreak
                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                        • Delays execution with timeout.exe
                                                                                                                                                                                                        PID:4088
                                                                                                                                                                                                      • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                                        Tasklist /fi "PID eq 2776"
                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                          PID:4092
                                                                                                                                                                                                        • C:\Windows\system32\find.exe
                                                                                                                                                                                                          find ":"
                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                            PID:3384
                                                                                                                                                                                                          • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                            Timeout /T 1 /Nobreak
                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                            • Delays execution with timeout.exe
                                                                                                                                                                                                            PID:1756
                                                                                                                                                                                                          • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                                            Tasklist /fi "PID eq 2776"
                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                            • Enumerates processes with tasklist
                                                                                                                                                                                                            PID:3700
                                                                                                                                                                                                          • C:\Windows\system32\find.exe
                                                                                                                                                                                                            find ":"
                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                              PID:3236
                                                                                                                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                              Timeout /T 1 /Nobreak
                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                PID:944
                                                                                                                                                                                                              • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                                                Tasklist /fi "PID eq 2776"
                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                  PID:1680
                                                                                                                                                                                                                • C:\Windows\system32\find.exe
                                                                                                                                                                                                                  find ":"
                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                    PID:3256
                                                                                                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                    Timeout /T 1 /Nobreak
                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                      PID:928
                                                                                                                                                                                                                    • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                                                      Tasklist /fi "PID eq 2776"
                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                      • Enumerates processes with tasklist
                                                                                                                                                                                                                      PID:3080
                                                                                                                                                                                                                    • C:\Windows\system32\find.exe
                                                                                                                                                                                                                      find ":"
                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                        PID:3388
                                                                                                                                                                                                                      • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                        Timeout /T 1 /Nobreak
                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                        • Delays execution with timeout.exe
                                                                                                                                                                                                                        PID:1444
                                                                                                                                                                                                                      • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                                                        Tasklist /fi "PID eq 2776"
                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                        • Enumerates processes with tasklist
                                                                                                                                                                                                                        PID:3640
                                                                                                                                                                                                                      • C:\Windows\system32\find.exe
                                                                                                                                                                                                                        find ":"
                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                          PID:2024
                                                                                                                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                          Timeout /T 1 /Nobreak
                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                          • Delays execution with timeout.exe
                                                                                                                                                                                                                          PID:2076
                                                                                                                                                                                                                        • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                                                          Tasklist /fi "PID eq 2776"
                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                          • Enumerates processes with tasklist
                                                                                                                                                                                                                          PID:2988
                                                                                                                                                                                                                        • C:\Windows\system32\find.exe
                                                                                                                                                                                                                          find ":"
                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                            PID:2144
                                                                                                                                                                                                                          • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                            Timeout /T 1 /Nobreak
                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                            • Delays execution with timeout.exe
                                                                                                                                                                                                                            PID:3524
                                                                                                                                                                                                                          • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                                                            Tasklist /fi "PID eq 2776"
                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                            • Enumerates processes with tasklist
                                                                                                                                                                                                                            PID:3104
                                                                                                                                                                                                                          • C:\Windows\system32\find.exe
                                                                                                                                                                                                                            find ":"
                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                              PID:2212
                                                                                                                                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                              Timeout /T 1 /Nobreak
                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                PID:2180
                                                                                                                                                                                                                              • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                                                                Tasklist /fi "PID eq 2776"
                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                  PID:3252
                                                                                                                                                                                                                                • C:\Windows\system32\find.exe
                                                                                                                                                                                                                                  find ":"
                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                    PID:3224
                                                                                                                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                    Timeout /T 1 /Nobreak
                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                    • Delays execution with timeout.exe
                                                                                                                                                                                                                                    PID:3440
                                                                                                                                                                                                                                  • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                                                                    Tasklist /fi "PID eq 2776"
                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                    • Enumerates processes with tasklist
                                                                                                                                                                                                                                    PID:3428
                                                                                                                                                                                                                                  • C:\Windows\system32\find.exe
                                                                                                                                                                                                                                    find ":"
                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                      PID:3240
                                                                                                                                                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                      Timeout /T 1 /Nobreak
                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                        PID:3392
                                                                                                                                                                                                                                      • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                                                                        Tasklist /fi "PID eq 2776"
                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                        • Enumerates processes with tasklist
                                                                                                                                                                                                                                        PID:2628
                                                                                                                                                                                                                                      • C:\Windows\system32\find.exe
                                                                                                                                                                                                                                        find ":"
                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                          PID:1344
                                                                                                                                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                          Timeout /T 1 /Nobreak
                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                          • Delays execution with timeout.exe
                                                                                                                                                                                                                                          PID:2452
                                                                                                                                                                                                                                        • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                                                                          Tasklist /fi "PID eq 2776"
                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                          • Enumerates processes with tasklist
                                                                                                                                                                                                                                          PID:1536
                                                                                                                                                                                                                                        • C:\Windows\system32\find.exe
                                                                                                                                                                                                                                          find ":"
                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                            PID:2100
                                                                                                                                                                                                                                          • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                            Timeout /T 1 /Nobreak
                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                            • Delays execution with timeout.exe
                                                                                                                                                                                                                                            PID:3860
                                                                                                                                                                                                                                          • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                                                                            Tasklist /fi "PID eq 2776"
                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                            • Enumerates processes with tasklist
                                                                                                                                                                                                                                            PID:3152
                                                                                                                                                                                                                                          • C:\Windows\system32\find.exe
                                                                                                                                                                                                                                            find ":"
                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                              PID:3336
                                                                                                                                                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                              Timeout /T 1 /Nobreak
                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                              • Delays execution with timeout.exe
                                                                                                                                                                                                                                              PID:3176
                                                                                                                                                                                                                                            • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                                                                              Tasklist /fi "PID eq 2776"
                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                PID:2584
                                                                                                                                                                                                                                              • C:\Windows\system32\find.exe
                                                                                                                                                                                                                                                find ":"
                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                  PID:3312
                                                                                                                                                                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                  Timeout /T 1 /Nobreak
                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                  • Delays execution with timeout.exe
                                                                                                                                                                                                                                                  PID:3536
                                                                                                                                                                                                                                                • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                                                                                  Tasklist /fi "PID eq 2776"
                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                  • Enumerates processes with tasklist
                                                                                                                                                                                                                                                  PID:3436
                                                                                                                                                                                                                                                • C:\Windows\system32\find.exe
                                                                                                                                                                                                                                                  find ":"
                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                    PID:4080
                                                                                                                                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                    Timeout /T 1 /Nobreak
                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                    • Delays execution with timeout.exe
                                                                                                                                                                                                                                                    PID:1264
                                                                                                                                                                                                                                                  • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                                                                                    Tasklist /fi "PID eq 2776"
                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                    • Enumerates processes with tasklist
                                                                                                                                                                                                                                                    PID:3552
                                                                                                                                                                                                                                                  • C:\Windows\system32\find.exe
                                                                                                                                                                                                                                                    find ":"
                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                      PID:3576
                                                                                                                                                                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                      Timeout /T 1 /Nobreak
                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                      • Delays execution with timeout.exe
                                                                                                                                                                                                                                                      PID:2428
                                                                                                                                                                                                                                                    • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                                                                                      Tasklist /fi "PID eq 2776"
                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                      • Enumerates processes with tasklist
                                                                                                                                                                                                                                                      PID:1868
                                                                                                                                                                                                                                                    • C:\Windows\system32\find.exe
                                                                                                                                                                                                                                                      find ":"
                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                        PID:3856
                                                                                                                                                                                                                                                      • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                        Timeout /T 1 /Nobreak
                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                          PID:3020
                                                                                                                                                                                                                                                        • C:\Windows\system32\tasklist.exe
  Tasklist /fi "PID eq 2776"
  5⤵
  • Enumerates processes with tasklist
  PID:3216
• C:\Windows\system32\find.exe
  find ":"
  5⤵
  PID:2512
• C:\Windows\system32\timeout.exe
  Timeout /T 1 /Nobreak
  5⤵
  PID:2508
• C:\Windows\system32\tasklist.exe
  Tasklist /fi "PID eq 2776"
  5⤵
  • Enumerates processes with tasklist
  PID:1756
• C:\Windows\system32\find.exe
  find ":"
  5⤵
  PID:2016
• C:\Windows\system32\timeout.exe
  Timeout /T 1 /Nobreak
  5⤵
  • Delays execution with timeout.exe
  PID:3700
• C:\Windows\system32\tasklist.exe
  Tasklist /fi "PID eq 2776"
  5⤵
  PID:3596
• C:\Windows\system32\find.exe
  find ":"
  5⤵
  PID:3300
• C:\Windows\system32\timeout.exe
  Timeout /T 1 /Nobreak
  5⤵
  • Delays execution with timeout.exe
  PID:920
• C:\Windows\system32\tasklist.exe
  Tasklist /fi "PID eq 2776"
  5⤵
  • Enumerates processes with tasklist
  PID:3156
• C:\Windows\system32\find.exe
  find ":"
  5⤵
  PID:3884
• C:\Windows\system32\timeout.exe
  Timeout /T 1 /Nobreak
  5⤵
  • Delays execution with timeout.exe
  PID:3316
• C:\Windows\system32\tasklist.exe
  Tasklist /fi "PID eq 2776"
  5⤵
  • Enumerates processes with tasklist
  PID:944
• C:\Windows\system32\find.exe
  find ":"
  5⤵
  PID:4044
• C:\Windows\system32\timeout.exe
  Timeout /T 1 /Nobreak
  5⤵
  • Delays execution with timeout.exe
  PID:3256
• C:\Windows\system32\tasklist.exe
  Tasklist /fi "PID eq 2776"
  5⤵
  • Enumerates processes with tasklist
  PID:2588
• C:\Windows\system32\find.exe
  find ":"
  5⤵
  PID:3784
• C:\Windows\system32\timeout.exe
  Timeout /T 1 /Nobreak
  5⤵
  • Delays execution with timeout.exe
  PID:2836
• C:\Windows\system32\tasklist.exe
  Tasklist /fi "PID eq 2776"
  5⤵
  • Enumerates processes with tasklist
  PID:3388
• C:\Windows\system32\find.exe
  find ":"
  5⤵
  PID:4076
• C:\Windows\system32\timeout.exe
  Timeout /T 1 /Nobreak
  5⤵
  PID:3620
• C:\Windows\system32\tasklist.exe
  Tasklist /fi "PID eq 2776"
  5⤵
  • Enumerates processes with tasklist
  PID:1796
• C:\Windows\system32\find.exe
  find ":"
  5⤵
  PID:2232
• C:\Windows\system32\timeout.exe
  Timeout /T 1 /Nobreak
  5⤵
  • Delays execution with timeout.exe
  PID:2800
• C:\Windows\system32\tasklist.exe
  Tasklist /fi "PID eq 2776"
  5⤵
  • Enumerates processes with tasklist
  PID:2988
• C:\Windows\system32\find.exe
  find ":"
  5⤵
  PID:2144
• C:\Windows\system32\timeout.exe
  Timeout /T 1 /Nobreak
  5⤵
  • Delays execution with timeout.exe
  PID:1976
• C:\Windows\system32\tasklist.exe
  Tasklist /fi "PID eq 2776"
  5⤵
  PID:2772
• C:\Windows\system32\find.exe
  find ":"
  5⤵
                                                                                                                                                                                                                                                                                      PID:1588
                                                                                                                                                                                                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                                      Timeout /T 1 /Nobreak
                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                      • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                      PID:3308
                                                                                                                                                                                                                                                                                    • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                                                                                                                      Tasklist /fi "PID eq 2776"
                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                        PID:2400
                                                                                                                                                                                                                                                                                      • C:\Windows\system32\find.exe
                                                                                                                                                                                                                                                                                        find ":"
                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                          PID:3560
                                                                                                                                                                                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                                          Timeout /T 1 /Nobreak
                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                          • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                          PID:3540
                                                                                                                                                                                                                                                                                        • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                                                                                                                          Tasklist /fi "PID eq 2776"
                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                          • Enumerates processes with tasklist
                                                                                                                                                                                                                                                                                          PID:768
                                                                                                                                                                                                                                                                                        • C:\Windows\system32\find.exe
                                                                                                                                                                                                                                                                                          find ":"
                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                            PID:2204
                                                                                                                                                                                                                                                                                          • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                                            Timeout /T 1 /Nobreak
                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                              PID:2688
                                                                                                                                                                                                                                                                                            • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                                                                                                                              Tasklist /fi "PID eq 2776"
                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                              • Enumerates processes with tasklist
                                                                                                                                                                                                                                                                                              PID:844
                                                                                                                                                                                                                                                                                            • C:\Windows\system32\find.exe
                                                                                                                                                                                                                                                                                              find ":"
                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                PID:2056
                                                                                                                                                                                                                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                                                Timeout /T 1 /Nobreak
                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                  PID:2472
                                                                                                                                                                                                                                                                                                • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                                                                                                                                  Tasklist /fi "PID eq 2776"
                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                  • Enumerates processes with tasklist
                                                                                                                                                                                                                                                                                                  PID:3164
                                                                                                                                                                                                                                                                                                • C:\Windows\system32\find.exe
                                                                                                                                                                                                                                                                                                  find ":"
                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                    PID:1820
                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                                                    Timeout /T 1 /Nobreak
                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                      PID:2488
                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                                                                                                                                      Tasklist /fi "PID eq 2776"
                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                      • Enumerates processes with tasklist
                                                                                                                                                                                                                                                                                                      PID:2680
                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\find.exe
                                                                                                                                                                                                                                                                                                      find ":"
                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                        PID:3328
                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                                                        Timeout /T 1 /Nobreak
                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                          PID:1268
                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                                                                                                                                          Tasklist /fi "PID eq 2776"
                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                          • Enumerates processes with tasklist
                                                                                                                                                                                                                                                                                                          PID:3296
                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\find.exe
                                                                                                                                                                                                                                                                                                          find ":"
                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                            PID:1056
                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                                                            Timeout /T 1 /Nobreak
                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                            • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                            PID:4084
                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\tasklist.exe
                                                                                                                                                                                                                                                                                                            Tasklist /fi "PID eq 2776"
                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                              PID:3664
                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\find.exe
                                                                                                                                                                                                                                                                                                              find ":"
                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                PID:4024
                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                                                                Timeout /T 1 /Nobreak
                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                PID:2248
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\1014616001\8554465a19.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\1014616001\8554465a19.exe"
                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                            PID:1056
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\1014617001\3da609c405.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\1014617001\3da609c405.exe"
                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                            • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                            PID:1588
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                              taskkill /F /IM firefox.exe /T
                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                              • Kills process with taskkill
                                                                                                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                              PID:2888
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                              taskkill /F /IM chrome.exe /T
                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                              • Kills process with taskkill
                                                                                                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                              PID:2960
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                              taskkill /F /IM msedge.exe /T
                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                              • Kills process with taskkill
                                                                                                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                              PID:1712
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                              taskkill /F /IM opera.exe /T
                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                              • Kills process with taskkill
                                                                                                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                              PID:1136
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                              taskkill /F /IM brave.exe /T
                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                              • Kills process with taskkill
                                                                                                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                              PID:1756
                                                                                                                                                                                                                                                                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                PID:2880
                                                                                                                                                                                                                                                                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                                  • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                                  PID:2632
                                                                                                                                                                                                                                                                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2632.0.889163974\1770876692" -parentBuildID 20221007134813 -prefsHandle 1240 -prefMapHandle 1092 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c02ff2fe-f673-48e8-a030-f7d76488847f} 2632 "\\.\pipe\gecko-crash-server-pipe.2632" 1356 108d9b58 gpu
                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                      PID:2032
                                                                                                                                                                                                                                                                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2632.1.130241572\1135538888" -parentBuildID 20221007134813 -prefsHandle 1536 -prefMapHandle 1532 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e86b6b6-e200-48e4-b2b5-58624372f94d} 2632 "\\.\pipe\gecko-crash-server-pipe.2632" 1548 3decd58 socket
                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                        PID:2008
                                                                                                                                                                                                                                                                                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2632.2.1104981033\1348662543" -childID 1 -isForBrowser -prefsHandle 1968 -prefMapHandle 1964 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb8768d1-9936-408b-9fed-7e85380d703d} 2632 "\\.\pipe\gecko-crash-server-pipe.2632" 1980 19168858 tab
                                                                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                                                                          PID:2928
                                                                                                                                                                                                                                                                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2632.3.518085715\3615884" -childID 2 -isForBrowser -prefsHandle 2672 -prefMapHandle 2668 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {459a9fee-0c8f-4917-b709-139a361714ef} 2632 "\\.\pipe\gecko-crash-server-pipe.2632" 2688 d64258 tab
                                                                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                                                                            PID:2096
                                                                                                                                                                                                                                                                                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2632.4.986579989\798769959" -childID 3 -isForBrowser -prefsHandle 3832 -prefMapHandle 3784 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa6eef1a-c558-4664-87cb-0dd6042b4ca0} 2632 "\\.\pipe\gecko-crash-server-pipe.2632" 3620 1f7efc58 tab
                                                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                                                              PID:3396
                                                                                                                                                                                                                                                                                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2632.5.1713269195\177640181" -childID 4 -isForBrowser -prefsHandle 3940 -prefMapHandle 3944 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {04380078-7495-43a7-a68f-a43a2226c7fd} 2632 "\\.\pipe\gecko-crash-server-pipe.2632" 3928 20277658 tab
                                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                                PID:3404
                                                                                                                                                                                                                                                                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2632.6.756747223\1318171671" -childID 5 -isForBrowser -prefsHandle 4108 -prefMapHandle 4112 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e8c5988-3d03-42ef-9f82-27ca64bd16e6} 2632 "\\.\pipe\gecko-crash-server-pipe.2632" 4092 20278558 tab
                                                                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                                                                  PID:3412
                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\1014618001\9fa3e049c5.exe
                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\1014618001\9fa3e049c5.exe"
                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                                                                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                            • Identifies Wine through registry keys
                                                                                                                                                                                                                                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                            PID:956
                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\1014619001\7598ef26ae.exe
                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\1014619001\7598ef26ae.exe"
                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                            • Modifies Windows Defender Real-time Protection settings
                                                                                                                                                                                                                                                                                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                                                                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                            • Identifies Wine through registry keys
                                                                                                                                                                                                                                                                                                                            • Windows security modification
                                                                                                                                                                                                                                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                            PID:1920
                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\1014620001\06640124c4.exe
                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\1014620001\06640124c4.exe"
                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                                                                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                            • Identifies Wine through registry keys
                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                            PID:2132
                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\1014621001\f23b673027.exe
                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\1014621001\f23b673027.exe"
                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                            PID:3248
                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                              cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                              PID:1992
                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\mode.com
                                                                                                                                                                                                                                                                                                                                mode 65,10
                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                  PID:1108
                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                                                                                                                                                                                                                                                                                                                                  7z.exe e file.zip -p24291711423417250691697322505 -oextracted
                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                  PID:1672
                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                                                                                                                                                                                                                                                                                                                                  7z.exe e extracted/file_7.zip -oextracted
                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                  PID:3176
                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                                                                                                                                                                                                                                                                                                                                  7z.exe e extracted/file_6.zip -oextracted
                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                  PID:3360
                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                                                                                                                                                                                                                                                                                                                                  7z.exe e extracted/file_5.zip -oextracted
                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                  PID:3344
                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                                                                                                                                                                                                                                                                                                                                  7z.exe e extracted/file_4.zip -oextracted
                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                  PID:3272
                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                                                                                                                                                                                                                                                                                                                                  7z.exe e extracted/file_3.zip -oextracted
                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                  PID:768
                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                                                                                                                                                                                                                                                                                                                                  7z.exe e extracted/file_2.zip -oextracted
                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                  PID:3444
                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                                                                                                                                                                                                                                                                                                                                  7z.exe e extracted/file_1.zip -oextracted
                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                  PID:3224
                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\attrib.exe
                                                                                                                                                                                                                                                                                                                                  attrib +H "in.exe"
                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                  • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                  PID:3540
                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\main\in.exe
                                                                                                                                                                                                                                                                                                                                  "in.exe"
                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                  PID:3560
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\attrib.exe
                                                                                                                                                                                                                                                                                                                                    attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
                                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                                    • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                    PID:3576
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\attrib.exe
                                                                                                                                                                                                                                                                                                                                    attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
                                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                                    • Views/modifies file attributes
                                                                                                                                                                                                                                                                                                                                    PID:3376
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                    schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
                                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                                    PID:1756
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                    powershell ping 127.0.0.1; del in.exe
                                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                                                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                    PID:852
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\PING.EXE
                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\PING.EXE" 127.0.0.1
                                                                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                                                                                                                                                                                                                      • Runs ping.exe
                                                                                                                                                                                                                                                                                                                                      PID:3832
                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1014622001\cfe580376d.exe
                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\1014622001\cfe580376d.exe"
                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                              PID:3816
                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1014623001\835ab2b05d.exe
                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\1014623001\835ab2b05d.exe"
                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                              • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                              • Modifies system certificate store
                                                                                                                                                                                                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                              PID:4080
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1014623001\835ab2b05d.exe" & rd /s /q "C:\ProgramData\HD2VK6XT2VAI" & exit
                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                PID:3224
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                                                                                                                                  timeout /t 10
                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                  PID:3564
                                                                                                                                                                                                                                                                                                                        • C:\Windows\sysWOW64\wbem\wmiprvse.exe
                                                                                                                                                                                                                                                                                                                          C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                            PID:3680
                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\taskeng.exe
  taskeng.exe {A7D04A0A-2259-4EA8-8312-EF64FCE0C80B} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
  1⤵
  • Loads dropped DLL
  PID:544
  • C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
    C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
    2⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    PID:3860
    • C:\Windows\explorer.exe
      explorer.exe
      3⤵
        PID:2408
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
        3⤵
        • Drops file in System32 directory
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3316
        • C:\Windows\system32\PING.EXE
          "C:\Windows\system32\PING.EXE" 127.1.10.1
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3712

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f

  Filesize

  153KB

• C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip

  Filesize

  120KB

• C:\Program Files\Windows Media Player\graph\graph.exe

  Filesize

  245KB

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

  Filesize

  854B

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

  Filesize

  717B

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

  Filesize

  1KB

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6DA548C7E5915679F87E910D6581DEF1_19CA6F55DA8A3B0AB12F649B745C90D5

    Filesize

    471B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_6F7C58D8F5DC37AD0C4A3BEB81BE1660

    Filesize

    472B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D73CE810F817D372CC78C5824C36E338

    Filesize

    504B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    1KB

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

    Filesize

    170B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

    Filesize

    192B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

    Filesize

    410B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6DA548C7E5915679F87E910D6581DEF1_19CA6F55DA8A3B0AB12F649B745C90D5

    Filesize

    402B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_6F7C58D8F5DC37AD0C4A3BEB81BE1660

    Filesize

    398B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D73CE810F817D372CC78C5824C36E338

    Filesize

    550B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    242B

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\download[1].htm

    Filesize

    1B

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\activity-stream.discovery_stream.json.tmp

    Filesize

    32KB

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

    Filesize

    15KB

  • C:\Users\Admin\AppData\Local\Temp\1014365001\W4KLQf7.exe

    Filesize

    3.7MB

  • C:\Users\Admin\AppData\Local\Temp\1014430001\dwVrTdy.exe

    Filesize

    591KB

                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1014564001\9JTVo50.exe

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              2.5MB

                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1014611001\WkfyDiO.exe

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              5.6MB

                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1014617001\3da609c405.exe

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              946KB

                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1014618001\9fa3e049c5.exe

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              1.7MB

                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1014619001\7598ef26ae.exe

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              2.7MB

                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1014620001\06640124c4.exe

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              1.9MB

                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1014621001\f23b673027.exe

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              4.2MB

                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1014622001\cfe580376d.exe

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              710KB

                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1014623001\835ab2b05d.exe

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              384KB

                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Cab898.tmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              70KB

                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Tar166F.tmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              181KB

                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              3.1MB

                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\main\7z.dll

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              1.6MB

                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\main\7z.exe

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              458KB

                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\main\file.bin

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              3.3MB

                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\main\main.bat

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              440B

  • C:\Users\Admin\AppData\Local\Temp\tmp59B4.tmp.bat

    Filesize

    297B

  • C:\Users\Admin\AppData\Local\Temp\tmpaddon

    Filesize

    442KB

  • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

    Filesize

    8.0MB

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KUZCGMS5PHDPIEZ5SFIM.temp

    Filesize

    7KB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\db\data.safe.bin

    Filesize

    9KB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\a0a43b30-ae5a-4ec1-a9aa-fc6e1802f45d

    Filesize

    733B

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

    Filesize

    997KB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

    Filesize

    116B

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

    Filesize

    479B

                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              372B

                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              11.8MB

                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              1KB

                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              1KB

                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs-1.js

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              6KB

                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs-1.js

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              7KB

                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs-1.js

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              6KB

                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs.js

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              6KB


  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4

    Filesize

    4KB


  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

    Filesize

    184KB


  • \Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

    Filesize

    1.7MB



                                                                                                                                                                                                                                                                                                                            • memory/2132-677-0x0000000010000000-0x000000001001C000-memory.dmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              112KB

                                                                                                                                                                                                                                                                                                                            • memory/2132-612-0x0000000000400000-0x0000000000C85000-memory.dmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              8.5MB

                                                                                                                                                                                                                                                                                                                            • memory/2132-611-0x0000000000400000-0x0000000000C85000-memory.dmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              8.5MB

                                                                                                                                                                                                                                                                                                                            • memory/2372-2-0x00000000010F1000-0x0000000001159000-memory.dmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              416KB

                                                                                                                                                                                                                                                                                                                            • memory/2372-15-0x00000000010F0000-0x0000000001407000-memory.dmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              3.1MB

                                                                                                                                                                                                                                                                                                                            • memory/2372-4-0x00000000010F0000-0x0000000001407000-memory.dmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              3.1MB

                                                                                                                                                                                                                                                                                                                            • memory/2372-17-0x00000000010F1000-0x0000000001159000-memory.dmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              416KB

                                                                                                                                                                                                                                                                                                                            • memory/2372-3-0x00000000010F0000-0x0000000001407000-memory.dmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              3.1MB

                                                                                                                                                                                                                                                                                                                            • memory/2372-0-0x00000000010F0000-0x0000000001407000-memory.dmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              3.1MB

                                                                                                                                                                                                                                                                                                                            • memory/2372-1-0x0000000077650000-0x0000000077652000-memory.dmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              8KB

                                                                                                                                                                                                                                                                                                                            • memory/2408-1040-0x0000000140000000-0x0000000140770000-memory.dmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              7.4MB

                                                                                                                                                                                                                                                                                                                            • memory/2408-1037-0x0000000140000000-0x0000000140770000-memory.dmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              7.4MB

                                                                                                                                                                                                                                                                                                                            • memory/2408-1035-0x0000000140000000-0x0000000140770000-memory.dmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              7.4MB

                                                                                                                                                                                                                                                                                                                            • memory/2408-1036-0x0000000140000000-0x0000000140770000-memory.dmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              7.4MB

                                                                                                                                                                                                                                                                                                                            • memory/2408-1034-0x0000000140000000-0x0000000140770000-memory.dmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              7.4MB

                                                                                                                                                                                                                                                                                                                            • memory/2408-1038-0x0000000140000000-0x0000000140770000-memory.dmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              7.4MB

                                                                                                                                                                                                                                                                                                                            • memory/2408-1039-0x0000000140000000-0x0000000140770000-memory.dmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              7.4MB

                                                                                                                                                                                                                                                                                                                            • memory/2408-1041-0x0000000140000000-0x0000000140770000-memory.dmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              7.4MB

                                                                                                                                                                                                                                                                                                                            • memory/2408-1052-0x0000000000140000-0x0000000000160000-memory.dmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              128KB

                                                                                                                                                                                                                                                                                                                            • memory/2408-1053-0x0000000140000000-0x0000000140770000-memory.dmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              7.4MB

                                                                                                                                                                                                                                                                                                                            • memory/2408-1051-0x0000000140000000-0x0000000140770000-memory.dmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              7.4MB

                                                                                                                                                                                                                                                                                                                            • memory/2408-1054-0x0000000140000000-0x0000000140770000-memory.dmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              7.4MB

                                                                                                                                                                                                                                                                                                                            • memory/2568-250-0x0000000000250000-0x00000000002A7000-memory.dmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              348KB

                                                                                                                                                                                                                                                                                                                            • memory/2728-247-0x0000000006610000-0x0000000006C96000-memory.dmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              6.5MB

                                                                                                                                                                                                                                                                                                                            • memory/2728-276-0x0000000006610000-0x00000000068C4000-memory.dmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              2.7MB

                                                                                                                                                                                                                                                                                                                            • memory/2728-920-0x0000000000F80000-0x0000000001297000-memory.dmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              3.1MB

                                                                                                                                                                                                                                                                                                                            • memory/2728-96-0x0000000000F80000-0x0000000001297000-memory.dmp

                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                              3.1MB
