nanocore | 9e1751025908631420ddd8257775bedc2d57becd923a73e488e6b45a7fa69e05

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2025, 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe
Size

392KB
MD5

3a9720029c0f5bb91544409a999c9d09
SHA1

0c2e6bcd2117b30496df63bc36c7955a6bfc6635
SHA256

9e1751025908631420ddd8257775bedc2d57becd923a73e488e6b45a7fa69e05
SHA512

8d0af9fa03271b7e2e0c07ad448bebc49351791de44f4d7d3d151bb796f186f190b9823d865dd7c5947e60e2007efc3990b5e4dd965f6bbbe1048a53e8241674
SSDEEP

6144:31+Q6D6DuaHqL6K5bTQpgwjCv9EekXJjfnrCevDYUauHFptA8uDYMrmT8:3/6OaamerCmfZfnme74uHF3A8uDd

Score

10^/10

nanocore discovery evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

146.255.79.172:6789

omada12.mooo.com:6789

Mutex

f73fa5dc-696f-4685-a6af-b9bb78345ab2

Attributes

activate_away_mode
true
backup_connection_host
omada12.mooo.com
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-02-16T23:00:42.179393136Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
true
connect_delay
4000
connection_port
6789
default_group
ANGL
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
f73fa5dc-696f-4685-a6af-b9bb78345ab2
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
146.255.79.172
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe

Executes dropped EXE 2 IoCs

pid	Process
4800	tmp.exe
3912	svhost.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tmp.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

discovery

Process Discovery

T1057

pid	Process
3252	tasklist.exe
4436	tasklist.exe
8740	tasklist.exe
9304	tasklist.exe
10704	tasklist.exe
11168	tasklist.exe
6036	tasklist.exe
4720	tasklist.exe
11612	tasklist.exe
7772	tasklist.exe
7892	tasklist.exe
9900	tasklist.exe
9224	tasklist.exe
2160	tasklist.exe
7964	tasklist.exe
7124	tasklist.exe
8508	tasklist.exe
9532	tasklist.exe
10012	tasklist.exe
5548	tasklist.exe
6700	tasklist.exe
11968	tasklist.exe
6364	tasklist.exe
9304	tasklist.exe
5284	tasklist.exe
11728	tasklist.exe
11376	tasklist.exe
12204	tasklist.exe
5712	tasklist.exe
6516	tasklist.exe
8056	tasklist.exe
10024	tasklist.exe
9304	tasklist.exe
6392	tasklist.exe
1416	tasklist.exe
11848	tasklist.exe
4368	tasklist.exe
8068	tasklist.exe
11452	tasklist.exe
5696	tasklist.exe
8928	tasklist.exe
10492	tasklist.exe
11000	tasklist.exe
12096	tasklist.exe
5348	tasklist.exe
4600	tasklist.exe
4808	tasklist.exe
6824	tasklist.exe
7512	tasklist.exe
7976	tasklist.exe
7756	tasklist.exe
2664	tasklist.exe
10328	tasklist.exe
4108	tasklist.exe
5704	tasklist.exe
7184	tasklist.exe
7300	tasklist.exe
10336	tasklist.exe
10824	tasklist.exe
452	tasklist.exe
5836	tasklist.exe
664	tasklist.exe
7852	tasklist.exe
8276	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2612 set thread context of 3912	2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe	100

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe
File created	C:\Windows\assembly\Desktop.ini	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
2720	timeout.exe
632	timeout.exe
3796	timeout.exe
3804	timeout.exe
10228	timeout.exe
4100	timeout.exe
5912	timeout.exe
6844	timeout.exe
10320	timeout.exe
11600	timeout.exe
11952	timeout.exe
9884	timeout.exe
10236	timeout.exe
8884	timeout.exe
11324	timeout.exe
11628	timeout.exe
11200	timeout.exe
2812	timeout.exe
5540	timeout.exe
7996	timeout.exe
10644	timeout.exe
10492	timeout.exe
11452	timeout.exe
10444	timeout.exe
692	timeout.exe
5564	timeout.exe
8160	timeout.exe
7988	timeout.exe
7688	timeout.exe
8372	timeout.exe
9572	timeout.exe
12276	timeout.exe
12096	timeout.exe
7284	timeout.exe
8268	timeout.exe
9644	timeout.exe
10952	timeout.exe
5032	timeout.exe
8380	timeout.exe
8536	timeout.exe
8740	timeout.exe
11356	timeout.exe
6892	timeout.exe
9564	timeout.exe
9092	timeout.exe
628	timeout.exe
3512	timeout.exe
184	timeout.exe
5372	timeout.exe
7612	timeout.exe
8172	timeout.exe
2596	timeout.exe
1596	timeout.exe
4628	timeout.exe
11440	timeout.exe
11828	timeout.exe
6572	timeout.exe
6760	timeout.exe
7628	timeout.exe
3840	timeout.exe
9804	timeout.exe
11152	timeout.exe
11232	timeout.exe
11860	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\FolderN\tygfdfxxz:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe
2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe
2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe
2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe
2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe
2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe
2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe
2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe
2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe
4800	tmp.exe
4800	tmp.exe
4800	tmp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4800	tmp.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe
Token: SeDebugPrivilege	4800	tmp.exe
Token: SeDebugPrivilege	4600	tasklist.exe
Token: SeDebugPrivilege	2340	tasklist.exe
Token: SeDebugPrivilege	3620	tasklist.exe
Token: SeDebugPrivilege	592	tasklist.exe
Token: SeDebugPrivilege	5100	tasklist.exe
Token: SeDebugPrivilege	8	tasklist.exe
Token: SeDebugPrivilege	664	tasklist.exe
Token: SeDebugPrivilege	4556	tasklist.exe
Token: SeDebugPrivilege	4404	tasklist.exe
Token: SeDebugPrivilege	1644	tasklist.exe
Token: SeDebugPrivilege	4108	tasklist.exe
Token: SeDebugPrivilege	4720	tasklist.exe
Token: SeDebugPrivilege	4808	tasklist.exe
Token: SeDebugPrivilege	2812	tasklist.exe
Token: SeDebugPrivilege	3252	tasklist.exe
Token: SeDebugPrivilege	1548	tasklist.exe
Token: SeDebugPrivilege	4556	tasklist.exe
Token: SeDebugPrivilege	184	tasklist.exe
Token: SeDebugPrivilege	3388	tasklist.exe
Token: SeDebugPrivilege	368	tasklist.exe
Token: SeDebugPrivilege	3376	tasklist.exe
Token: SeDebugPrivilege	4436	tasklist.exe
Token: SeDebugPrivilege	4080	tasklist.exe
Token: SeDebugPrivilege	1952	tasklist.exe
Token: SeDebugPrivilege	4428	tasklist.exe
Token: SeDebugPrivilege	5520	tasklist.exe
Token: SeDebugPrivilege	5712	tasklist.exe
Token: SeDebugPrivilege	5932	tasklist.exe
Token: SeDebugPrivilege	5280	tasklist.exe
Token: SeDebugPrivilege	5696	tasklist.exe
Token: SeDebugPrivilege	5952	tasklist.exe
Token: SeDebugPrivilege	3868	tasklist.exe
Token: SeDebugPrivilege	5580	tasklist.exe
Token: SeDebugPrivilege	5284	tasklist.exe
Token: SeDebugPrivilege	5752	tasklist.exe
Token: SeDebugPrivilege	3816	tasklist.exe
Token: SeDebugPrivilege	5376	tasklist.exe
Token: SeDebugPrivilege	6248	tasklist.exe
Token: SeDebugPrivilege	6368	tasklist.exe
Token: SeDebugPrivilege	6472	tasklist.exe
Token: SeDebugPrivilege	6588	tasklist.exe
Token: SeDebugPrivilege	6704	tasklist.exe
Token: SeDebugPrivilege	6820	tasklist.exe
Token: SeDebugPrivilege	7040	tasklist.exe
Token: SeDebugPrivilege	5360	tasklist.exe
Token: SeDebugPrivilege	6400	tasklist.exe
Token: SeDebugPrivilege	6824	tasklist.exe
Token: SeDebugPrivilege	5704	tasklist.exe
Token: SeDebugPrivilege	6364	tasklist.exe
Token: SeDebugPrivilege	7116	tasklist.exe
Token: SeDebugPrivilege	7124	tasklist.exe
Token: SeDebugPrivilege	6516	tasklist.exe
Token: SeDebugPrivilege	6224	tasklist.exe
Token: SeDebugPrivilege	6844	tasklist.exe
Token: SeDebugPrivilege	6940	tasklist.exe
Token: SeDebugPrivilege	7184	tasklist.exe
Token: SeDebugPrivilege	7300	tasklist.exe
Token: SeDebugPrivilege	7408	tasklist.exe
Token: SeDebugPrivilege	7512	tasklist.exe
Token: SeDebugPrivilege	7628	tasklist.exe
Token: SeDebugPrivilege	7740	tasklist.exe
Token: SeDebugPrivilege	7852	tasklist.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 3092	2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe	96
PID 2612 wrote to memory of 3092	2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe	96
PID 2612 wrote to memory of 3092	2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe	96
PID 3092 wrote to memory of 936	3092	cmd.exe	98
PID 3092 wrote to memory of 936	3092	cmd.exe	98
PID 3092 wrote to memory of 936	3092	cmd.exe	98
PID 2612 wrote to memory of 4800	2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe	99
PID 2612 wrote to memory of 4800	2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe	99
PID 2612 wrote to memory of 4800	2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe	99
PID 2612 wrote to memory of 3912	2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe	100
PID 2612 wrote to memory of 3912	2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe	100
PID 2612 wrote to memory of 3912	2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe	100
PID 2612 wrote to memory of 3912	2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe	100
PID 2612 wrote to memory of 3912	2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe	100
PID 2612 wrote to memory of 3912	2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe	100
PID 2612 wrote to memory of 3912	2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe	100
PID 2612 wrote to memory of 3912	2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe	100
PID 2612 wrote to memory of 516	2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe	101
PID 2612 wrote to memory of 516	2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe	101
PID 2612 wrote to memory of 516	2612	JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe	101
PID 516 wrote to memory of 628	516	cmd.exe	103
PID 516 wrote to memory of 628	516	cmd.exe	103
PID 516 wrote to memory of 628	516	cmd.exe	103
PID 516 wrote to memory of 4600	516	cmd.exe	104
PID 516 wrote to memory of 4600	516	cmd.exe	104
PID 516 wrote to memory of 4600	516	cmd.exe	104
PID 516 wrote to memory of 884	516	cmd.exe	105
PID 516 wrote to memory of 884	516	cmd.exe	105
PID 516 wrote to memory of 884	516	cmd.exe	105
PID 516 wrote to memory of 3856	516	cmd.exe	106
PID 516 wrote to memory of 3856	516	cmd.exe	106
PID 516 wrote to memory of 3856	516	cmd.exe	106
PID 3856 wrote to memory of 1596	3856	cmd.exe	108
PID 3856 wrote to memory of 1596	3856	cmd.exe	108
PID 3856 wrote to memory of 1596	3856	cmd.exe	108
PID 3856 wrote to memory of 2340	3856	cmd.exe	109
PID 3856 wrote to memory of 2340	3856	cmd.exe	109
PID 3856 wrote to memory of 2340	3856	cmd.exe	109
PID 3856 wrote to memory of 1884	3856	cmd.exe	110
PID 3856 wrote to memory of 1884	3856	cmd.exe	110
PID 3856 wrote to memory of 1884	3856	cmd.exe	110
PID 3856 wrote to memory of 2848	3856	cmd.exe	111
PID 3856 wrote to memory of 2848	3856	cmd.exe	111
PID 3856 wrote to memory of 2848	3856	cmd.exe	111
PID 2848 wrote to memory of 2720	2848	cmd.exe	113
PID 2848 wrote to memory of 2720	2848	cmd.exe	113
PID 2848 wrote to memory of 2720	2848	cmd.exe	113
PID 2848 wrote to memory of 3620	2848	cmd.exe	114
PID 2848 wrote to memory of 3620	2848	cmd.exe	114
PID 2848 wrote to memory of 3620	2848	cmd.exe	114
PID 2848 wrote to memory of 3124	2848	cmd.exe	115
PID 2848 wrote to memory of 3124	2848	cmd.exe	115
PID 2848 wrote to memory of 3124	2848	cmd.exe	115
PID 2848 wrote to memory of 2940	2848	cmd.exe	116
PID 2848 wrote to memory of 2940	2848	cmd.exe	116
PID 2848 wrote to memory of 2940	2848	cmd.exe	116
PID 2940 wrote to memory of 3512	2940	cmd.exe	118
PID 2940 wrote to memory of 3512	2940	cmd.exe	118
PID 2940 wrote to memory of 3512	2940	cmd.exe	118
PID 2940 wrote to memory of 592	2940	cmd.exe	119
PID 2940 wrote to memory of 592	2940	cmd.exe	119
PID 2940 wrote to memory of 592	2940	cmd.exe	119
PID 2940 wrote to memory of 1552	2940	cmd.exe	120
PID 2940 wrote to memory of 1552	2940	cmd.exe	120

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3a9720029c0f5bb91544409a999c9d09.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\tygfdfxxz.lnk" /f
    3⤵
    PID:936
- C:\Users\Admin\AppData\Roaming\tmp.exe
  "C:\Users\Admin\AppData\Roaming\tmp.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:4800
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  PID:3912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svhost.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa208f46f8,0x7ffa208f4708,0x7ffa208f4718
      4⤵
      PID:2028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,11983764496755279815,4188503827885875229,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
      4⤵
      PID:2612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,11983764496755279815,4188503827885875229,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
      4⤵
      PID:1684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,11983764496755279815,4188503827885875229,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
      4⤵
      PID:1800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,11983764496755279815,4188503827885875229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
      4⤵
      PID:5140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,11983764496755279815,4188503827885875229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
      4⤵
      PID:5172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,11983764496755279815,4188503827885875229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
      4⤵
      PID:5892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,11983764496755279815,4188503827885875229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
      4⤵
      PID:6068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,11983764496755279815,4188503827885875229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
      4⤵
      PID:5744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,11983764496755279815,4188503827885875229,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
      4⤵
      PID:7004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,11983764496755279815,4188503827885875229,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
      4⤵
      PID:6456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,11983764496755279815,4188503827885875229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
      4⤵
      PID:6488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,11983764496755279815,4188503827885875229,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
      4⤵
      PID:6512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,11983764496755279815,4188503827885875229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
      4⤵
      PID:6424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,11983764496755279815,4188503827885875229,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
      4⤵
      PID:6396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svhost.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    PID:5352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa208f46f8,0x7ffa208f4708,0x7ffa208f4718
      4⤵
      PID:5328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6006599339700
    3⤵
    - Delays execution with timeout.exe
    PID:628
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /nh /fi "imagename eq .exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4600
- - C:\Windows\SysWOW64\find.exe
    find /i ".exe"
    3⤵
    PID:884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3856
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 6006599339700
      4⤵
      PID:1596
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /nh /fi "imagename eq .exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2340
  - - C:\Windows\SysWOW64\find.exe
      find /i ".exe"
      4⤵
      PID:1884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        5⤵
        Delays execution with timeout.exe
        
        PID:2720
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3620
    - - C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        5⤵
        
        PID:3124
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        6⤵
        Delays execution with timeout.exe
        
        PID:3512
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:592
      - C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        6⤵
        
        PID:1552
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        6⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        7⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5100
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        7⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        7⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        8⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:8
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        8⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        9⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        9⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        9⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        10⤵
        Delays execution with timeout.exe
        
        PID:692
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4556
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        10⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        11⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4404
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        11⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        11⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        12⤵
        Delays execution with timeout.exe
        
        PID:184
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        12⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        12⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        12⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        13⤵
        Delays execution with timeout.exe
        
        PID:632
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        13⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4108
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        13⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        13⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        14⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        14⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4720
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        14⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        14⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        15⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        15⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4808
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        15⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        15⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        16⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        16⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        16⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:3404
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        17⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        17⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3252
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        17⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        17⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        18⤵
        Delays execution with timeout.exe
        
        PID:3796
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        18⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        18⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        18⤵
        
        PID:852
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        19⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        19⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4556
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        19⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        19⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        20⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        20⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:184
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        20⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        20⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        21⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        21⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3388
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        21⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        21⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        22⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        22⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:368
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        22⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        22⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3376
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        23⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        23⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        24⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        24⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4436
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        24⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        24⤵
        
        PID:664
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        25⤵
        Delays execution with timeout.exe
        
        PID:5032
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4080
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        25⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        26⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        26⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        26⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        26⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        27⤵
        Delays execution with timeout.exe
        
        PID:2812
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        27⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4428
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        27⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        28⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5520
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        28⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        28⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        29⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        29⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5712
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        29⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        29⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        30⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        30⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5932
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        30⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        30⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        31⤵
        
        PID:552
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        31⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5280
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        31⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        31⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        32⤵
        Delays execution with timeout.exe
        
        PID:5564
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        32⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5696
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        32⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        32⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        33⤵
        Delays execution with timeout.exe
        
        PID:5912
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        33⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5952
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        33⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        33⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        34⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        34⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3868
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        34⤵
        
        PID:5364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        35⤵
        Delays execution with timeout.exe
        
        PID:5540
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        35⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5580
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        35⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        35⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        36⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        36⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5284
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        36⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        36⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        37⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        37⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5752
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        37⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        37⤵
        
        PID:5396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        38⤵
        Delays execution with timeout.exe
        
        PID:3804
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        38⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3816
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        38⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        39⤵
        Delays execution with timeout.exe
        
        PID:5372
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        39⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5376
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        39⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        39⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        40⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        40⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6248
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        40⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        40⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        41⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        41⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6368
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        41⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        41⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        42⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        42⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6472
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        42⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        42⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        43⤵
        Delays execution with timeout.exe
        
        PID:6572
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        43⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6588
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        43⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        43⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        44⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        44⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6704
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        44⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        44⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        45⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        45⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6820
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        45⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        45⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        46⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        46⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:7040
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        46⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        46⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        47⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        47⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5360
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        47⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        47⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        48⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        48⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6400
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:6384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        48⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        49⤵
        Delays execution with timeout.exe
        
        PID:6760
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        49⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6824
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        49⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        49⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        50⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        50⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5704
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        50⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        50⤵
        
        PID:5252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        51⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        51⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6364
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        51⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        51⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:6844
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        52⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7116
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        52⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        52⤵
        
        PID:5744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        53⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:6844
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        53⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:7124
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        53⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        53⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        54⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        54⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6516
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        54⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:7128
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        55⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        55⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6224
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        55⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        55⤵
        
        PID:5756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        56⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        56⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6844
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        56⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        56⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        57⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        57⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6940
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:6488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        57⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        58⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        58⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:7184
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        58⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:7228
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        59⤵
        Delays execution with timeout.exe
        
        PID:7284
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        59⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:7300
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        59⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        59⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        60⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        60⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7408
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        60⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        60⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        61⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        61⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:7512
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        61⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        61⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        62⤵
        Delays execution with timeout.exe
        
        PID:7612
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        62⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7628
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        62⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        62⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        63⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        63⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7740
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        63⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        63⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        64⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        64⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:7852
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        64⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:7896
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        65⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        65⤵
        Enumerates processes with tasklist
        
        PID:7964
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        65⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        65⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        66⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        66⤵
        Enumerates processes with tasklist
        
        PID:8068
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:8076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        66⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        67⤵
        Delays execution with timeout.exe
        
        PID:8160
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        67⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        67⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        67⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        68⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        68⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        68⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        68⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        69⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        69⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        69⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:7524
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        70⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        70⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        70⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        70⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        71⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        71⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        71⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        71⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        72⤵
        Delays execution with timeout.exe
        
        PID:7988
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        72⤵
        Enumerates processes with tasklist
        
        PID:8056
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        72⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        72⤵
        
        PID:8080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        73⤵
        Delays execution with timeout.exe
        
        PID:8172
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        73⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:8188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        73⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        74⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        74⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:7448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        74⤵
        
        PID:7532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        75⤵
        Delays execution with timeout.exe
        
        PID:7628
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        75⤵
        Enumerates processes with tasklist
        
        PID:7772
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        75⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        75⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        76⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        76⤵
        Enumerates processes with tasklist
        
        PID:7976
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        76⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        76⤵
        
        PID:8072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        77⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        77⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        77⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        78⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        78⤵
        Enumerates processes with tasklist
        
        PID:7756
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        78⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        78⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        79⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        79⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        79⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        79⤵
        
        PID:7340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        80⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        80⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        80⤵
        Enumerates processes with tasklist
        
        PID:7892
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        80⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        80⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        81⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        81⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        81⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        81⤵
        
        PID:8056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        82⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        82⤵
        Delays execution with timeout.exe
        
        PID:7688
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        82⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        82⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        82⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        83⤵
        Delays execution with timeout.exe
        
        PID:7996
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        83⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        83⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        83⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        84⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        84⤵
        Enumerates processes with tasklist
        
        PID:8276
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        84⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        84⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        85⤵
        Delays execution with timeout.exe
        
        PID:8372
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        85⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        85⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        85⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        86⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        86⤵
        Enumerates processes with tasklist
        
        PID:8508
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        86⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        86⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        87⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        87⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        87⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        87⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        88⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        88⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        88⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        88⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        89⤵
        
        PID:8856
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        89⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:8880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        89⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        90⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        90⤵
        
        PID:8988
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        90⤵
        
        PID:8996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        90⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        91⤵
        
        PID:9092
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:9108
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        91⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        91⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        92⤵
        Delays execution with timeout.exe
        
        PID:2596
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        92⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        92⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        92⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        93⤵
        Delays execution with timeout.exe
        
        PID:8380
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        93⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:8392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        93⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        94⤵
        Delays execution with timeout.exe
        
        PID:8536
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        94⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        94⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        94⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        95⤵
        Delays execution with timeout.exe
        
        PID:8740
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        95⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        95⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        95⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        96⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        96⤵
        Enumerates processes with tasklist
        
        PID:8928
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        96⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        96⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        97⤵
        Delays execution with timeout.exe
        
        PID:9092
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        97⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        97⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        97⤵
        
        PID:3036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        98⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        98⤵
        Delays execution with timeout.exe
        
        PID:8268
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        98⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        98⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        98⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        99⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        99⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        99⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        99⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        100⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        100⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        100⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        100⤵
        
        PID:8996
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        101⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        101⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        101⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        101⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        102⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        102⤵
        Enumerates processes with tasklist
        
        PID:8740
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        102⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        102⤵
        
        PID:8772
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:9128
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        103⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        103⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        103⤵
        
        PID:9144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        104⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        104⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        104⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        104⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        104⤵
        
        PID:8900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        105⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        105⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:6956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        105⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        106⤵
        Delays execution with timeout.exe
        
        PID:3840
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        106⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        106⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        106⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        107⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        107⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        107⤵
        
        PID:9244
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:9288
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        108⤵
        Enumerates processes with tasklist
        
        PID:9304
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        108⤵
        
        PID:9312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        108⤵
        
        PID:9356
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        109⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        109⤵
        
        PID:9416
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        109⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        109⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        110⤵
        
        PID:9516
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        110⤵
        Enumerates processes with tasklist
        
        PID:9532
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        110⤵
        
        PID:9540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        110⤵
        
        PID:9588
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        111⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:9644
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        111⤵
        
        PID:9668
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        111⤵
        
        PID:9676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        111⤵
        
        PID:9712
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        112⤵
        
        PID:9776
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        112⤵
        
        PID:9792
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        112⤵
        
        PID:9800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        112⤵
        
        PID:9836
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        113⤵
        Delays execution with timeout.exe
        
        PID:9884
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        113⤵
        Enumerates processes with tasklist
        
        PID:9900
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        113⤵
        
        PID:9908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        113⤵
        
        PID:9952
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        114⤵
        
        PID:9996
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        114⤵
        Enumerates processes with tasklist
        
        PID:10012
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:10020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        114⤵
        
        PID:10056
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        115⤵
        
        PID:10108
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        115⤵
        
        PID:10124
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        115⤵
        
        PID:10132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        115⤵
        
        PID:10168
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        116⤵
        Delays execution with timeout.exe
        
        PID:10228
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        116⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        116⤵
        
        PID:9124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        116⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        117⤵
        
        PID:9324
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        117⤵
        Enumerates processes with tasklist
        
        PID:9304
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        117⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        117⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        118⤵
        
        PID:9524
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        118⤵
        Enumerates processes with tasklist
        
        PID:5548
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        118⤵
        
        PID:9572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        118⤵
        
        PID:9556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:9540
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        119⤵
        
        PID:9700
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        119⤵
        
        PID:9704
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        119⤵
        
        PID:9672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        119⤵
        
        PID:9780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        120⤵
        
        PID:9776
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        120⤵
        Delays execution with timeout.exe
        
        PID:9804
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        120⤵
        
        PID:9884
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        120⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        120⤵
        
        PID:9908
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        121⤵
        
        PID:10028
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        121⤵
        Enumerates processes with tasklist
        
        PID:10024
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        121⤵
        
        PID:10068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        121⤵
        
        PID:10128
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        122⤵
        
        PID:10236
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        122⤵
        
        PID:9224
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        122⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        122⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        123⤵
        
        PID:9412
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        123⤵
        Enumerates processes with tasklist
        
        PID:9304
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        123⤵
        
        PID:9368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        123⤵
        
        PID:9524
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        124⤵
        Delays execution with timeout.exe
        
        PID:9572
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        124⤵
        
        PID:9688
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        124⤵
        
        PID:9676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:9672
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        125⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        125⤵
        
        PID:9884
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        125⤵
        
        PID:9940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:10020
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        126⤵
        Delays execution with timeout.exe
        
        PID:10236
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        126⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        126⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        126⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        127⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        127⤵
        
        PID:9572
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        127⤵
        
        PID:9700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        127⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:9920
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        128⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        128⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        128⤵
        
        PID:9940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:10024
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        129⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        129⤵
        Enumerates processes with tasklist
        
        PID:9224
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        129⤵
        
        PID:9312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        129⤵
        
        PID:9904
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        130⤵
        
        PID:9684
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        130⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        130⤵
        
        PID:9572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        130⤵
        
        PID:8408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:9920
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        131⤵
        
        PID:10116
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        131⤵
        
        PID:10048
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        131⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        131⤵
        
        PID:6452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        132⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        132⤵
        Delays execution with timeout.exe
        
        PID:1596
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        132⤵
        
        PID:9236
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        132⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        133⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        133⤵
        Enumerates processes with tasklist
        
        PID:6700
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        133⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        133⤵
        
        PID:9236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        134⤵
        
        PID:9572
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        134⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        134⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        134⤵
        
        PID:10148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        134⤵
        
        PID:10028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        135⤵
        
        PID:9688
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        135⤵
        
        PID:9916
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        135⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        135⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        136⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        136⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:9916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        136⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        137⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        137⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        137⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        137⤵
        
        PID:10264
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        138⤵
        Delays execution with timeout.exe
        
        PID:10320
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        138⤵
        Enumerates processes with tasklist
        
        PID:10336
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        138⤵
        
        PID:10344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        138⤵
        
        PID:10388
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        139⤵
        
        PID:10440
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        139⤵
        
        PID:10456
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:10464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        139⤵
        
        PID:10508
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        140⤵
        
        PID:10560
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        140⤵
        
        PID:10576
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        140⤵
        
        PID:10584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        140⤵
        
        PID:10624
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        141⤵
        
        PID:10688
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        141⤵
        Enumerates processes with tasklist
        
        PID:10704
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        141⤵
        
        PID:10712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        141⤵
        
        PID:10756
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        142⤵
        
        PID:10800
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        142⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:10824
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        142⤵
        
        PID:10832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        142⤵
        
        PID:10872
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        143⤵
        
        PID:10924
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        143⤵
        
        PID:10944
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        143⤵
        
        PID:10952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        143⤵
        
        PID:10988
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        144⤵
        
        PID:11040
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        144⤵
        
        PID:11052
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        144⤵
        
        PID:11060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        144⤵
        
        PID:11096
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        145⤵
        Delays execution with timeout.exe
        
        PID:11152
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        145⤵
        Enumerates processes with tasklist
        
        PID:11168
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        145⤵
        
        PID:11176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:11220
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:10260
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        146⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        146⤵
        
        PID:10248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        146⤵
        
        PID:10360
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        147⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        147⤵
        
        PID:10440
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        147⤵
        
        PID:10504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:10464
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        148⤵
        
        PID:10592
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        148⤵
        
        PID:10584
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        148⤵
        
        PID:10640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        148⤵
        
        PID:10744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:10704
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        149⤵
        
        PID:10860
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        149⤵
        
        PID:10828
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        149⤵
        
        PID:10840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:10936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        150⤵
        
        PID:10924
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        150⤵
        
        PID:10964
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        150⤵
        
        PID:11040
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:11076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        150⤵
        
        PID:11060
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        151⤵
        Delays execution with timeout.exe
        
        PID:11200
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        151⤵
        
        PID:11176
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        151⤵
        
        PID:10256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        151⤵
        
        PID:10244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        152⤵
        
        PID:10320
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        152⤵
        Delays execution with timeout.exe
        
        PID:10444
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        152⤵
        Enumerates processes with tasklist
        
        PID:10492
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        152⤵
        
        PID:10484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        152⤵
        
        PID:10292
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        153⤵
        
        PID:10592
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        153⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        153⤵
        
        PID:10700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        153⤵
        
        PID:10748
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:10976
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        154⤵
        Enumerates processes with tasklist
        
        PID:11000
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        154⤵
        
        PID:10964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        154⤵
        
        PID:11056
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        155⤵
        
        PID:11168
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        155⤵
        Enumerates processes with tasklist
        
        PID:452
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        155⤵
        
        PID:10328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        155⤵
        
        PID:264
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        156⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        156⤵
        
        PID:10440
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        156⤵
        
        PID:10476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        156⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        157⤵
        Delays execution with timeout.exe
        
        PID:10644
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        157⤵
        Enumerates processes with tasklist
        
        PID:2664
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        157⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        157⤵
        
        PID:11088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        158⤵
        
        PID:11000
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        158⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4628
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        158⤵
        
        PID:10752
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        158⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        158⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        159⤵
        Delays execution with timeout.exe
        
        PID:10492
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        159⤵
        Enumerates processes with tasklist
        
        PID:6392
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        159⤵
        
        PID:10440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        159⤵
        
        PID:2128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        160⤵
        
        PID:10700
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        160⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        160⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        160⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        160⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        161⤵
        Delays execution with timeout.exe
        
        PID:11232
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        161⤵
        Enumerates processes with tasklist
        
        PID:10328
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        161⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        161⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        162⤵
        
        PID:10476
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        162⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        162⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        162⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        163⤵
        Delays execution with timeout.exe
        
        PID:10952
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        163⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        163⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        163⤵
        
        PID:9084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        164⤵
        
        PID:10260
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        164⤵
        Delays execution with timeout.exe
        
        PID:4100
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        164⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        164⤵
        
        PID:10476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        164⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        165⤵
        
        PID:11052
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        165⤵
        
        PID:8332
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        165⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        165⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        166⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        166⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        166⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        167⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        167⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        167⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        167⤵
        
        PID:1816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        168⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        168⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:8884
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        168⤵
        Enumerates processes with tasklist
        
        PID:2160
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        168⤵
        
        PID:11052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        168⤵
        
        PID:3588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        169⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        169⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        169⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        169⤵
        
        PID:11272
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        170⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:11324
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        170⤵
        
        PID:11340
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        170⤵
        
        PID:11348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        170⤵
        
        PID:11392
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        171⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:11440
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        171⤵
        
        PID:11456
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        171⤵
        
        PID:11464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        171⤵
        
        PID:11512
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        172⤵
        Delays execution with timeout.exe
        
        PID:11600
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        172⤵
        
        PID:11616
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        172⤵
        
        PID:11624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:11660
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        173⤵
        
        PID:11712
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        173⤵
        Enumerates processes with tasklist
        
        PID:11728
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        173⤵
        
        PID:11736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        173⤵
        
        PID:11772
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        174⤵
        Delays execution with timeout.exe
        
        PID:11828
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        174⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:11848
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        174⤵
        
        PID:11856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        174⤵
        
        PID:11896
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        175⤵
        Delays execution with timeout.exe
        
        PID:11952
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        175⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:11968
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        175⤵
        
        PID:11976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        175⤵
        
        PID:12012
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        176⤵
        
        PID:12060
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        176⤵
        
        PID:12076
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        176⤵
        
        PID:12084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        176⤵
        
        PID:12120
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        177⤵
        
        PID:12164
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        177⤵
        
        PID:12180
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        177⤵
        
        PID:12188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        177⤵
        
        PID:12232
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        178⤵
        Delays execution with timeout.exe
        
        PID:12276
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        178⤵
        Enumerates processes with tasklist
        
        PID:4368
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        178⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:11292
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        179⤵
        
        PID:11352
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        179⤵
        
        PID:11340
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        179⤵
        
        PID:11356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        179⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        180⤵
        
        PID:11464
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:11552
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        180⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        180⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        181⤵
        Delays execution with timeout.exe
        
        PID:11628
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        181⤵
        
        PID:11716
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        181⤵
        
        PID:11720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        181⤵
        
        PID:11728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        182⤵
        
        PID:11736
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        182⤵
        
        PID:11840
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        182⤵
        Enumerates processes with tasklist
        
        PID:6036
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        182⤵
        
        PID:11888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        182⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        183⤵
        
        PID:11972
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        183⤵
        
        PID:11992
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        183⤵
        
        PID:11976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        183⤵
        
        PID:12112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        184⤵
        
        PID:12076
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        184⤵
        
        PID:12176
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        184⤵
        
        PID:12220
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        184⤵
        
        PID:12184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        184⤵
        
        PID:12280
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        185⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        185⤵
        Enumerates processes with tasklist
        
        PID:11376
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        185⤵
        
        PID:11380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        185⤵
        
        PID:1136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        186⤵
        
        PID:11348
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        186⤵
        
        PID:9508
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        186⤵
        Enumerates processes with tasklist
        
        PID:11612
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        186⤵
        
        PID:11552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        186⤵
        
        PID:5688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:11628
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        187⤵
        
        PID:11716
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        187⤵
        Enumerates processes with tasklist
        
        PID:5836
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        187⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        187⤵
        
        PID:11880
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        188⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        188⤵
        Enumerates processes with tasklist
        
        PID:12096
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        188⤵
        
        PID:11980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        188⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        189⤵
        
        PID:12192
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        189⤵
        Enumerates processes with tasklist
        
        PID:12204
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        189⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        189⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        190⤵
        Delays execution with timeout.exe
        
        PID:11356
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        190⤵
        
        PID:11608
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        190⤵
        
        PID:9508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        190⤵
        
        PID:5312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:11612
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        191⤵
        
        PID:11716
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        191⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        191⤵
        
        PID:11564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        191⤵
        
        PID:9772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        192⤵
        
        PID:11968
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        192⤵
        Delays execution with timeout.exe
        
        PID:12096
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        192⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        192⤵
        
        PID:12164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        192⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        193⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:11452
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        193⤵
        
        PID:11356
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        193⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        193⤵
        
        PID:9508
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        194⤵
        Delays execution with timeout.exe
        
        PID:11860
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:11828
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        194⤵
        
        PID:11784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        194⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:7120
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        195⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:11452
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:9536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        195⤵
        
        PID:6320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        196⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        196⤵
        Delays execution with timeout.exe
        
        PID:6892
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        196⤵
        
        PID:12188
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        196⤵
        
        PID:12164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        196⤵
        
        PID:9512
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        197⤵
        
        PID:10228
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        197⤵
        Enumerates processes with tasklist
        
        PID:5348
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        197⤵
        
        PID:12068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        197⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        198⤵
        Delays execution with timeout.exe
        
        PID:9564
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq .exe"
        198⤵
        
        PID:11572
        
        C:\Windows\SysWOW64\find.exe
        
        find /i ".exe"
        198⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz"
        198⤵
        
        PID:11624
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6006599339700
        199⤵
        
        PID:5980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5b913150-15db-4550-b431-ec832424ce73.tmp

Filesize
6KB

MD5
bccf5287e2d4a628b50d8bc81ecf399e

SHA1
af1466de9a9971967a14c5ab5420c57562218766

SHA256
518479e51b3e1fdedeb23f13793c164f1ff826e4bc6c18c94b73a7dc19fc171a

SHA512
b339387d45cc5b441ba8c46fae6dfa0a6a52489c05965dfe1be77b8f8af2be9015ae0d479a94020c53242eaa77961d9dd1b6fc72518a34015a6a87531e6aa310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
e48ec14b19e1bb21fec3466a4a18be29

SHA1
a2180c2d52329bd4754efb7ce55564fc88d9dc4a

SHA256
2b4d7776b8756ecf307f2bd77a7c059ad4e7bba7d72eeca7e7fa4f78098a3372

SHA512
09e80935c59bff0c050a802448a8d6e922117e51c21eb8b316f37f226836e02f23b02d033b6f5d8108c7f7040dd7e27a0b83fcf84de4e38f5c029b91e162c12c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
498d5b7627e2d0036b4a472e0273fd55

SHA1
5f2d246ca599c0a651ade79d76f0c0592b374331

SHA256
7833e4188af3feef88bb690955dcd4286c0ee756e5a48125b5b8247b0c7626e9

SHA512
7eea6e524c06319e42402338ffa91cd765845ff4295ccedfae64a1b0b4c8182850e8c1939300fc659162b4224af44858e0e513c050f0c7b102305307ffd9a867

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1cd1114d9a939c27022c1d98c5580512

SHA1
d6a1d5eff815c6d8a82899bccdc5472398631731

SHA256
4d417453fb6b37114dc9d48527056610f78b744833e5a99dfe2be0dc70446631

SHA512
42c2e78b55c369f0a2eaddcaf03ff871c5c40807b3c9db7eb3273df5a2bb75500be5dc6b0437a2c17b4b9a41456191c58f2f3b37e67b7d044a26f48b9aafd6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\tygfdfxxz.bat

Filesize
203B

MD5
b386b46393db2889c175c7f151c31f4e

SHA1
f81767749fdfa585b88e3fc5a80f9b3f65548a45

SHA256
de6ef20799ca9b5fabda14f85284b9602509fbf49c1ba57991e98502f5a558bd

SHA512
e9ac8d8d67add839b9bd13b52faf35ce6ada1e81a299b9b566f6c72e0badd0a4306145d9f5c60cadd500164d5b1e1eac585718b26d87fcb0815d4b486069a430

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
1.6MB

MD5
1c9ff7df71493896054a91bee0322ebf

SHA1
38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

SHA256
e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

SHA512
aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
202KB

MD5
4d85a254fdaf6113c27f454898bc4b43

SHA1
47a9b19a2ad77612e780dd911c408bc89d71c0fe

SHA256
dd2b3eeed29150dada731be3f1b5fb61a23e86917ee129aae3fec2e8fd7b10e3

SHA512
7361dfaf41d3c2d3884e6ee14d9dfd4c987faaa373096be65c211b8f9bbdff548da350e83b81c9fea047056f20c165c114f3eccb0a7b098ccb17eada1ac17bdf

Download Submit
memory/2612-31-0x0000000074E60000-0x0000000075411000-memory.dmp

Filesize
5.7MB

Download
memory/2612-0-0x0000000074E62000-0x0000000074E63000-memory.dmp

Filesize
4KB

Download
memory/2612-4-0x0000000074E60000-0x0000000075411000-memory.dmp

Filesize
5.7MB

Download
memory/2612-3-0x0000000074E62000-0x0000000074E63000-memory.dmp

Filesize
4KB

Download
memory/2612-2-0x0000000074E60000-0x0000000075411000-memory.dmp

Filesize
5.7MB

Download
memory/2612-1-0x0000000074E60000-0x0000000075411000-memory.dmp

Filesize
5.7MB

Download
memory/3912-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4800-18-0x0000000074E60000-0x0000000075411000-memory.dmp

Filesize
5.7MB

Download
memory/4800-29-0x0000000074E60000-0x0000000075411000-memory.dmp

Filesize
5.7MB

Download
memory/4800-24-0x0000000074E60000-0x0000000075411000-memory.dmp

Filesize
5.7MB

Download
memory/4800-23-0x0000000074E60000-0x0000000075411000-memory.dmp

Filesize
5.7MB

Download