Malware Analysis Report

2024-11-30 19:45

Sample ID 220128-ygfyeabhen
Target 8c738710cff8cecb1f2e22c4255764e2288981b1d0d78f1d9afd715ab0188abc
SHA256 8c738710cff8cecb1f2e22c4255764e2288981b1d0d78f1d9afd715ab0188abc
Tags
rms persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8c738710cff8cecb1f2e22c4255764e2288981b1d0d78f1d9afd715ab0188abc

Threat Level: Known bad

The file 8c738710cff8cecb1f2e22c4255764e2288981b1d0d78f1d9afd715ab0188abc was found to be: Known bad.

Malicious Activity Summary

rms persistence rat trojan

RMS

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Enumerates connected drives

Drops file in Windows directory

Enumerates physical storage devices

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Kills process with taskkill

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-28 19:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-28 19:45

Reported

2022-01-28 20:48

Platform

win7-en-20211208

Max time kernel

157s

Max time network

168s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\8c738710cff8cecb1f2e22c4255764e2288981b1d0d78f1d9afd715ab0188abc.msi

Signatures

RMS

trojan rat rms

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\International\Geo\Nation C:\ProgramData\LemonTrack Installer\winserv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\LemonTrack = "C:\\ProgramData\\LemonTrack Installer\\winserv.exe" C:\Windows\SysWOW64\reg.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f76dbde.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76dbe0.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF7E8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76dbe0.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\f76dbde.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF6BE.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\LemonTrack Installer\winserv.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\LemonTrack Installer\winserv.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 524 wrote to memory of 1424 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSIF7E8.tmp
PID 524 wrote to memory of 1424 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSIF7E8.tmp
PID 524 wrote to memory of 1424 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSIF7E8.tmp
PID 524 wrote to memory of 1424 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSIF7E8.tmp
PID 524 wrote to memory of 1424 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSIF7E8.tmp
PID 524 wrote to memory of 1424 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSIF7E8.tmp
PID 524 wrote to memory of 1424 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSIF7E8.tmp
PID 1424 wrote to memory of 832 N/A C:\Windows\Installer\MSIF7E8.tmp C:\Users\Admin\AppData\Local\Temp\exit.exe
PID 1424 wrote to memory of 832 N/A C:\Windows\Installer\MSIF7E8.tmp C:\Users\Admin\AppData\Local\Temp\exit.exe
PID 1424 wrote to memory of 832 N/A C:\Windows\Installer\MSIF7E8.tmp C:\Users\Admin\AppData\Local\Temp\exit.exe
PID 1424 wrote to memory of 832 N/A C:\Windows\Installer\MSIF7E8.tmp C:\Users\Admin\AppData\Local\Temp\exit.exe
PID 1424 wrote to memory of 832 N/A C:\Windows\Installer\MSIF7E8.tmp C:\Users\Admin\AppData\Local\Temp\exit.exe
PID 1424 wrote to memory of 832 N/A C:\Windows\Installer\MSIF7E8.tmp C:\Users\Admin\AppData\Local\Temp\exit.exe
PID 1424 wrote to memory of 832 N/A C:\Windows\Installer\MSIF7E8.tmp C:\Users\Admin\AppData\Local\Temp\exit.exe
PID 832 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 832 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 832 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 832 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 832 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 832 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 832 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 1076 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1076 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1076 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1076 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1076 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1076 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1076 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1076 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1076 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1076 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1076 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1076 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1076 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1076 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1076 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\uninstall.exe
PID 1076 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\uninstall.exe
PID 1076 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\uninstall.exe
PID 1076 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\uninstall.exe
PID 1076 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\uninstall.exe
PID 1076 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\uninstall.exe
PID 1076 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\uninstall.exe
PID 1480 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\uninstall.exe C:\ProgramData\LemonTrack Installer\exit.exe
PID 1480 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\uninstall.exe C:\ProgramData\LemonTrack Installer\exit.exe
PID 1480 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\uninstall.exe C:\ProgramData\LemonTrack Installer\exit.exe
PID 1480 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\uninstall.exe C:\ProgramData\LemonTrack Installer\exit.exe
PID 1480 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\uninstall.exe C:\ProgramData\LemonTrack Installer\exit.exe
PID 1480 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\uninstall.exe C:\ProgramData\LemonTrack Installer\exit.exe
PID 1480 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\uninstall.exe C:\ProgramData\LemonTrack Installer\exit.exe
PID 1232 wrote to memory of 912 N/A C:\ProgramData\LemonTrack Installer\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 912 N/A C:\ProgramData\LemonTrack Installer\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 912 N/A C:\ProgramData\LemonTrack Installer\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 912 N/A C:\ProgramData\LemonTrack Installer\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 912 N/A C:\ProgramData\LemonTrack Installer\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 912 N/A C:\ProgramData\LemonTrack Installer\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 912 N/A C:\ProgramData\LemonTrack Installer\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 912 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 912 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 912 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 912 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 912 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 912 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 912 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 912 wrote to memory of 276 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\LemonTrack Installer\winserv.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\8c738710cff8cecb1f2e22c4255764e2288981b1d0d78f1d9afd715ab0188abc.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot14" "" "" "60919e20f" "0000000000000000" "0000000000000560" "00000000000003B8"

C:\Windows\Installer\MSIF7E8.tmp

"C:\Windows\Installer\MSIF7E8.tmp"

C:\Users\Admin\AppData\Local\Temp\exit.exe

"C:\Users\Admin\AppData\Local\Temp\exit.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c i.cmd

C:\Windows\SysWOW64\PING.EXE

ping www.cloudflare.com -n 3 -w 3000

C:\Windows\SysWOW64\PING.EXE

ping www.cloudflare.com -n 3 -w 1000

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

uninstall.exe x -p3KPnoNJ3ReME4bEU5W9APkKS5ErkR3tNRT -y

C:\ProgramData\LemonTrack Installer\exit.exe

"C:\ProgramData\LemonTrack Installer\exit.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c i.cmd

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "LemonTrack" /t REG_SZ /d "C:\ProgramData\LemonTrack Installer\winserv.exe"

C:\ProgramData\LemonTrack Installer\winserv.exe

"C:\ProgramData\LemonTrack Installer\winserv.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\ProgramData\LemonTrack Installer\winserv.exe

"C:\ProgramData\LemonTrack Installer\winserv.exe" -second

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.cloudflare.com udp
DE 159.69.48.50:5655 tcp
DE 159.69.48.50:5655 tcp
DE 159.69.48.50:5655 tcp
DE 159.69.48.50:5655 tcp
DE 159.69.48.50:5655 tcp
DE 159.69.48.50:5655 tcp
DE 159.69.48.50:5655 tcp
DE 159.69.48.50:5655 tcp
DE 159.69.48.50:5655 tcp

Files

memory/940-54-0x000007FEFBE11000-0x000007FEFBE13000-memory.dmp

C:\Windows\Installer\MSIF7E8.tmp

MD5 0d3e25085527df0160893fdaa00f6565
SHA1 69f308a428c1e96f9a06dd33e21ff4dc13bdc865
SHA256 f74bedcb4ac33f7343fbbabec0f636b887d92c06e156ac765f345732cf6cbce8
SHA512 72a957c33fc434a99be40fe74220a83564565dec727f97c51f1a0b15736ebc193c3194c1f028053df393006e9c68eb61e973b17d8718a0941874dcd78b728bed

memory/1424-57-0x0000000076121000-0x0000000076123000-memory.dmp

C:\Windows\Installer\MSIF7E8.tmp

MD5 0d3e25085527df0160893fdaa00f6565
SHA1 69f308a428c1e96f9a06dd33e21ff4dc13bdc865
SHA256 f74bedcb4ac33f7343fbbabec0f636b887d92c06e156ac765f345732cf6cbce8
SHA512 72a957c33fc434a99be40fe74220a83564565dec727f97c51f1a0b15736ebc193c3194c1f028053df393006e9c68eb61e973b17d8718a0941874dcd78b728bed

\Users\Admin\AppData\Local\Temp\exit.exe

MD5 d2f314f78d0ac5a5c5dbd119a41bad5a
SHA1 49415ae9a0f85699349f13c95cb4fd3ce0eaf932
SHA256 cc81dd1eba5b887d09b0eecb8443916dea82dc58e1cf847f1653413fb804210c
SHA512 42cdb86ebd0e1ef75d9527ee946d43e87abda73f3480e04ef90efb8fbcc7db0b2d29b366fb8715b1cb19896a35dc0dae1a05a23b91032923fbd52ce193c72c5b

\Users\Admin\AppData\Local\Temp\exit.exe

MD5 d2f314f78d0ac5a5c5dbd119a41bad5a
SHA1 49415ae9a0f85699349f13c95cb4fd3ce0eaf932
SHA256 cc81dd1eba5b887d09b0eecb8443916dea82dc58e1cf847f1653413fb804210c
SHA512 42cdb86ebd0e1ef75d9527ee946d43e87abda73f3480e04ef90efb8fbcc7db0b2d29b366fb8715b1cb19896a35dc0dae1a05a23b91032923fbd52ce193c72c5b

\Users\Admin\AppData\Local\Temp\exit.exe

MD5 d2f314f78d0ac5a5c5dbd119a41bad5a
SHA1 49415ae9a0f85699349f13c95cb4fd3ce0eaf932
SHA256 cc81dd1eba5b887d09b0eecb8443916dea82dc58e1cf847f1653413fb804210c
SHA512 42cdb86ebd0e1ef75d9527ee946d43e87abda73f3480e04ef90efb8fbcc7db0b2d29b366fb8715b1cb19896a35dc0dae1a05a23b91032923fbd52ce193c72c5b

\Users\Admin\AppData\Local\Temp\exit.exe

MD5 d2f314f78d0ac5a5c5dbd119a41bad5a
SHA1 49415ae9a0f85699349f13c95cb4fd3ce0eaf932
SHA256 cc81dd1eba5b887d09b0eecb8443916dea82dc58e1cf847f1653413fb804210c
SHA512 42cdb86ebd0e1ef75d9527ee946d43e87abda73f3480e04ef90efb8fbcc7db0b2d29b366fb8715b1cb19896a35dc0dae1a05a23b91032923fbd52ce193c72c5b

C:\Users\Admin\AppData\Local\Temp\exit.exe

MD5 d2f314f78d0ac5a5c5dbd119a41bad5a
SHA1 49415ae9a0f85699349f13c95cb4fd3ce0eaf932
SHA256 cc81dd1eba5b887d09b0eecb8443916dea82dc58e1cf847f1653413fb804210c
SHA512 42cdb86ebd0e1ef75d9527ee946d43e87abda73f3480e04ef90efb8fbcc7db0b2d29b366fb8715b1cb19896a35dc0dae1a05a23b91032923fbd52ce193c72c5b

C:\Users\Admin\AppData\Local\Temp\i.cmd

MD5 fa86bc267e82d0e76651a617cdde2462
SHA1 3d3b1d6c458d2b605b1e3c8996c882ff1eeaf969
SHA256 59d825f5965b4cfecdc67f6afec973d41b5fb2ee3f2c2fe5575b5cca4eddbf1d
SHA512 373b81863e1b31382841755f5cdf5670219d0b6e3868d29e4233ef4e468262a78ba12a7132a33bebccb934eac136f149bfd851470f0e208d57aba5d7b2523e5d

C:\Users\Admin\AppData\Local\Temp\kernel.dll

MD5 573a2619af8c3de0c3f376d8b100db69
SHA1 073dc2aa93fcd1902fb2d823e673b64cac6fd8de
SHA256 17b20aa770ccf250b5aded470fbbaa329856543022ba21f993d5fa02ebb670c7
SHA512 c7cbcd95398a2ce1ee77106d76079101a7af05ddaefed1076db76b64a38488d32cef0e0b2eb1c8cc63b9fb75d24a0756c1af8ae7ec8ce57e21d03da42305cb53

\Users\Admin\AppData\Local\Temp\uninstall.exe

MD5 573a2619af8c3de0c3f376d8b100db69
SHA1 073dc2aa93fcd1902fb2d823e673b64cac6fd8de
SHA256 17b20aa770ccf250b5aded470fbbaa329856543022ba21f993d5fa02ebb670c7
SHA512 c7cbcd95398a2ce1ee77106d76079101a7af05ddaefed1076db76b64a38488d32cef0e0b2eb1c8cc63b9fb75d24a0756c1af8ae7ec8ce57e21d03da42305cb53

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

MD5 573a2619af8c3de0c3f376d8b100db69
SHA1 073dc2aa93fcd1902fb2d823e673b64cac6fd8de
SHA256 17b20aa770ccf250b5aded470fbbaa329856543022ba21f993d5fa02ebb670c7
SHA512 c7cbcd95398a2ce1ee77106d76079101a7af05ddaefed1076db76b64a38488d32cef0e0b2eb1c8cc63b9fb75d24a0756c1af8ae7ec8ce57e21d03da42305cb53

\ProgramData\LemonTrack Installer\exit.exe

MD5 d2f314f78d0ac5a5c5dbd119a41bad5a
SHA1 49415ae9a0f85699349f13c95cb4fd3ce0eaf932
SHA256 cc81dd1eba5b887d09b0eecb8443916dea82dc58e1cf847f1653413fb804210c
SHA512 42cdb86ebd0e1ef75d9527ee946d43e87abda73f3480e04ef90efb8fbcc7db0b2d29b366fb8715b1cb19896a35dc0dae1a05a23b91032923fbd52ce193c72c5b

\ProgramData\LemonTrack Installer\exit.exe

MD5 d2f314f78d0ac5a5c5dbd119a41bad5a
SHA1 49415ae9a0f85699349f13c95cb4fd3ce0eaf932
SHA256 cc81dd1eba5b887d09b0eecb8443916dea82dc58e1cf847f1653413fb804210c
SHA512 42cdb86ebd0e1ef75d9527ee946d43e87abda73f3480e04ef90efb8fbcc7db0b2d29b366fb8715b1cb19896a35dc0dae1a05a23b91032923fbd52ce193c72c5b

\ProgramData\LemonTrack Installer\exit.exe

MD5 d2f314f78d0ac5a5c5dbd119a41bad5a
SHA1 49415ae9a0f85699349f13c95cb4fd3ce0eaf932
SHA256 cc81dd1eba5b887d09b0eecb8443916dea82dc58e1cf847f1653413fb804210c
SHA512 42cdb86ebd0e1ef75d9527ee946d43e87abda73f3480e04ef90efb8fbcc7db0b2d29b366fb8715b1cb19896a35dc0dae1a05a23b91032923fbd52ce193c72c5b

\ProgramData\LemonTrack Installer\exit.exe

MD5 d2f314f78d0ac5a5c5dbd119a41bad5a
SHA1 49415ae9a0f85699349f13c95cb4fd3ce0eaf932
SHA256 cc81dd1eba5b887d09b0eecb8443916dea82dc58e1cf847f1653413fb804210c
SHA512 42cdb86ebd0e1ef75d9527ee946d43e87abda73f3480e04ef90efb8fbcc7db0b2d29b366fb8715b1cb19896a35dc0dae1a05a23b91032923fbd52ce193c72c5b

C:\ProgramData\LemonTrack Installer\exit.exe

MD5 d2f314f78d0ac5a5c5dbd119a41bad5a
SHA1 49415ae9a0f85699349f13c95cb4fd3ce0eaf932
SHA256 cc81dd1eba5b887d09b0eecb8443916dea82dc58e1cf847f1653413fb804210c
SHA512 42cdb86ebd0e1ef75d9527ee946d43e87abda73f3480e04ef90efb8fbcc7db0b2d29b366fb8715b1cb19896a35dc0dae1a05a23b91032923fbd52ce193c72c5b

C:\ProgramData\LemonTrack Installer\i.cmd

MD5 fc3190637744ffbc13dd3a43c49f2acb
SHA1 cb8f1f1036839ea85086d7d9849a98587bdc33e2
SHA256 ea9a0f4ec69452e85dad7d18396d5471e8edc4109e5ce2e4602a6fa097c466f2
SHA512 ed1bd58ac2d4252e0d78376eb31b066819b6efdd2a91b3ff0fa6c4e86f2b5858de3108b40d810c1163116f5866c6ae2c6d27998717d82a636b4587c802763dd0

\ProgramData\LemonTrack Installer\winserv.exe

MD5 cf2ab077a46219b6ce4a53517dd489ea
SHA1 651b8d1377910e4728e85dcd231e269313ab9e1d
SHA256 609b0a416f9b16a6df9b967dc32cd739402af31566e019a8fb8abdf3cb573e30
SHA512 53fb1ac822467168ea8e7abdd72c78cdd90070b10773ce8c700c6784ab4cc3a03eb53887d158ce3a27779a5fbcf3300d2ccbedab79a34bfd42ddc91f68dbdad7

C:\ProgramData\LemonTrack Installer\winserv.exe

MD5 cf2ab077a46219b6ce4a53517dd489ea
SHA1 651b8d1377910e4728e85dcd231e269313ab9e1d
SHA256 609b0a416f9b16a6df9b967dc32cd739402af31566e019a8fb8abdf3cb573e30
SHA512 53fb1ac822467168ea8e7abdd72c78cdd90070b10773ce8c700c6784ab4cc3a03eb53887d158ce3a27779a5fbcf3300d2ccbedab79a34bfd42ddc91f68dbdad7

C:\ProgramData\LemonTrack Installer\winserv.exe

MD5 cf2ab077a46219b6ce4a53517dd489ea
SHA1 651b8d1377910e4728e85dcd231e269313ab9e1d
SHA256 609b0a416f9b16a6df9b967dc32cd739402af31566e019a8fb8abdf3cb573e30
SHA512 53fb1ac822467168ea8e7abdd72c78cdd90070b10773ce8c700c6784ab4cc3a03eb53887d158ce3a27779a5fbcf3300d2ccbedab79a34bfd42ddc91f68dbdad7

memory/276-87-0x0000000000400000-0x0000000000E2B000-memory.dmp

memory/276-88-0x00000000002D0000-0x00000000002D1000-memory.dmp

memory/276-89-0x0000000002A70000-0x0000000002A71000-memory.dmp

C:\ProgramData\LemonTrack Installer\winserv.exe

MD5 cf2ab077a46219b6ce4a53517dd489ea
SHA1 651b8d1377910e4728e85dcd231e269313ab9e1d
SHA256 609b0a416f9b16a6df9b967dc32cd739402af31566e019a8fb8abdf3cb573e30
SHA512 53fb1ac822467168ea8e7abdd72c78cdd90070b10773ce8c700c6784ab4cc3a03eb53887d158ce3a27779a5fbcf3300d2ccbedab79a34bfd42ddc91f68dbdad7

memory/1676-94-0x0000000000270000-0x0000000000271000-memory.dmp

C:\ProgramData\LemonTrack Installer\settings.dat

MD5 a5716c3550a2e7d88cc7973657ad4216
SHA1 ecb98f8414278710642c408966816a8df4375631
SHA256 f4cd8c0da6b2da44c43ec5c9a35155f0b47a2636954cb0329c8c14d66f4ecd5e
SHA512 65c433cd50fa8287dcd49cc49283fc5bf849f94cffbe67e78193eef9127b1899f2cff2d68a950d077e998b2a6f02f910efe7fa38f9a2eacffe4fa6f48b72a41b

memory/1676-105-0x0000000002710000-0x0000000002910000-memory.dmp

memory/1676-106-0x0000000002710000-0x0000000002910000-memory.dmp

memory/1676-107-0x0000000002710000-0x0000000002BE0000-memory.dmp

memory/1676-108-0x0000000002710000-0x0000000002BE0000-memory.dmp

memory/1676-109-0x0000000002710000-0x0000000002BE0000-memory.dmp

memory/1676-111-0x0000000004F20000-0x0000000004F21000-memory.dmp

memory/1676-110-0x0000000002710000-0x0000000002BE0000-memory.dmp

memory/1676-112-0x0000000005540000-0x0000000005541000-memory.dmp

memory/1676-113-0x0000000002710000-0x0000000002BE0000-memory.dmp

memory/1676-116-0x0000000005590000-0x0000000005591000-memory.dmp

memory/1676-117-0x0000000005630000-0x0000000005631000-memory.dmp

memory/1676-115-0x0000000004F70000-0x0000000005080000-memory.dmp

memory/1676-119-0x00000000065A0000-0x00000000066FC000-memory.dmp

memory/1676-118-0x00000000059F0000-0x00000000059F1000-memory.dmp

memory/1676-120-0x00000000065A0000-0x00000000066FC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-28 19:45

Reported

2022-01-28 20:48

Platform

win10-en-20211208

Max time kernel

159s

Max time network

163s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\8c738710cff8cecb1f2e22c4255764e2288981b1d0d78f1d9afd715ab0188abc.msi

Signatures

RMS

trojan rat rms

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\International\Geo\Nation C:\ProgramData\LemonTrack Installer\winserv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\LemonTrack = "C:\\ProgramData\\LemonTrack Installer\\winserv.exe" C:\Windows\SysWOW64\reg.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2C66.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2E1E.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f771c59.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f771c59.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 \??\c:\windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A \??\c:\windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A \??\c:\windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 \??\c:\windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg \??\c:\windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 \??\c:\windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 \??\c:\windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 \??\c:\windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 \??\c:\windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A \??\c:\windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 \??\c:\windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 \??\c:\windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc \??\c:\windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A \??\c:\windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 \??\c:\windows\system32\svchost.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections \??\c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache \??\c:\windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\ProgramData\LemonTrack Installer\winserv.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall" C:\ProgramData\LemonTrack Installer\winserv.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\LemonTrack Installer\winserv.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3164 wrote to memory of 1752 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 3164 wrote to memory of 1752 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 3164 wrote to memory of 756 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI2E1E.tmp
PID 3164 wrote to memory of 756 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI2E1E.tmp
PID 3164 wrote to memory of 756 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI2E1E.tmp
PID 756 wrote to memory of 2276 N/A C:\Windows\Installer\MSI2E1E.tmp C:\Users\Admin\AppData\Local\Temp\exit.exe
PID 756 wrote to memory of 2276 N/A C:\Windows\Installer\MSI2E1E.tmp C:\Users\Admin\AppData\Local\Temp\exit.exe
PID 756 wrote to memory of 2276 N/A C:\Windows\Installer\MSI2E1E.tmp C:\Users\Admin\AppData\Local\Temp\exit.exe
PID 2276 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 2276 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 2276 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 2984 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2984 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2984 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2984 wrote to memory of 1776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2984 wrote to memory of 1776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2984 wrote to memory of 1776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2984 wrote to memory of 692 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\uninstall.exe
PID 2984 wrote to memory of 692 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\uninstall.exe
PID 2984 wrote to memory of 692 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\uninstall.exe
PID 692 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\uninstall.exe C:\ProgramData\LemonTrack Installer\exit.exe
PID 692 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\uninstall.exe C:\ProgramData\LemonTrack Installer\exit.exe
PID 692 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\uninstall.exe C:\ProgramData\LemonTrack Installer\exit.exe
PID 3196 wrote to memory of 1828 N/A C:\ProgramData\LemonTrack Installer\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 3196 wrote to memory of 1828 N/A C:\ProgramData\LemonTrack Installer\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 3196 wrote to memory of 1828 N/A C:\ProgramData\LemonTrack Installer\exit.exe C:\Windows\SysWOW64\cmd.exe
PID 1828 wrote to memory of 1776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1828 wrote to memory of 1776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1828 wrote to memory of 1776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1828 wrote to memory of 1868 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\LemonTrack Installer\winserv.exe
PID 1828 wrote to memory of 1868 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\LemonTrack Installer\winserv.exe
PID 1828 wrote to memory of 1868 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\LemonTrack Installer\winserv.exe
PID 1828 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 1140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 1140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 1140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 3568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 3568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 3568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 1040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 1040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 1040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 1908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 1908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 1908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1828 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\8c738710cff8cecb1f2e22c4255764e2288981b1d0d78f1d9afd715ab0188abc.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\Installer\MSI2E1E.tmp

"C:\Windows\Installer\MSI2E1E.tmp"

C:\Users\Admin\AppData\Local\Temp\exit.exe

"C:\Users\Admin\AppData\Local\Temp\exit.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c i.cmd

C:\Windows\SysWOW64\PING.EXE

ping www.cloudflare.com -n 3 -w 3000

C:\Windows\SysWOW64\PING.EXE

ping www.cloudflare.com -n 3 -w 1000

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

uninstall.exe x -p3KPnoNJ3ReME4bEU5W9APkKS5ErkR3tNRT -y

C:\ProgramData\LemonTrack Installer\exit.exe

"C:\ProgramData\LemonTrack Installer\exit.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c i.cmd

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "LemonTrack" /t REG_SZ /d "C:\ProgramData\LemonTrack Installer\winserv.exe"

C:\ProgramData\LemonTrack Installer\winserv.exe

"C:\ProgramData\LemonTrack Installer\winserv.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\ProgramData\LemonTrack Installer\winserv.exe

"C:\ProgramData\LemonTrack Installer\winserv.exe" -second

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "rundll32.exe"

Network

Country Destination Domain Proto
FR 2.18.105.186:80 go.microsoft.com tcp
US 8.8.8.8:53 dmd.metaservices.microsoft.com udp
NL 20.86.173.234:80 dmd.metaservices.microsoft.com tcp
FR 2.18.105.186:80 go.microsoft.com tcp
FR 2.18.105.186:80 go.microsoft.com tcp
FR 2.18.105.186:80 go.microsoft.com tcp
US 8.8.8.8:53 www.cloudflare.com udp
DE 159.69.48.50:5655 tcp
DE 159.69.48.50:5655 tcp
DE 159.69.48.50:5655 tcp
DE 159.69.48.50:5655 tcp
DE 159.69.48.50:5655 tcp
DE 159.69.48.50:5655 tcp
DE 159.69.48.50:5655 tcp
DE 159.69.48.50:5655 tcp

Files

C:\Windows\Installer\MSI2E1E.tmp

MD5 0d3e25085527df0160893fdaa00f6565
SHA1 69f308a428c1e96f9a06dd33e21ff4dc13bdc865
SHA256 f74bedcb4ac33f7343fbbabec0f636b887d92c06e156ac765f345732cf6cbce8
SHA512 72a957c33fc434a99be40fe74220a83564565dec727f97c51f1a0b15736ebc193c3194c1f028053df393006e9c68eb61e973b17d8718a0941874dcd78b728bed

C:\Windows\Installer\MSI2E1E.tmp

MD5 0d3e25085527df0160893fdaa00f6565
SHA1 69f308a428c1e96f9a06dd33e21ff4dc13bdc865
SHA256 f74bedcb4ac33f7343fbbabec0f636b887d92c06e156ac765f345732cf6cbce8
SHA512 72a957c33fc434a99be40fe74220a83564565dec727f97c51f1a0b15736ebc193c3194c1f028053df393006e9c68eb61e973b17d8718a0941874dcd78b728bed

C:\Users\Admin\AppData\Local\Temp\exit.exe

MD5 d2f314f78d0ac5a5c5dbd119a41bad5a
SHA1 49415ae9a0f85699349f13c95cb4fd3ce0eaf932
SHA256 cc81dd1eba5b887d09b0eecb8443916dea82dc58e1cf847f1653413fb804210c
SHA512 42cdb86ebd0e1ef75d9527ee946d43e87abda73f3480e04ef90efb8fbcc7db0b2d29b366fb8715b1cb19896a35dc0dae1a05a23b91032923fbd52ce193c72c5b

C:\Users\Admin\AppData\Local\Temp\exit.exe

MD5 d2f314f78d0ac5a5c5dbd119a41bad5a
SHA1 49415ae9a0f85699349f13c95cb4fd3ce0eaf932
SHA256 cc81dd1eba5b887d09b0eecb8443916dea82dc58e1cf847f1653413fb804210c
SHA512 42cdb86ebd0e1ef75d9527ee946d43e87abda73f3480e04ef90efb8fbcc7db0b2d29b366fb8715b1cb19896a35dc0dae1a05a23b91032923fbd52ce193c72c5b

C:\Users\Admin\AppData\Local\Temp\i.cmd

MD5 fa86bc267e82d0e76651a617cdde2462
SHA1 3d3b1d6c458d2b605b1e3c8996c882ff1eeaf969
SHA256 59d825f5965b4cfecdc67f6afec973d41b5fb2ee3f2c2fe5575b5cca4eddbf1d
SHA512 373b81863e1b31382841755f5cdf5670219d0b6e3868d29e4233ef4e468262a78ba12a7132a33bebccb934eac136f149bfd851470f0e208d57aba5d7b2523e5d

\??\Volume{2b67a87f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{063229d3-8fe6-4657-8e25-7e6713018296}_OnDiskSnapshotProp

MD5 d834d880cfe91d0784cc0300ee849f9a
SHA1 0e1fe9f1310e8248e28e555a76e0c86870ca32d0
SHA256 aa623bd1ad1e86960ab237b957d086d3f1e4cf4cf0371ffe7f620b73a99d5b9c
SHA512 2579ddac759b41089b8b1c7908f7f16615853dc7e917e9b592a7e6d816f50af61cbe98421bed321924d76f9f7da9bd434d74aaa0307d16494e37c9041c4c176b

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 0ae1e2abd1e3eb6fcfbe1751fcf8b56f
SHA1 7a5e0e16f595031652ce12b2967a916e2c2e34fe
SHA256 0a5cd53e3fb9059a5686f7567cd3c9c56ff74efbb9933d7752bc98f61bba9155
SHA512 16202320c7f2b2177982a5959643ec7c4ee718d1c20340861b6295c6c721d43614caf8da07b3d9c4ef71e62320f88bf6036a97cfc2d7805fac3146d16516ec64

C:\Users\Admin\AppData\Local\Temp\kernel.dll

MD5 573a2619af8c3de0c3f376d8b100db69
SHA1 073dc2aa93fcd1902fb2d823e673b64cac6fd8de
SHA256 17b20aa770ccf250b5aded470fbbaa329856543022ba21f993d5fa02ebb670c7
SHA512 c7cbcd95398a2ce1ee77106d76079101a7af05ddaefed1076db76b64a38488d32cef0e0b2eb1c8cc63b9fb75d24a0756c1af8ae7ec8ce57e21d03da42305cb53

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

MD5 573a2619af8c3de0c3f376d8b100db69
SHA1 073dc2aa93fcd1902fb2d823e673b64cac6fd8de
SHA256 17b20aa770ccf250b5aded470fbbaa329856543022ba21f993d5fa02ebb670c7
SHA512 c7cbcd95398a2ce1ee77106d76079101a7af05ddaefed1076db76b64a38488d32cef0e0b2eb1c8cc63b9fb75d24a0756c1af8ae7ec8ce57e21d03da42305cb53

C:\ProgramData\LemonTrack Installer\exit.exe

MD5 d2f314f78d0ac5a5c5dbd119a41bad5a
SHA1 49415ae9a0f85699349f13c95cb4fd3ce0eaf932
SHA256 cc81dd1eba5b887d09b0eecb8443916dea82dc58e1cf847f1653413fb804210c
SHA512 42cdb86ebd0e1ef75d9527ee946d43e87abda73f3480e04ef90efb8fbcc7db0b2d29b366fb8715b1cb19896a35dc0dae1a05a23b91032923fbd52ce193c72c5b

C:\ProgramData\LemonTrack Installer\exit.exe

MD5 d2f314f78d0ac5a5c5dbd119a41bad5a
SHA1 49415ae9a0f85699349f13c95cb4fd3ce0eaf932
SHA256 cc81dd1eba5b887d09b0eecb8443916dea82dc58e1cf847f1653413fb804210c
SHA512 42cdb86ebd0e1ef75d9527ee946d43e87abda73f3480e04ef90efb8fbcc7db0b2d29b366fb8715b1cb19896a35dc0dae1a05a23b91032923fbd52ce193c72c5b

C:\ProgramData\LemonTrack Installer\i.cmd

MD5 fc3190637744ffbc13dd3a43c49f2acb
SHA1 cb8f1f1036839ea85086d7d9849a98587bdc33e2
SHA256 ea9a0f4ec69452e85dad7d18396d5471e8edc4109e5ce2e4602a6fa097c466f2
SHA512 ed1bd58ac2d4252e0d78376eb31b066819b6efdd2a91b3ff0fa6c4e86f2b5858de3108b40d810c1163116f5866c6ae2c6d27998717d82a636b4587c802763dd0

C:\ProgramData\LemonTrack Installer\winserv.exe

MD5 cf2ab077a46219b6ce4a53517dd489ea
SHA1 651b8d1377910e4728e85dcd231e269313ab9e1d
SHA256 609b0a416f9b16a6df9b967dc32cd739402af31566e019a8fb8abdf3cb573e30
SHA512 53fb1ac822467168ea8e7abdd72c78cdd90070b10773ce8c700c6784ab4cc3a03eb53887d158ce3a27779a5fbcf3300d2ccbedab79a34bfd42ddc91f68dbdad7

C:\ProgramData\LemonTrack Installer\winserv.exe

MD5 cf2ab077a46219b6ce4a53517dd489ea
SHA1 651b8d1377910e4728e85dcd231e269313ab9e1d
SHA256 609b0a416f9b16a6df9b967dc32cd739402af31566e019a8fb8abdf3cb573e30
SHA512 53fb1ac822467168ea8e7abdd72c78cdd90070b10773ce8c700c6784ab4cc3a03eb53887d158ce3a27779a5fbcf3300d2ccbedab79a34bfd42ddc91f68dbdad7

C:\ProgramData\LemonTrack Installer\winserv.exe

MD5 cf2ab077a46219b6ce4a53517dd489ea
SHA1 651b8d1377910e4728e85dcd231e269313ab9e1d
SHA256 609b0a416f9b16a6df9b967dc32cd739402af31566e019a8fb8abdf3cb573e30
SHA512 53fb1ac822467168ea8e7abdd72c78cdd90070b10773ce8c700c6784ab4cc3a03eb53887d158ce3a27779a5fbcf3300d2ccbedab79a34bfd42ddc91f68dbdad7

memory/1868-489-0x0000000004650000-0x0000000004651000-memory.dmp

memory/1868-490-0x00000000046D0000-0x00000000046D1000-memory.dmp

memory/1088-491-0x0000000004510000-0x0000000004511000-memory.dmp

C:\ProgramData\LemonTrack Installer\settings.dat

MD5 a5716c3550a2e7d88cc7973657ad4216
SHA1 ecb98f8414278710642c408966816a8df4375631
SHA256 f4cd8c0da6b2da44c43ec5c9a35155f0b47a2636954cb0329c8c14d66f4ecd5e
SHA512 65c433cd50fa8287dcd49cc49283fc5bf849f94cffbe67e78193eef9127b1899f2cff2d68a950d077e998b2a6f02f910efe7fa38f9a2eacffe4fa6f48b72a41b

memory/1088-499-0x0000000004990000-0x0000000004991000-memory.dmp

memory/1088-502-0x00000000052B0000-0x00000000052B1000-memory.dmp

memory/1088-501-0x0000000005160000-0x0000000005161000-memory.dmp

memory/1088-500-0x00000000049A0000-0x00000000049A1000-memory.dmp

memory/1088-498-0x0000000004840000-0x0000000004841000-memory.dmp

memory/1088-503-0x0000000004960000-0x0000000004961000-memory.dmp

memory/1088-504-0x0000000004980000-0x0000000004981000-memory.dmp

memory/1088-505-0x0000000005640000-0x0000000005641000-memory.dmp

memory/1088-506-0x0000000005790000-0x0000000005791000-memory.dmp

memory/1088-507-0x0000000006F10000-0x0000000006F11000-memory.dmp

memory/1088-508-0x0000000007110000-0x0000000007111000-memory.dmp

memory/1088-509-0x00000000073A0000-0x0000000007471000-memory.dmp

memory/1088-510-0x00000000074F0000-0x00000000074F1000-memory.dmp