4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

Resubmissions

24-02-2022 16:15

220224-tql4kadcf3 10

24-02-2022 03:08

220224-dmw7csbgg3 10

Analysis

max time kernel
4294180s
max time network
131s
platform
windows7_x64
resource
win7-20220223-en
submitted
24-02-2022 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43564aa0-94f8-11ec-9d1d-005056a01a83.exe
Size

3.1MB
MD5

d5d2c4ac6c724cd63b69ca054713e278
SHA1

f32d791ec9e6385a91b45942c230f52aff1626df
SHA256

4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382
SHA512

9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\read_me.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> </head> <body> "The only thing that we learn from new elections is we learned nothing from the old!" <hr> <hr> Thank you for your vote! All your files, documents, photoes, videos, databases etc. have been successfully encrypted! Now your computer has a special ID: 012426d0-951f-11ec-ba62-4ea9000dfafc <hr> Do not try to decrypt then by yourself - it's impossible! It's just a business and we care only about getting benefits. The only way to get your files back is to contact us and get further instuctions. To prove that we have a decryptor send us any encrypted file (less than 650 kbytes) and we'll send you it back being decrypted. This is our guarantee. NOTE: Do not send file with sensitive content. In the email write us your computer's special ID (mentioned above). <hr> <hr> So if you want to get your files back contact us: 1) [email protected] 2) [email protected] - if we dont't answer you during 3 days <hr> Have a nice day! </body> </html>

Emails

[email protected]

Signatures

Executes dropped EXE 64 IoCs

Processes:

01371290-951f-11ec-ba64-4ea9000dfafc.exe012a6860-951f-11ec-ba62-4ea9000dfafc.exe0128e1c0-951f-11ec-ba62-4ea9000dfafc.exe01314630-951f-11ec-ba64-4ea9000dfafc.execmd.exe013ba670-951f-11ec-ba67-4ea9000dfafc.exe012add90-951f-11ec-ba62-4ea9000dfafc.exe0130f810-951f-11ec-ba64-4ea9000dfafc.execmd.execmd.exe012e11e0-951f-11ec-ba63-4ea9000dfafc.exe013eb3b0-951f-11ec-ba67-4ea9000dfafc.exe0142ab50-951f-11ec-ba76-4ea9000dfafc.exe013b5850-951f-11ec-ba67-4ea9000dfafc.exe012e11e0-951f-11ec-ba62-4ea9000dfafc.exe0142ab50-951f-11ec-ba77-4ea9000dfafc.exe014395b0-951f-11ec-ba87-4ea9000dfafc.exe0142ab50-951f-11ec-ba80-4ea9000dfafc.exe0147db70-951f-11ec-ba8f-4ea9000dfafc.exe015e2290-951f-11ec-bb6c-4ea9000dfafc.exe012a8f70-951f-11ec-ba62-4ea9000dfafc.exe014dcee0-951f-11ec-badf-4ea9000dfafc.exe015e49a0-951f-11ec-bb7e-4ea9000dfafc.exe014d80c0-951f-11ec-badb-4ea9000dfafc.exe014bac00-951f-11ec-babe-4ea9000dfafc.exe0153c250-951f-11ec-bb1d-4ea9000dfafc.exe0158cb60-951f-11ec-bb3e-4ea9000dfafc.exe012a4150-951f-11ec-ba62-4ea9000dfafc.exe0159b5c0-951f-11ec-bb4c-4ea9000dfafc.exe01568170-951f-11ec-bb35-4ea9000dfafc.exe014ff1c0-951f-11ec-bafd-4ea9000dfafc.exe015e49a0-951f-11ec-bb86-4ea9000dfafc.exe0149d740-951f-11ec-baa7-4ea9000dfafc.exe0149fe50-951f-11ec-baa8-4ea9000dfafc.exe0157e100-951f-11ec-bb36-4ea9000dfafc.exe014bd310-951f-11ec-babe-4ea9000dfafc.exe015d3830-951f-11ec-bb63-4ea9000dfafc.exe014bfa20-951f-11ec-babf-4ea9000dfafc.exe014b5de0-951f-11ec-bab6-4ea9000dfafc.exe015aa020-951f-11ec-bb51-4ea9000dfafc.exe0160baa0-951f-11ec-bb96-4ea9000dfafc.exe013edac0-951f-11ec-ba68-4ea9000dfafc.exe013d2d10-951f-11ec-ba67-4ea9000dfafc.exe0161f320-951f-11ec-bba1-4ea9000dfafc.exe0163c7e0-951f-11ec-bba2-4ea9000dfafc.exe0164b240-951f-11ec-bbac-4ea9000dfafc.exe015cc300-951f-11ec-bb61-4ea9000dfafc.exe013f4ff0-951f-11ec-ba69-4ea9000dfafc.exe013f7700-951f-11ec-ba6a-4ea9000dfafc.exe013f4ff0-951f-11ec-ba68-4ea9000dfafc.exe014124b0-951f-11ec-ba6d-4ea9000dfafc.exe0163a0d0-951f-11ec-bba2-4ea9000dfafc.exe01401340-951f-11ec-ba6a-4ea9000dfafc.exe014124b0-951f-11ec-ba6b-4ea9000dfafc.exe0140fda0-951f-11ec-ba6a-4ea9000dfafc.exe013f4ff0-951f-11ec-ba6a-4ea9000dfafc.exe014124b0-951f-11ec-ba6c-4ea9000dfafc.exe0142ab50-951f-11ec-ba71-4ea9000dfafc.exe0153c250-951f-11ec-bb1e-4ea9000dfafc.exe0142ab50-951f-11ec-ba6e-4ea9000dfafc.exe01425d30-951f-11ec-ba6d-4ea9000dfafc.exe0142ab50-951f-11ec-ba72-4ea9000dfafc.exe0142ab50-951f-11ec-ba73-4ea9000dfafc.exe0142ab50-951f-11ec-ba6f-4ea9000dfafc.exe

pid	process
2360	01371290-951f-11ec-ba64-4ea9000dfafc.exe
2440	012a6860-951f-11ec-ba62-4ea9000dfafc.exe
2464	0128e1c0-951f-11ec-ba62-4ea9000dfafc.exe
2528	01314630-951f-11ec-ba64-4ea9000dfafc.exe
2596	cmd.exe
2664	013ba670-951f-11ec-ba67-4ea9000dfafc.exe
2716	012add90-951f-11ec-ba62-4ea9000dfafc.exe
2748	0130f810-951f-11ec-ba64-4ea9000dfafc.exe
2836	cmd.exe
2860	cmd.exe
2916	012e11e0-951f-11ec-ba63-4ea9000dfafc.exe
2936	013eb3b0-951f-11ec-ba67-4ea9000dfafc.exe
2976	0142ab50-951f-11ec-ba76-4ea9000dfafc.exe
3024	013b5850-951f-11ec-ba67-4ea9000dfafc.exe
3060	012e11e0-951f-11ec-ba62-4ea9000dfafc.exe
2172	0142ab50-951f-11ec-ba77-4ea9000dfafc.exe
6508	014395b0-951f-11ec-ba87-4ea9000dfafc.exe
6532	0142ab50-951f-11ec-ba80-4ea9000dfafc.exe
6660	0147db70-951f-11ec-ba8f-4ea9000dfafc.exe
6716	015e2290-951f-11ec-bb6c-4ea9000dfafc.exe
6984	012a8f70-951f-11ec-ba62-4ea9000dfafc.exe
6976	014dcee0-951f-11ec-badf-4ea9000dfafc.exe
6992	015e49a0-951f-11ec-bb7e-4ea9000dfafc.exe
7000	014d80c0-951f-11ec-badb-4ea9000dfafc.exe
7024	014bac00-951f-11ec-babe-4ea9000dfafc.exe
7048	0153c250-951f-11ec-bb1d-4ea9000dfafc.exe
7096	0158cb60-951f-11ec-bb3e-4ea9000dfafc.exe
7116	012a4150-951f-11ec-ba62-4ea9000dfafc.exe
7124	0159b5c0-951f-11ec-bb4c-4ea9000dfafc.exe
7132	01568170-951f-11ec-bb35-4ea9000dfafc.exe
7164	014ff1c0-951f-11ec-bafd-4ea9000dfafc.exe
2012	015e49a0-951f-11ec-bb86-4ea9000dfafc.exe
2116	0149d740-951f-11ec-baa7-4ea9000dfafc.exe
2140	0149fe50-951f-11ec-baa8-4ea9000dfafc.exe
2120	0157e100-951f-11ec-bb36-4ea9000dfafc.exe
2104	014bd310-951f-11ec-babe-4ea9000dfafc.exe
2084	015d3830-951f-11ec-bb63-4ea9000dfafc.exe
2068	014bfa20-951f-11ec-babf-4ea9000dfafc.exe
268	014b5de0-951f-11ec-bab6-4ea9000dfafc.exe
2480	015aa020-951f-11ec-bb51-4ea9000dfafc.exe
2612	0160baa0-951f-11ec-bb96-4ea9000dfafc.exe
2856	013edac0-951f-11ec-ba68-4ea9000dfafc.exe
3044	013d2d10-951f-11ec-ba67-4ea9000dfafc.exe
1720	0161f320-951f-11ec-bba1-4ea9000dfafc.exe
2380	0163c7e0-951f-11ec-bba2-4ea9000dfafc.exe
2228	0164b240-951f-11ec-bbac-4ea9000dfafc.exe
2536	015cc300-951f-11ec-bb61-4ea9000dfafc.exe
2676	013f4ff0-951f-11ec-ba69-4ea9000dfafc.exe
2548	013f7700-951f-11ec-ba6a-4ea9000dfafc.exe
2668	013f4ff0-951f-11ec-ba68-4ea9000dfafc.exe
2376	014124b0-951f-11ec-ba6d-4ea9000dfafc.exe
1740	0163a0d0-951f-11ec-bba2-4ea9000dfafc.exe
3068	01401340-951f-11ec-ba6a-4ea9000dfafc.exe
1064	014124b0-951f-11ec-ba6b-4ea9000dfafc.exe
2192	0140fda0-951f-11ec-ba6a-4ea9000dfafc.exe
2336	013f4ff0-951f-11ec-ba6a-4ea9000dfafc.exe
2292	014124b0-951f-11ec-ba6c-4ea9000dfafc.exe
2284	0142ab50-951f-11ec-ba71-4ea9000dfafc.exe
2416	0153c250-951f-11ec-bb1e-4ea9000dfafc.exe
2332	0142ab50-951f-11ec-ba6e-4ea9000dfafc.exe
2576	01425d30-951f-11ec-ba6d-4ea9000dfafc.exe
2528	0142ab50-951f-11ec-ba72-4ea9000dfafc.exe
2484	0142ab50-951f-11ec-ba73-4ea9000dfafc.exe
2564	0142ab50-951f-11ec-ba6f-4ea9000dfafc.exe

Loads dropped DLL 64 IoCs

Processes:

43564aa0-94f8-11ec-9d1d-005056a01a83.exe

pid	process
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe
972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2740 timeout.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

015d5f40-951f-11ec-bb65-4ea9000dfafc.exe

pid process

3360 015d5f40-951f-11ec-bb65-4ea9000dfafc.exe

pid	process
2740	timeout.exe

pid	process
3360	015d5f40-951f-11ec-bb65-4ea9000dfafc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

43564aa0-94f8-11ec-9d1d-005056a01a83.exe

description	pid	process	target process
PID 972 wrote to memory of 976	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 976	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 976	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1712	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1712	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1712	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1732	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1732	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1732	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 772	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 772	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 772	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 588	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 588	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 588	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 892	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 892	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 892	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 652	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 652	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 652	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1396	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1396	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1396	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1408	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1408	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1408	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 980	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 980	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 980	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1140	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1140	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1140	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 780	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 780	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 780	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 868	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 868	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 868	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 864	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 864	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 864	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1188	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1188	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1188	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1556	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1556	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1556	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1068	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1068	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1068	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1500	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1500	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1500	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1728	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1728	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1728	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1216	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1216	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1216	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 2008	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 2008	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 2008	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe
PID 972 wrote to memory of 1984	972	43564aa0-94f8-11ec-9d1d-005056a01a83.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe
"C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:972
- C:\Windows\system32\cmd.exe
  cmd /C copy C:\Users\Admin\AppData\Local\Temp\read_me.html C:\Users\Admin\Desktop\read_me.html
  2⤵
  PID:976
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0128e1c0-951f-11ec-ba62-4ea9000dfafc.exe
  2⤵
  PID:1712
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 012a6860-951f-11ec-ba62-4ea9000dfafc.exe
  2⤵
  PID:1732
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 012add90-951f-11ec-ba62-4ea9000dfafc.exe
  2⤵
  PID:772
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 012d9cb0-951f-11ec-ba62-4ea9000dfafc.exe
  2⤵
  PID:588
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 012e11e0-951f-11ec-ba62-4ea9000dfafc.exe
  2⤵
  PID:892
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 012e11e0-951f-11ec-ba63-4ea9000dfafc.exe
  2⤵
  PID:652
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01314630-951f-11ec-ba64-4ea9000dfafc.exe
  2⤵
  PID:1408
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0132a5c0-951f-11ec-ba64-4ea9000dfafc.exe
  2⤵
  PID:980
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0130f810-951f-11ec-ba64-4ea9000dfafc.exe
  2⤵
  PID:1396
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01371290-951f-11ec-ba64-4ea9000dfafc.exe
  2⤵
  PID:1140
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 013787c0-951f-11ec-ba64-4ea9000dfafc.exe
  2⤵
  PID:780
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 013ba670-951f-11ec-ba67-4ea9000dfafc.exe
  2⤵
  PID:868
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 013b5850-951f-11ec-ba67-4ea9000dfafc.exe
  2⤵
  PID:864
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 013eb3b0-951f-11ec-ba67-4ea9000dfafc.exe
  2⤵
  PID:1188
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0142ab50-951f-11ec-ba76-4ea9000dfafc.exe
  2⤵
  PID:1556
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0142ab50-951f-11ec-ba77-4ea9000dfafc.exe
  2⤵
  PID:1068
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0142ab50-951f-11ec-ba80-4ea9000dfafc.exe
  2⤵
  PID:1500
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014395b0-951f-11ec-ba87-4ea9000dfafc.exe
  2⤵
  PID:1728
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0147db70-951f-11ec-ba8f-4ea9000dfafc.exe
  2⤵
  PID:1216
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0149d740-951f-11ec-baa7-4ea9000dfafc.exe
  2⤵
  PID:2008
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0149fe50-951f-11ec-baa8-4ea9000dfafc.exe
  2⤵
  PID:1984
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014b5de0-951f-11ec-bab6-4ea9000dfafc.exe
  2⤵
  PID:2016
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014bac00-951f-11ec-babe-4ea9000dfafc.exe
  2⤵
  PID:1684
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014bd310-951f-11ec-babe-4ea9000dfafc.exe
  2⤵
  PID:556
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014bfa20-951f-11ec-babf-4ea9000dfafc.exe
  2⤵
  PID:1908
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014d80c0-951f-11ec-badb-4ea9000dfafc.exe
  2⤵
  PID:1740
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014dcee0-951f-11ec-badf-4ea9000dfafc.exe
  2⤵
  PID:1524
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014ff1c0-951f-11ec-bafd-4ea9000dfafc.exe
  2⤵
  PID:1152
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 012a8f70-951f-11ec-ba62-4ea9000dfafc.exe
  2⤵
  PID:1972
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0153c250-951f-11ec-bb1d-4ea9000dfafc.exe
  2⤵
  PID:480
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01568170-951f-11ec-bb35-4ea9000dfafc.exe
  2⤵
  PID:1064
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0157e100-951f-11ec-bb36-4ea9000dfafc.exe
  2⤵
  PID:1744
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0158cb60-951f-11ec-bb3e-4ea9000dfafc.exe
  2⤵
  PID:912
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0159b5c0-951f-11ec-bb4c-4ea9000dfafc.exe
  2⤵
  PID:584
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015d3830-951f-11ec-bb63-4ea9000dfafc.exe
  2⤵
  PID:896
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e2290-951f-11ec-bb6c-4ea9000dfafc.exe
  2⤵
  PID:2000
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb7e-4ea9000dfafc.exe
  2⤵
  PID:1980
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb86-4ea9000dfafc.exe
  2⤵
  PID:2004
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0160baa0-951f-11ec-bb96-4ea9000dfafc.exe
  2⤵
  PID:288
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 012a4150-951f-11ec-ba62-4ea9000dfafc.exe
  2⤵
  PID:2016
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0163c7e0-951f-11ec-bba2-4ea9000dfafc.exe
  2⤵
  PID:1740
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0164b240-951f-11ec-bbac-4ea9000dfafc.exe
  2⤵
  PID:1064
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 013a9500-951f-11ec-ba65-4ea9000dfafc.exe
  2⤵
  PID:1988
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 013d2d10-951f-11ec-ba67-4ea9000dfafc.exe
  2⤵
  PID:1152
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015aa020-951f-11ec-bb51-4ea9000dfafc.exe
  2⤵
  PID:2052
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015cc300-951f-11ec-bb61-4ea9000dfafc.exe
  2⤵
  PID:2064
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0161f320-951f-11ec-bba1-4ea9000dfafc.exe
  2⤵
  PID:2072
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 013edac0-951f-11ec-ba68-4ea9000dfafc.exe
  2⤵
  PID:2080
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0163a0d0-951f-11ec-bba2-4ea9000dfafc.exe
  2⤵
  PID:2088
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 013f4ff0-951f-11ec-ba69-4ea9000dfafc.exe
  2⤵
  PID:2096
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 013f4ff0-951f-11ec-ba68-4ea9000dfafc.exe
  2⤵
  PID:2104
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 013f4ff0-951f-11ec-ba6a-4ea9000dfafc.exe
  2⤵
  PID:2112
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 013f7700-951f-11ec-ba6a-4ea9000dfafc.exe
  2⤵
  PID:2120
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01401340-951f-11ec-ba6a-4ea9000dfafc.exe
  2⤵
  PID:2128
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0153c250-951f-11ec-bb1e-4ea9000dfafc.exe
  2⤵
  PID:2136
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0140fda0-951f-11ec-ba6a-4ea9000dfafc.exe
  2⤵
  PID:2144
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014124b0-951f-11ec-ba6b-4ea9000dfafc.exe
  2⤵
  PID:2152
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014124b0-951f-11ec-ba6d-4ea9000dfafc.exe
  2⤵
  PID:2160
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014124b0-951f-11ec-ba6c-4ea9000dfafc.exe
  2⤵
  PID:2168
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0142ab50-951f-11ec-ba6e-4ea9000dfafc.exe
  2⤵
  PID:2176
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0142ab50-951f-11ec-ba6f-4ea9000dfafc.exe
  2⤵
  PID:2184
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0142ab50-951f-11ec-ba71-4ea9000dfafc.exe
  2⤵
  PID:2200
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0142ab50-951f-11ec-ba70-4ea9000dfafc.exe
  2⤵
  PID:2192
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01425d30-951f-11ec-ba6d-4ea9000dfafc.exe
  2⤵
  PID:2208
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0142ab50-951f-11ec-ba72-4ea9000dfafc.exe
  2⤵
  PID:2216
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0142ab50-951f-11ec-ba74-4ea9000dfafc.exe
  2⤵
  PID:2224
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0142ab50-951f-11ec-ba73-4ea9000dfafc.exe
  2⤵
  PID:2232
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0142ab50-951f-11ec-ba75-4ea9000dfafc.exe
  2⤵
  PID:2240
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0142ab50-951f-11ec-ba78-4ea9000dfafc.exe
  2⤵
  PID:2248
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0142ab50-951f-11ec-ba7a-4ea9000dfafc.exe
  2⤵
  PID:2256
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0142ab50-951f-11ec-ba79-4ea9000dfafc.exe
  2⤵
  PID:2264
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0142ab50-951f-11ec-ba7c-4ea9000dfafc.exe
  2⤵
  PID:2272
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0142ab50-951f-11ec-ba7b-4ea9000dfafc.exe
  2⤵
  PID:2280
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0142ab50-951f-11ec-ba7e-4ea9000dfafc.exe
  2⤵
  PID:2288
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0142ab50-951f-11ec-ba7d-4ea9000dfafc.exe
  2⤵
  PID:2296
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0142ab50-951f-11ec-ba7f-4ea9000dfafc.exe
  2⤵
  PID:2304
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0142ab50-951f-11ec-ba81-4ea9000dfafc.exe
  2⤵
  PID:2312
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0142ab50-951f-11ec-ba83-4ea9000dfafc.exe
  2⤵
  PID:2320
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0142ab50-951f-11ec-ba84-4ea9000dfafc.exe
  2⤵
  PID:2328
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0142ab50-951f-11ec-ba85-4ea9000dfafc.exe
  2⤵
  PID:2336
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0142ab50-951f-11ec-ba86-4ea9000dfafc.exe
  2⤵
  PID:2344
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0142ab50-951f-11ec-ba87-4ea9000dfafc.exe
  2⤵
  PID:2352
- C:\Users\Admin\AppData\Local\Temp\01371290-951f-11ec-ba64-4ea9000dfafc.exe
  01371290-951f-11ec-ba64-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Sun\Java\jdk1.7.0_80_x64\sz170800.cab
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01440ae0-951f-11ec-ba89-4ea9000dfafc.exe
  2⤵
  PID:2384
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01454360-951f-11ec-ba8b-4ea9000dfafc.exe
  2⤵
  PID:2404
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0144a720-951f-11ec-ba89-4ea9000dfafc.exe
  2⤵
  PID:2412
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0144a720-951f-11ec-ba8a-4ea9000dfafc.exe
  2⤵
  PID:2420
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01473f30-951f-11ec-ba8d-4ea9000dfafc.exe
  2⤵
  PID:2428
- C:\Users\Admin\AppData\Local\Temp\012a6860-951f-11ec-ba62-4ea9000dfafc.exe
  012a6860-951f-11ec-ba62-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0146a2f0-951f-11ec-ba8c-4ea9000dfafc.exe
  2⤵
  PID:2496
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01482990-951f-11ec-ba92-4ea9000dfafc.exe
  2⤵
  PID:2564
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01482990-951f-11ec-ba91-4ea9000dfafc.exe
  2⤵
  PID:2572
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014877b0-951f-11ec-ba98-4ea9000dfafc.exe
  2⤵
  PID:2588
- C:\Users\Admin\AppData\Local\Temp\0132a5c0-951f-11ec-ba64-4ea9000dfafc.exe
  0132a5c0-951f-11ec-ba64-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Sun\Java\jdk1.7.0_80_x64\jdk1.7.0_80.msi
  2⤵
  PID:2596
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0148c5d0-951f-11ec-ba9a-4ea9000dfafc.exe
  2⤵
  PID:2616
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0148ece0-951f-11ec-ba9d-4ea9000dfafc.exe
  2⤵
  PID:2648
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0148c5d0-951f-11ec-ba9b-4ea9000dfafc.exe
  2⤵
  PID:2656
- C:\Users\Admin\AppData\Local\Temp\013ba670-951f-11ec-ba67-4ea9000dfafc.exe
  013ba670-951f-11ec-ba67-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab"
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0148ece0-951f-11ec-ba9c-4ea9000dfafc.exe
  2⤵
  PID:2628
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0148ece0-951f-11ec-ba9f-4ea9000dfafc.exe
  2⤵
  PID:2688
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0148ece0-951f-11ec-baa3-4ea9000dfafc.exe
  2⤵
  PID:2704
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01493b00-951f-11ec-baa5-4ea9000dfafc.exe
  2⤵
  PID:2788
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0149d740-951f-11ec-baa6-4ea9000dfafc.exe
  2⤵
  PID:2812
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01493b00-951f-11ec-baa4-4ea9000dfafc.exe
  2⤵
  PID:2780
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0149fe50-951f-11ec-baa9-4ea9000dfafc.exe
  2⤵
  PID:2828
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0149fe50-951f-11ec-baaa-4ea9000dfafc.exe
  2⤵
  PID:2820
- C:\Users\Admin\AppData\Local\Temp\0130f810-951f-11ec-ba64-4ea9000dfafc.exe
  0130f810-951f-11ec-ba64-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F90F18257CBB4D84216AC1E1F3BB2C76
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01493b00-951f-11ec-baa3-4ea9000dfafc.exe
  2⤵
  PID:2736
- C:\Users\Admin\AppData\Local\Temp\012add90-951f-11ec-ba62-4ea9000dfafc.exe
  012add90-951f-11ec-ba62-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi"
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014877b0-951f-11ec-ba97-4ea9000dfafc.exe
  2⤵
  PID:2580
- C:\Users\Admin\AppData\Local\Temp\01314630-951f-11ec-ba64-4ea9000dfafc.exe
  01314630-951f-11ec-ba64-4ea9000dfafc.exe "C:\\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01476640-951f-11ec-ba8f-4ea9000dfafc.exe
  2⤵
  PID:2484
- C:\Users\Admin\AppData\Local\Temp\0128e1c0-951f-11ec-ba62-4ea9000dfafc.exe
  0128e1c0-951f-11ec-ba62-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll"
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Users\Admin\AppData\Local\Temp\012d9cb0-951f-11ec-ba62-4ea9000dfafc.exe
  012d9cb0-951f-11ec-ba62-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
  2⤵
  PID:2836
- C:\Users\Admin\AppData\Local\Temp\013787c0-951f-11ec-ba64-4ea9000dfafc.exe
  013787c0-951f-11ec-ba64-4ea9000dfafc.exe C:\\Users\Admin\AppData\Roaming\AddUnregister.dll
  2⤵
  PID:2860
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014a2560-951f-11ec-baac-4ea9000dfafc.exe
  2⤵
  PID:2908
- C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba76-4ea9000dfafc.exe
  0142ab50-951f-11ec-ba76-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab"
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Users\Admin\AppData\Local\Temp\012e11e0-951f-11ec-ba62-4ea9000dfafc.exe
  012e11e0-951f-11ec-ba62-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml"
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014ae8b0-951f-11ec-bab4-4ea9000dfafc.exe
  2⤵
  PID:2076
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014ac1a0-951f-11ec-bab1-4ea9000dfafc.exe
  2⤵
  PID:2152
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014bac00-951f-11ec-babd-4ea9000dfafc.exe
  2⤵
  PID:2156
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014b84f0-951f-11ec-babb-4ea9000dfafc.exe
  2⤵
  PID:2148
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014a2560-951f-11ec-baad-4ea9000dfafc.exe
  2⤵
  PID:2140
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014a2560-951f-11ec-baaa-4ea9000dfafc.exe
  2⤵
  PID:2112
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014b5de0-951f-11ec-bab7-4ea9000dfafc.exe
  2⤵
  PID:2132
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014a2560-951f-11ec-baab-4ea9000dfafc.exe
  2⤵
  PID:2104
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014b84f0-951f-11ec-bab9-4ea9000dfafc.exe
  2⤵
  PID:2116
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014b0fc0-951f-11ec-bab6-4ea9000dfafc.exe
  2⤵
  PID:2100
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014ae8b0-951f-11ec-bab3-4ea9000dfafc.exe
  2⤵
  PID:2092
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014b0fc0-951f-11ec-bab5-4ea9000dfafc.exe
  2⤵
  PID:2084
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014a9a90-951f-11ec-bab0-4ea9000dfafc.exe
  2⤵
  PID:2068
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014bfa20-951f-11ec-bac1-4ea9000dfafc.exe
  2⤵
  PID:2212
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014b84f0-951f-11ec-baba-4ea9000dfafc.exe
  2⤵
  PID:2236
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014bfa20-951f-11ec-bac3-4ea9000dfafc.exe
  2⤵
  PID:2208
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0145dfa0-951f-11ec-ba8b-4ea9000dfafc.exe
  2⤵
  PID:2216
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014c6f50-951f-11ec-bad1-4ea9000dfafc.exe
  2⤵
  PID:2288
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014d0b90-951f-11ec-bad5-4ea9000dfafc.exe
  2⤵
  PID:2304
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014da7d0-951f-11ec-badd-4ea9000dfafc.exe
  2⤵
  PID:2336
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014dcee0-951f-11ec-bade-4ea9000dfafc.exe
  2⤵
  PID:2344
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014dcee0-951f-11ec-bae1-4ea9000dfafc.exe
  2⤵
  PID:2384
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014e4410-951f-11ec-bae4-4ea9000dfafc.exe
  2⤵
  PID:2392
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014e4410-951f-11ec-bae1-4ea9000dfafc.exe
  2⤵
  PID:2424
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014e6b20-951f-11ec-bae4-4ea9000dfafc.exe
  2⤵
  PID:2364
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014ee050-951f-11ec-bae9-4ea9000dfafc.exe
  2⤵
  PID:2444
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014ee050-951f-11ec-baec-4ea9000dfafc.exe
  2⤵
  PID:2484
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014ee050-951f-11ec-baea-4ea9000dfafc.exe
  2⤵
  PID:2496
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014f0760-951f-11ec-baec-4ea9000dfafc.exe
  2⤵
  PID:2552
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014f2e70-951f-11ec-baf1-4ea9000dfafc.exe
  2⤵
  PID:2568
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014f0760-951f-11ec-baee-4ea9000dfafc.exe
  2⤵
  PID:2576
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014f2e70-951f-11ec-baf3-4ea9000dfafc.exe
  2⤵
  PID:2620
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014f7c90-951f-11ec-baf7-4ea9000dfafc.exe
  2⤵
  PID:2616
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014f7c90-951f-11ec-baf6-4ea9000dfafc.exe
  2⤵
  PID:2652
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014fcab0-951f-11ec-bafb-4ea9000dfafc.exe
  2⤵
  PID:2600
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014fcab0-951f-11ec-bafa-4ea9000dfafc.exe
  2⤵
  PID:2636
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014fa3a0-951f-11ec-baf8-4ea9000dfafc.exe
  2⤵
  PID:2656
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014fa3a0-951f-11ec-bafa-4ea9000dfafc.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014fcab0-951f-11ec-bafc-4ea9000dfafc.exe
  2⤵
  PID:2704
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015018d0-951f-11ec-bb02-4ea9000dfafc.exe
  2⤵
  PID:2788
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015066f0-951f-11ec-bb05-4ea9000dfafc.exe
  2⤵
  PID:2752
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015066f0-951f-11ec-bb04-4ea9000dfafc.exe
  2⤵
  PID:2820
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015018d0-951f-11ec-baff-4ea9000dfafc.exe
  2⤵
  PID:2808
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01503fe0-951f-11ec-bb03-4ea9000dfafc.exe
  2⤵
  PID:2824
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015066f0-951f-11ec-bb03-4ea9000dfafc.exe
  2⤵
  PID:2832
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0150b510-951f-11ec-bb0d-4ea9000dfafc.exe
  2⤵
  PID:2888
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0150dc20-951f-11ec-bb0e-4ea9000dfafc.exe
  2⤵
  PID:2864
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014ac1a0-951f-11ec-bab0-4ea9000dfafc.exe
  2⤵
  PID:2908
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0150b510-951f-11ec-bb0c-4ea9000dfafc.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01523bb0-951f-11ec-bb16-4ea9000dfafc.exe
  2⤵
  PID:2936
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015289d0-951f-11ec-bb16-4ea9000dfafc.exe
  2⤵
  PID:2920
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0152b0e0-951f-11ec-bb18-4ea9000dfafc.exe
  2⤵
  PID:2952
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01539b40-951f-11ec-bb1a-4ea9000dfafc.exe
  2⤵
  PID:2916
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01545e90-951f-11ec-bb21-4ea9000dfafc.exe
  2⤵
  PID:1988
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0154acb0-951f-11ec-bb22-4ea9000dfafc.exe
  2⤵
  PID:2172
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01557000-951f-11ec-bb25-4ea9000dfafc.exe
  2⤵
  PID:3104
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01557000-951f-11ec-bb27-4ea9000dfafc.exe
  2⤵
  PID:3112
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0155be20-951f-11ec-bb28-4ea9000dfafc.exe
  2⤵
  PID:3136
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01560c40-951f-11ec-bb2b-4ea9000dfafc.exe
  2⤵
  PID:3144
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01560c40-951f-11ec-bb2d-4ea9000dfafc.exe
  2⤵
  PID:3152
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01560c40-951f-11ec-bb2f-4ea9000dfafc.exe
  2⤵
  PID:3160
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0144f540-951f-11ec-ba8a-4ea9000dfafc.exe
  2⤵
  PID:3168
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0149d740-951f-11ec-baa5-4ea9000dfafc.exe
  2⤵
  PID:3176
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0155e530-951f-11ec-bb29-4ea9000dfafc.exe
  2⤵
  PID:3128
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01576bd0-951f-11ec-bb36-4ea9000dfafc.exe
  2⤵
  PID:3208
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014e9230-951f-11ec-bae4-4ea9000dfafc.exe
  2⤵
  PID:3248
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0158cb60-951f-11ec-bb3f-4ea9000dfafc.exe
  2⤵
  PID:3256
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0159b5c0-951f-11ec-bb4a-4ea9000dfafc.exe
  2⤵
  PID:3312
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015aa020-951f-11ec-bb54-4ea9000dfafc.exe
  2⤵
  PID:3384
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015b8a80-951f-11ec-bb5b-4ea9000dfafc.exe
  2⤵
  PID:3448
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014f2e70-951f-11ec-baf2-4ea9000dfafc.exe
  2⤵
  PID:3496
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015dad60-951f-11ec-bb67-4ea9000dfafc.exe
  2⤵
  PID:3544
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e2290-951f-11ec-bb6b-4ea9000dfafc.exe
  2⤵
  PID:3592
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb72-4ea9000dfafc.exe
  2⤵
  PID:3672
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015aa020-951f-11ec-bb53-4ea9000dfafc.exe
  2⤵
  PID:3736
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb7f-4ea9000dfafc.exe
  2⤵
  PID:3784
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb83-4ea9000dfafc.exe
  2⤵
  PID:3832
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015f3400-951f-11ec-bb8f-4ea9000dfafc.exe
  2⤵
  PID:3888
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015f3400-951f-11ec-bb90-4ea9000dfafc.exe
  2⤵
  PID:3948
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015c4dd0-951f-11ec-bb60-4ea9000dfafc.exe
  2⤵
  PID:4008
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0161a500-951f-11ec-bb99-4ea9000dfafc.exe
  2⤵
  PID:4048
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0161a500-951f-11ec-bb9b-4ea9000dfafc.exe
  2⤵
  PID:4056
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0161a500-951f-11ec-bb9d-4ea9000dfafc.exe
  2⤵
  PID:4080
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0161a500-951f-11ec-bba0-4ea9000dfafc.exe
  2⤵
  PID:4112
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0161cc10-951f-11ec-bba0-4ea9000dfafc.exe
  2⤵
  PID:4120
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0162dd80-951f-11ec-bba1-4ea9000dfafc.exe
  2⤵
  PID:4160
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0161a500-951f-11ec-bb9e-4ea9000dfafc.exe
  2⤵
  PID:4192
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01632ba0-951f-11ec-bba2-4ea9000dfafc.exe
  2⤵
  PID:4228
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01323090-951f-11ec-ba64-4ea9000dfafc.exe
  2⤵
  PID:4244
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01364f40-951f-11ec-ba64-4ea9000dfafc.exe
  2⤵
  PID:4276
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0134efb0-951f-11ec-ba64-4ea9000dfafc.exe
  2⤵
  PID:4316
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01641600-951f-11ec-bba5-4ea9000dfafc.exe
  2⤵
  PID:4336
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01643d10-951f-11ec-bba8-4ea9000dfafc.exe
  2⤵
  PID:4360
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01646420-951f-11ec-bba9-4ea9000dfafc.exe
  2⤵
  PID:4384
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01648b30-951f-11ec-bbaa-4ea9000dfafc.exe
  2⤵
  PID:4420
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01648b30-951f-11ec-bbac-4ea9000dfafc.exe
  2⤵
  PID:4432
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0138e750-951f-11ec-ba65-4ea9000dfafc.exe
  2⤵
  PID:4468
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01650060-951f-11ec-bbae-4ea9000dfafc.exe
  2⤵
  PID:4504
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01440ae0-951f-11ec-ba87-4ea9000dfafc.exe
  2⤵
  PID:4540
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01568170-951f-11ec-bb2f-4ea9000dfafc.exe
  2⤵
  PID:4564
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015214a0-951f-11ec-bb15-4ea9000dfafc.exe
  2⤵
  PID:4592
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014d59b0-951f-11ec-bad6-4ea9000dfafc.exe
  2⤵
  PID:4624
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0148ece0-951f-11ec-baa1-4ea9000dfafc.exe
  2⤵
  PID:4648
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014f2e70-951f-11ec-baf0-4ea9000dfafc.exe
  2⤵
  PID:4672
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015aee40-951f-11ec-bb56-4ea9000dfafc.exe
  2⤵
  PID:4712
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015b6370-951f-11ec-bb5a-4ea9000dfafc.exe
  2⤵
  PID:4736
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015b6370-951f-11ec-bb59-4ea9000dfafc.exe
  2⤵
  PID:4760
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb7b-4ea9000dfafc.exe
  2⤵
  PID:4792
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0158a450-951f-11ec-bb3c-4ea9000dfafc.exe
  2⤵
  PID:4816
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014c4840-951f-11ec-bac8-4ea9000dfafc.exe
  2⤵
  PID:4840
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01568170-951f-11ec-bb31-4ea9000dfafc.exe
  2⤵
  PID:4856
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014ee050-951f-11ec-bae7-4ea9000dfafc.exe
  2⤵
  PID:4876
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014bac00-951f-11ec-babb-4ea9000dfafc.exe
  2⤵
  PID:4904
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0159b5c0-951f-11ec-bb49-4ea9000dfafc.exe
  2⤵
  PID:4940
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014ff1c0-951f-11ec-bafc-4ea9000dfafc.exe
  2⤵
  PID:4972
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014ae8b0-951f-11ec-bab2-4ea9000dfafc.exe
  2⤵
  PID:5008
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01591980-951f-11ec-bb44-4ea9000dfafc.exe
  2⤵
  PID:5032
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014bac00-951f-11ec-babc-4ea9000dfafc.exe
  2⤵
  PID:5068
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014a9a90-951f-11ec-baae-4ea9000dfafc.exe
  2⤵
  PID:5108
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01591980-951f-11ec-bb45-4ea9000dfafc.exe
  2⤵
  PID:5144
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015a7910-951f-11ec-bb4f-4ea9000dfafc.exe
  2⤵
  PID:5172
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01510330-951f-11ec-bb0f-4ea9000dfafc.exe
  2⤵
  PID:5208
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015aa020-951f-11ec-bb50-4ea9000dfafc.exe
  2⤵
  PID:5240
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e97c0-951f-11ec-bb8f-4ea9000dfafc.exe
  2⤵
  PID:5276
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0152d7f0-951f-11ec-bb18-4ea9000dfafc.exe
  2⤵
  PID:5300
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01541070-951f-11ec-bb1e-4ea9000dfafc.exe
  2⤵
  PID:5324
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014ee050-951f-11ec-bae8-4ea9000dfafc.exe
  2⤵
  PID:5340
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01476640-951f-11ec-ba8e-4ea9000dfafc.exe
  2⤵
  PID:5368
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01609390-951f-11ec-bb93-4ea9000dfafc.exe
  2⤵
  PID:5400
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb75-4ea9000dfafc.exe
  2⤵
  PID:5408
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015ff750-951f-11ec-bb91-4ea9000dfafc.exe
  2⤵
  PID:5432
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01568170-951f-11ec-bb30-4ea9000dfafc.exe
  2⤵
  PID:5456
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0150b510-951f-11ec-bb0a-4ea9000dfafc.exe
  2⤵
  PID:5496
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014c4840-951f-11ec-bac9-4ea9000dfafc.exe
  2⤵
  PID:5528
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0160e1b0-951f-11ec-bb97-4ea9000dfafc.exe
  2⤵
  PID:5540
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01512a40-951f-11ec-bb0f-4ea9000dfafc.exe
  2⤵
  PID:5580
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015c4dd0-951f-11ec-bb5e-4ea9000dfafc.exe
  2⤵
  PID:5600
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0160baa0-951f-11ec-bb94-4ea9000dfafc.exe
  2⤵
  PID:5612
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0153c250-951f-11ec-bb1b-4ea9000dfafc.exe
  2⤵
  PID:5648
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01648b30-951f-11ec-bbab-4ea9000dfafc.exe
  2⤵
  PID:5684
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01652770-951f-11ec-bbae-4ea9000dfafc.exe
  2⤵
  PID:5720
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01654e80-951f-11ec-bbaf-4ea9000dfafc.exe
  2⤵
  PID:5760
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01657590-951f-11ec-bbaf-4ea9000dfafc.exe
  2⤵
  PID:5784
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 013edac0-951f-11ec-ba67-4ea9000dfafc.exe
  2⤵
  PID:5804
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01508e00-951f-11ec-bb08-4ea9000dfafc.exe
  2⤵
  PID:5828
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01657590-951f-11ec-bbb0-4ea9000dfafc.exe
  2⤵
  PID:5856
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014f2e70-951f-11ec-baee-4ea9000dfafc.exe
  2⤵
  PID:5876
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0148c5d0-951f-11ec-ba98-4ea9000dfafc.exe
  2⤵
  PID:5924
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01557000-951f-11ec-bb26-4ea9000dfafc.exe
  2⤵
  PID:5948
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01541070-951f-11ec-bb21-4ea9000dfafc.exe
  2⤵
  PID:5984
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0158f270-951f-11ec-bb40-4ea9000dfafc.exe
  2⤵
  PID:6000
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0154d3c0-951f-11ec-bb24-4ea9000dfafc.exe
  2⤵
  PID:6020
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014431f0-951f-11ec-ba89-4ea9000dfafc.exe
  2⤵
  PID:6036
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01557000-951f-11ec-bb28-4ea9000dfafc.exe
  2⤵
  PID:6044
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0144f540-951f-11ec-ba8b-4ea9000dfafc.exe
  2⤵
  PID:6068
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0158a450-951f-11ec-bb3d-4ea9000dfafc.exe
  2⤵
  PID:6080
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01471820-951f-11ec-ba8d-4ea9000dfafc.exe
  2⤵
  PID:6104
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01467be0-951f-11ec-ba8b-4ea9000dfafc.exe
  2⤵
  PID:6148
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0158a450-951f-11ec-bb3a-4ea9000dfafc.exe
  2⤵
  PID:6180
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01480280-951f-11ec-ba90-4ea9000dfafc.exe
  2⤵
  PID:6204
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0147db70-951f-11ec-ba90-4ea9000dfafc.exe
  2⤵
  PID:6240
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb8d-4ea9000dfafc.exe
  2⤵
  PID:6280
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01612fd0-951f-11ec-bb99-4ea9000dfafc.exe
  2⤵
  PID:6300
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01496210-951f-11ec-baa5-4ea9000dfafc.exe
  2⤵
  PID:6324
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014a4c70-951f-11ec-baae-4ea9000dfafc.exe
  2⤵
  PID:6352
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014c6f50-951f-11ec-bacf-4ea9000dfafc.exe
  2⤵
  PID:6388
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0148c5d0-951f-11ec-ba99-4ea9000dfafc.exe
  2⤵
  PID:6424
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014b0fc0-951f-11ec-bab4-4ea9000dfafc.exe
  2⤵
  PID:6460
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014b5de0-951f-11ec-bab9-4ea9000dfafc.exe
  2⤵
  PID:6496
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014b5de0-951f-11ec-bab8-4ea9000dfafc.exe
  2⤵
  PID:6484
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015d3830-951f-11ec-bb61-4ea9000dfafc.exe
  2⤵
  PID:6472
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01508e00-951f-11ec-bb0a-4ea9000dfafc.exe
  2⤵
  PID:6448
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015ac730-951f-11ec-bb55-4ea9000dfafc.exe
  2⤵
  PID:6436
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0158a450-951f-11ec-bb38-4ea9000dfafc.exe
  2⤵
  PID:6412
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01650060-951f-11ec-bbad-4ea9000dfafc.exe
  2⤵
  PID:6400
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0156cf90-951f-11ec-bb36-4ea9000dfafc.exe
  2⤵
  PID:6376
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 013b5850-951f-11ec-ba66-4ea9000dfafc.exe
  2⤵
  PID:6364
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0130f810-951f-11ec-ba63-4ea9000dfafc.exe
  2⤵
  PID:6340
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0160e1b0-951f-11ec-bb98-4ea9000dfafc.exe
  2⤵
  PID:6316
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015ff750-951f-11ec-bb92-4ea9000dfafc.exe
  2⤵
  PID:6288
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014877b0-951f-11ec-ba93-4ea9000dfafc.exe
  2⤵
  PID:6264
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb8c-4ea9000dfafc.exe
  2⤵
  PID:6256
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01473f30-951f-11ec-ba8e-4ea9000dfafc.exe
  2⤵
  PID:6228
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015c74e0-951f-11ec-bb60-4ea9000dfafc.exe
  2⤵
  PID:6216
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01480280-951f-11ec-ba91-4ea9000dfafc.exe
  2⤵
  PID:6196
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0146ca00-951f-11ec-ba8d-4ea9000dfafc.exe
  2⤵
  PID:6168
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015c26c0-951f-11ec-bb5e-4ea9000dfafc.exe
  2⤵
  PID:6156
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01560c40-951f-11ec-bb2a-4ea9000dfafc.exe
  2⤵
  PID:6128
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0146ca00-951f-11ec-ba8c-4ea9000dfafc.exe
  2⤵
  PID:6116
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01582f20-951f-11ec-bb37-4ea9000dfafc.exe
  2⤵
  PID:6096
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014dcee0-951f-11ec-bae0-4ea9000dfafc.exe
  2⤵
  PID:6060
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01432080-951f-11ec-ba87-4ea9000dfafc.exe
  2⤵
  PID:6008
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01519f70-951f-11ec-bb14-4ea9000dfafc.exe
  2⤵
  PID:5976
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0140fda0-951f-11ec-ba6b-4ea9000dfafc.exe
  2⤵
  PID:5960
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01423620-951f-11ec-ba6d-4ea9000dfafc.exe
  2⤵
  PID:5940
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01519f70-951f-11ec-bb13-4ea9000dfafc.exe
  2⤵
  PID:5912
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014c9660-951f-11ec-bad3-4ea9000dfafc.exe
  2⤵
  PID:5904
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01425d30-951f-11ec-ba6e-4ea9000dfafc.exe
  2⤵
  PID:5888
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014c9660-951f-11ec-bad4-4ea9000dfafc.exe
  2⤵
  PID:5864
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01414bc0-951f-11ec-ba6d-4ea9000dfafc.exe
  2⤵
  PID:5840
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014a4c70-951f-11ec-baad-4ea9000dfafc.exe
  2⤵
  PID:5816
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 013df060-951f-11ec-ba67-4ea9000dfafc.exe
  2⤵
  PID:5796
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01541070-951f-11ec-bb20-4ea9000dfafc.exe
  2⤵
  PID:5768
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01654e80-951f-11ec-bbae-4ea9000dfafc.exe
  2⤵
  PID:5744
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01541070-951f-11ec-bb1f-4ea9000dfafc.exe
  2⤵
  PID:5732
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 013b5850-951f-11ec-ba65-4ea9000dfafc.exe
  2⤵
  PID:5712
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0164d950-951f-11ec-bbac-4ea9000dfafc.exe
  2⤵
  PID:5696
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01557000-951f-11ec-bb24-4ea9000dfafc.exe
  2⤵
  PID:5672
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01369d60-951f-11ec-ba64-4ea9000dfafc.exe
  2⤵
  PID:5664
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0161a500-951f-11ec-bb9f-4ea9000dfafc.exe
  2⤵
  PID:5636
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01440ae0-951f-11ec-ba88-4ea9000dfafc.exe
  2⤵
  PID:5624
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015b8a80-951f-11ec-bb5a-4ea9000dfafc.exe
  2⤵
  PID:5588
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0160e1b0-951f-11ec-bb96-4ea9000dfafc.exe
  2⤵
  PID:5564
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0158a450-951f-11ec-bb39-4ea9000dfafc.exe
  2⤵
  PID:5552
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015018d0-951f-11ec-bb00-4ea9000dfafc.exe
  2⤵
  PID:5520
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015b8a80-951f-11ec-bb5c-4ea9000dfafc.exe
  2⤵
  PID:5504
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015ac730-951f-11ec-bb54-4ea9000dfafc.exe
  2⤵
  PID:5480
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015b8a80-951f-11ec-bb5d-4ea9000dfafc.exe
  2⤵
  PID:5468
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01517860-951f-11ec-bb10-4ea9000dfafc.exe
  2⤵
  PID:5444
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014877b0-951f-11ec-ba94-4ea9000dfafc.exe
  2⤵
  PID:5420
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01517860-951f-11ec-bb12-4ea9000dfafc.exe
  2⤵
  PID:5392
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e2290-951f-11ec-bb6a-4ea9000dfafc.exe
  2⤵
  PID:5384
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb89-4ea9000dfafc.exe
  2⤵
  PID:5348
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015d3830-951f-11ec-bb62-4ea9000dfafc.exe
  2⤵
  PID:5312
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014e4410-951f-11ec-bae3-4ea9000dfafc.exe
  2⤵
  PID:5292
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb8a-4ea9000dfafc.exe
  2⤵
  PID:5268
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01517860-951f-11ec-bb11-4ea9000dfafc.exe
  2⤵
  PID:5252
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01646420-951f-11ec-bba8-4ea9000dfafc.exe
  2⤵
  PID:5232
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01517860-951f-11ec-bb0f-4ea9000dfafc.exe
  2⤵
  PID:5216
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0148ece0-951f-11ec-baa0-4ea9000dfafc.exe
  2⤵
  PID:5192
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01382400-951f-11ec-ba64-4ea9000dfafc.exe
  2⤵
  PID:5180
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014c6f50-951f-11ec-bacc-4ea9000dfafc.exe
  2⤵
  PID:5156
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0148ece0-951f-11ec-baa2-4ea9000dfafc.exe
  2⤵
  PID:5132
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb80-4ea9000dfafc.exe
  2⤵
  PID:5116
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014d80c0-951f-11ec-bad9-4ea9000dfafc.exe
  2⤵
  PID:5092
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014e4410-951f-11ec-bae2-4ea9000dfafc.exe
  2⤵
  PID:5080
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01568170-951f-11ec-bb34-4ea9000dfafc.exe
  2⤵
  PID:5060
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014877b0-951f-11ec-ba92-4ea9000dfafc.exe
  2⤵
  PID:5044
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01560c40-951f-11ec-bb2c-4ea9000dfafc.exe
  2⤵
  PID:5024
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0158a450-951f-11ec-bb3b-4ea9000dfafc.exe
  2⤵
  PID:5000
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb87-4ea9000dfafc.exe
  2⤵
  PID:4984
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014bfa20-951f-11ec-bac0-4ea9000dfafc.exe
  2⤵
  PID:4964
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014c2130-951f-11ec-bac4-4ea9000dfafc.exe
  2⤵
  PID:4948
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0152d7f0-951f-11ec-bb19-4ea9000dfafc.exe
  2⤵
  PID:4924
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015d5f40-951f-11ec-bb63-4ea9000dfafc.exe
  2⤵
  PID:4912
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb7d-4ea9000dfafc.exe
  2⤵
  PID:4888
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb81-4ea9000dfafc.exe
  2⤵
  PID:4864
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0158cb60-951f-11ec-bb3d-4ea9000dfafc.exe
  2⤵
  PID:4828
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014c4840-951f-11ec-bac7-4ea9000dfafc.exe
  2⤵
  PID:4808
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb7a-4ea9000dfafc.exe
  2⤵
  PID:4780
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014877b0-951f-11ec-ba96-4ea9000dfafc.exe
  2⤵
  PID:4768
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014d80c0-951f-11ec-bada-4ea9000dfafc.exe
  2⤵
  PID:4744
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015b3c60-951f-11ec-bb57-4ea9000dfafc.exe
  2⤵
  PID:4720
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0149d740-951f-11ec-baa8-4ea9000dfafc.exe
  2⤵
  PID:4696
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015ac730-951f-11ec-bb56-4ea9000dfafc.exe
  2⤵
  PID:4688
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014eb940-951f-11ec-bae7-4ea9000dfafc.exe
  2⤵
  PID:4660
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014c2130-951f-11ec-bac5-4ea9000dfafc.exe
  2⤵
  PID:4640
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014877b0-951f-11ec-ba95-4ea9000dfafc.exe
  2⤵
  PID:4616
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015a7910-951f-11ec-bb4e-4ea9000dfafc.exe
  2⤵
  PID:4600
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0142ab50-951f-11ec-ba82-4ea9000dfafc.exe
  2⤵
  PID:4576
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014f2e70-951f-11ec-baef-4ea9000dfafc.exe
  2⤵
  PID:4552
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0145b890-951f-11ec-ba8b-4ea9000dfafc.exe
  2⤵
  PID:4528
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 013a6df0-951f-11ec-ba65-4ea9000dfafc.exe
  2⤵
  PID:4516
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0164d950-951f-11ec-bbad-4ea9000dfafc.exe
  2⤵
  PID:4492
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0138c040-951f-11ec-ba64-4ea9000dfafc.exe
  2⤵
  PID:4480
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01646420-951f-11ec-bbaa-4ea9000dfafc.exe
  2⤵
  PID:4460
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0136eb80-951f-11ec-ba64-4ea9000dfafc.exe
  2⤵
  PID:4444
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01345370-951f-11ec-ba64-4ea9000dfafc.exe
  2⤵
  PID:4408
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01362830-951f-11ec-ba64-4ea9000dfafc.exe
  2⤵
  PID:4396
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01641600-951f-11ec-bba8-4ea9000dfafc.exe
  2⤵
  PID:4376
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01641600-951f-11ec-bba7-4ea9000dfafc.exe
  2⤵
  PID:4348
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01641600-951f-11ec-bba6-4ea9000dfafc.exe
  2⤵
  PID:4324
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0163eef0-951f-11ec-bba5-4ea9000dfafc.exe
  2⤵
  PID:4300
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0163eef0-951f-11ec-bba4-4ea9000dfafc.exe
  2⤵
  PID:4288
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0163eef0-951f-11ec-bba3-4ea9000dfafc.exe
  2⤵
  PID:4268
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0163eef0-951f-11ec-bba2-4ea9000dfafc.exe
  2⤵
  PID:4252
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0161cc10-951f-11ec-bba1-4ea9000dfafc.exe
  2⤵
  PID:4220
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01319450-951f-11ec-ba64-4ea9000dfafc.exe
  2⤵
  PID:4204
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01632ba0-951f-11ec-bba1-4ea9000dfafc.exe
  2⤵
  PID:4184
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 012eae20-951f-11ec-ba63-4ea9000dfafc.exe
  2⤵
  PID:4168
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01626850-951f-11ec-bba1-4ea9000dfafc.exe
  2⤵
  PID:4144
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 012e38f0-951f-11ec-ba63-4ea9000dfafc.exe
  2⤵
  PID:4136
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0161a500-951f-11ec-bb9c-4ea9000dfafc.exe
  2⤵
  PID:4092
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0161a500-951f-11ec-bb9a-4ea9000dfafc.exe
  2⤵
  PID:4068
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0160baa0-951f-11ec-bb95-4ea9000dfafc.exe
  2⤵
  PID:4032
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01612fd0-951f-11ec-bb98-4ea9000dfafc.exe
  2⤵
  PID:4024
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb88-4ea9000dfafc.exe
  2⤵
  PID:3996
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0160baa0-951f-11ec-bb93-4ea9000dfafc.exe
  2⤵
  PID:3988
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01609390-951f-11ec-bb92-4ea9000dfafc.exe
  2⤵
  PID:3976
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015fd040-951f-11ec-bb91-4ea9000dfafc.exe
  2⤵
  PID:3960
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01606c80-951f-11ec-bb92-4ea9000dfafc.exe
  2⤵
  PID:3936
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015cc300-951f-11ec-bb60-4ea9000dfafc.exe
  2⤵
  PID:3924
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb8b-4ea9000dfafc.exe
  2⤵
  PID:3916
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0155e530-951f-11ec-bb2a-4ea9000dfafc.exe
  2⤵
  PID:3904
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e97c0-951f-11ec-bb8e-4ea9000dfafc.exe
  2⤵
  PID:3876
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015a7910-951f-11ec-bb50-4ea9000dfafc.exe
  2⤵
  PID:3864
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e97c0-951f-11ec-bb8d-4ea9000dfafc.exe
  2⤵
  PID:3852
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e2290-951f-11ec-bb69-4ea9000dfafc.exe
  2⤵
  PID:3844
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb82-4ea9000dfafc.exe
  2⤵
  PID:3816
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb85-4ea9000dfafc.exe
  2⤵
  PID:3804
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb84-4ea9000dfafc.exe
  2⤵
  PID:3792
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0148ece0-951f-11ec-ba9e-4ea9000dfafc.exe
  2⤵
  PID:3768
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb6d-4ea9000dfafc.exe
  2⤵
  PID:3756
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0138c040-951f-11ec-ba65-4ea9000dfafc.exe
  2⤵
  PID:3748
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb79-4ea9000dfafc.exe
  2⤵
  PID:3720
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb78-4ea9000dfafc.exe
  2⤵
  PID:3708
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb76-4ea9000dfafc.exe
  2⤵
  PID:3696
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb74-4ea9000dfafc.exe
  2⤵
  PID:3688
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015066f0-951f-11ec-bb06-4ea9000dfafc.exe
  2⤵
  PID:3660
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb70-4ea9000dfafc.exe
  2⤵
  PID:3652
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb71-4ea9000dfafc.exe
  2⤵
  PID:3640
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb6e-4ea9000dfafc.exe
  2⤵
  PID:3624
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb6f-4ea9000dfafc.exe
  2⤵
  PID:3612
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb6c-4ea9000dfafc.exe
  2⤵
  PID:3604
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015dd470-951f-11ec-bb68-4ea9000dfafc.exe
  2⤵
  PID:3576
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015dfb80-951f-11ec-bb69-4ea9000dfafc.exe
  2⤵
  PID:3564
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015dfb80-951f-11ec-bb68-4ea9000dfafc.exe
  2⤵
  PID:3556
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015dd470-951f-11ec-bb67-4ea9000dfafc.exe
  2⤵
  PID:3528
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015dad60-951f-11ec-bb66-4ea9000dfafc.exe
  2⤵
  PID:3516
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015d5f40-951f-11ec-bb66-4ea9000dfafc.exe
  2⤵
  PID:3504
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015d5f40-951f-11ec-bb65-4ea9000dfafc.exe
  2⤵
  PID:3480
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01591980-951f-11ec-bb42-4ea9000dfafc.exe
  2⤵
  PID:3468
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015d5f40-951f-11ec-bb64-4ea9000dfafc.exe
  2⤵
  PID:3460
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015c4dd0-951f-11ec-bb5f-4ea9000dfafc.exe
  2⤵
  PID:3432
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015b8a80-951f-11ec-bb5e-4ea9000dfafc.exe
  2⤵
  PID:3420
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015b6370-951f-11ec-bb58-4ea9000dfafc.exe
  2⤵
  PID:3408
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015b3c60-951f-11ec-bb58-4ea9000dfafc.exe
  2⤵
  PID:3400
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015aa020-951f-11ec-bb52-4ea9000dfafc.exe
  2⤵
  PID:3376
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015a5200-951f-11ec-bb4e-4ea9000dfafc.exe
  2⤵
  PID:3368
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01598eb0-951f-11ec-bb48-4ea9000dfafc.exe
  2⤵
  PID:3360
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015a2af0-951f-11ec-bb4e-4ea9000dfafc.exe
  2⤵
  PID:3352
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015a03e0-951f-11ec-bb4d-4ea9000dfafc.exe
  2⤵
  PID:3344
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0159b5c0-951f-11ec-bb4d-4ea9000dfafc.exe
  2⤵
  PID:3336
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01598eb0-951f-11ec-bb49-4ea9000dfafc.exe
  2⤵
  PID:3328
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01591980-951f-11ec-bb46-4ea9000dfafc.exe
  2⤵
  PID:3320
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01598eb0-951f-11ec-bb47-4ea9000dfafc.exe
  2⤵
  PID:3304
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01594090-951f-11ec-bb47-4ea9000dfafc.exe
  2⤵
  PID:3296
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01594090-951f-11ec-bb46-4ea9000dfafc.exe
  2⤵
  PID:3288
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0158f270-951f-11ec-bb41-4ea9000dfafc.exe
  2⤵
  PID:3280
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0158f270-951f-11ec-bb42-4ea9000dfafc.exe
  2⤵
  PID:3272
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01591980-951f-11ec-bb43-4ea9000dfafc.exe
  2⤵
  PID:3264
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01582f20-951f-11ec-bb38-4ea9000dfafc.exe
  2⤵
  PID:3240
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014913f0-951f-11ec-baa3-4ea9000dfafc.exe
  2⤵
  PID:3232
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0156f6a0-951f-11ec-bb36-4ea9000dfafc.exe
  2⤵
  PID:3224
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01580810-951f-11ec-bb36-4ea9000dfafc.exe
  2⤵
  PID:3216
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0157b9f0-951f-11ec-bb36-4ea9000dfafc.exe
  2⤵
  PID:3200
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01568170-951f-11ec-bb33-4ea9000dfafc.exe
  2⤵
  PID:3192
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01563350-951f-11ec-bb2f-4ea9000dfafc.exe
  2⤵
  PID:3184
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01559710-951f-11ec-bb28-4ea9000dfafc.exe
  2⤵
  PID:3120
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015548f0-951f-11ec-bb24-4ea9000dfafc.exe
  2⤵
  PID:3096
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0154d3c0-951f-11ec-bb23-4ea9000dfafc.exe
  2⤵
  PID:3088
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0154acb0-951f-11ec-bb23-4ea9000dfafc.exe
  2⤵
  PID:3080
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015485a0-951f-11ec-bb22-4ea9000dfafc.exe
  2⤵
  PID:2168
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015485a0-951f-11ec-bb21-4ea9000dfafc.exe
  2⤵
  PID:2232
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0152d7f0-951f-11ec-bb1a-4ea9000dfafc.exe
  2⤵
  PID:3016
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0153c250-951f-11ec-bb1c-4ea9000dfafc.exe
  2⤵
  PID:3020
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0152b0e0-951f-11ec-bb17-4ea9000dfafc.exe
  2⤵
  PID:2056
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015289d0-951f-11ec-bb17-4ea9000dfafc.exe
  2⤵
  PID:2052
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014c4840-951f-11ec-bacb-4ea9000dfafc.exe
  2⤵
  PID:3024
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014ff1c0-951f-11ec-bafe-4ea9000dfafc.exe
  2⤵
  PID:3056
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01517860-951f-11ec-bb13-4ea9000dfafc.exe
  2⤵
  PID:3048
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014c9660-951f-11ec-bad1-4ea9000dfafc.exe
  2⤵
  PID:2940
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0150dc20-951f-11ec-bb0f-4ea9000dfafc.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01508e00-951f-11ec-bb09-4ea9000dfafc.exe
  2⤵
  PID:2884
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0150b510-951f-11ec-bb0b-4ea9000dfafc.exe
  2⤵
  PID:2828
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01508e00-951f-11ec-bb07-4ea9000dfafc.exe
  2⤵
  PID:2768
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015066f0-951f-11ec-bb07-4ea9000dfafc.exe
  2⤵
  PID:2720
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01503fe0-951f-11ec-bb02-4ea9000dfafc.exe
  2⤵
  PID:2780
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015018d0-951f-11ec-bb01-4ea9000dfafc.exe
  2⤵
  PID:2736
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014ff1c0-951f-11ec-baff-4ea9000dfafc.exe
  2⤵
  PID:2740
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014f7c90-951f-11ec-baf8-4ea9000dfafc.exe
  2⤵
  PID:2632
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014f5580-951f-11ec-baf6-4ea9000dfafc.exe
  2⤵
  PID:2504
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014f5580-951f-11ec-baf5-4ea9000dfafc.exe
  2⤵
  PID:2512
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014f5580-951f-11ec-baf4-4ea9000dfafc.exe
  2⤵
  PID:2588
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014f5580-951f-11ec-baf3-4ea9000dfafc.exe
  2⤵
  PID:2592
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014f0760-951f-11ec-baed-4ea9000dfafc.exe
  2⤵
  PID:2532
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014ee050-951f-11ec-baeb-4ea9000dfafc.exe
  2⤵
  PID:2500
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014eb940-951f-11ec-bae6-4ea9000dfafc.exe
  2⤵
  PID:2508
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014e9230-951f-11ec-bae5-4ea9000dfafc.exe
  2⤵
  PID:2432
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014e9230-951f-11ec-bae6-4ea9000dfafc.exe
  2⤵
  PID:2396
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014d80c0-951f-11ec-badd-4ea9000dfafc.exe
  2⤵
  PID:2416
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014df5f0-951f-11ec-bae1-4ea9000dfafc.exe
  2⤵
  PID:2352
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014da7d0-951f-11ec-bade-4ea9000dfafc.exe
  2⤵
  PID:2320
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014d59b0-951f-11ec-bad5-4ea9000dfafc.exe
  2⤵
  PID:2324
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014d59b0-951f-11ec-bad9-4ea9000dfafc.exe
  2⤵
  PID:2312
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014c9660-951f-11ec-bad2-4ea9000dfafc.exe
  2⤵
  PID:2280
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014d0b90-951f-11ec-bad4-4ea9000dfafc.exe
  2⤵
  PID:2300
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014d32a0-951f-11ec-bad5-4ea9000dfafc.exe
  2⤵
  PID:2256
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014c6f50-951f-11ec-bace-4ea9000dfafc.exe
  2⤵
  PID:2284
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014c4840-951f-11ec-bacc-4ea9000dfafc.exe
  2⤵
  PID:2268
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014c4840-951f-11ec-bac6-4ea9000dfafc.exe
  2⤵
  PID:2248
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014c2130-951f-11ec-bac6-4ea9000dfafc.exe
  2⤵
  PID:2192
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014c2130-951f-11ec-bac3-4ea9000dfafc.exe
  2⤵
  PID:2224
- C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba77-4ea9000dfafc.exe
  0142ab50-951f-11ec-ba77-4ea9000dfafc.exe C:\\Users\Admin\AppData\Roaming\UnprotectGroup.css
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014a9a90-951f-11ec-baaf-4ea9000dfafc.exe
  2⤵
  PID:288
- C:\Users\Admin\AppData\Local\Temp\013b5850-951f-11ec-ba67-4ea9000dfafc.exe
  013b5850-951f-11ec-ba67-4ea9000dfafc.exe C:\\Users\Admin\AppData\Roaming\ExportResolve.xlsx
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Users\Admin\AppData\Local\Temp\013eb3b0-951f-11ec-ba67-4ea9000dfafc.exe
  013eb3b0-951f-11ec-ba67-4ea9000dfafc.exe C:\\Users\Admin\AppData\Roaming\GrantCheckpoint.html
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Users\Admin\AppData\Local\Temp\012e11e0-951f-11ec-ba63-4ea9000dfafc.exe
  012e11e0-951f-11ec-ba63-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi"
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Users\Admin\AppData\Local\Temp\014395b0-951f-11ec-ba87-4ea9000dfafc.exe
  014395b0-951f-11ec-ba87-4ea9000dfafc.exe C:\\Users\Admin\Documents\Opened.docx
  2⤵
  - Executes dropped EXE
  PID:6508
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014d59b0-951f-11ec-bad7-4ea9000dfafc.exe
  2⤵
  PID:6524
- C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba80-4ea9000dfafc.exe
  0142ab50-951f-11ec-ba80-4ea9000dfafc.exe C:\\Users\Admin\Desktop\TestFormat.jpg
  2⤵
  - Executes dropped EXE
  PID:6532
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0150dc20-951f-11ec-bb0d-4ea9000dfafc.exe
  2⤵
  PID:6636
- C:\Users\Admin\AppData\Local\Temp\0147db70-951f-11ec-ba8f-4ea9000dfafc.exe
  0147db70-951f-11ec-ba8f-4ea9000dfafc.exe "C:\\Users\Admin\Favorites\Links\Suggested Sites.url"
  2⤵
  - Executes dropped EXE
  PID:6660
- C:\Users\Admin\AppData\Local\Temp\015e2290-951f-11ec-bb6c-4ea9000dfafc.exe
  015e2290-951f-11ec-bb6c-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt
  2⤵
  - Executes dropped EXE
  PID:6716
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0146a2f0-951f-11ec-ba8b-4ea9000dfafc.exe
  2⤵
  PID:6724
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014bfa20-951f-11ec-babe-4ea9000dfafc.exe
  2⤵
  PID:6732
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01568170-951f-11ec-bb36-4ea9000dfafc.exe
  2⤵
  PID:6740
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0148ece0-951f-11ec-ba9b-4ea9000dfafc.exe
  2⤵
  PID:6748
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01582f20-951f-11ec-bb36-4ea9000dfafc.exe
  2⤵
  PID:6768
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015a2af0-951f-11ec-bb4d-4ea9000dfafc.exe
  2⤵
  PID:6776
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb73-4ea9000dfafc.exe
  2⤵
  PID:6784
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014d80c0-951f-11ec-badc-4ea9000dfafc.exe
  2⤵
  PID:6792
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015aee40-951f-11ec-bb57-4ea9000dfafc.exe
  2⤵
  PID:6800
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015bb190-951f-11ec-bb5e-4ea9000dfafc.exe
  2⤵
  PID:6808
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0159b5c0-951f-11ec-bb4b-4ea9000dfafc.exe
  2⤵
  PID:6816
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014ae8b0-951f-11ec-bab1-4ea9000dfafc.exe
  2⤵
  PID:6824
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014c6f50-951f-11ec-bacd-4ea9000dfafc.exe
  2⤵
  PID:6832
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01565a60-951f-11ec-bb2f-4ea9000dfafc.exe
  2⤵
  PID:6840
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01568170-951f-11ec-bb32-4ea9000dfafc.exe
  2⤵
  PID:6848
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014c6f50-951f-11ec-bad0-4ea9000dfafc.exe
  2⤵
  PID:6856
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014bfa20-951f-11ec-bac2-4ea9000dfafc.exe
  2⤵
  PID:6864
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb7c-4ea9000dfafc.exe
  2⤵
  PID:6872
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01560c40-951f-11ec-bb2e-4ea9000dfafc.exe
  2⤵
  PID:6880
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014fa3a0-951f-11ec-baf9-4ea9000dfafc.exe
  2⤵
  PID:6888
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014c4840-951f-11ec-baca-4ea9000dfafc.exe
  2⤵
  PID:6896
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015e49a0-951f-11ec-bb77-4ea9000dfafc.exe
  2⤵
  PID:6904
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0153c250-951f-11ec-bb1a-4ea9000dfafc.exe
  2⤵
  PID:6912
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015fd040-951f-11ec-bb90-4ea9000dfafc.exe
  2⤵
  PID:6920
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 01523bb0-951f-11ec-bb15-4ea9000dfafc.exe
  2⤵
  PID:6928
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 014d59b0-951f-11ec-bad8-4ea9000dfafc.exe
  2⤵
  PID:6944
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0158f270-951f-11ec-bb3f-4ea9000dfafc.exe
  2⤵
  PID:6936
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0155be20-951f-11ec-bb29-4ea9000dfafc.exe
  2⤵
  PID:6952
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 015214a0-951f-11ec-bb14-4ea9000dfafc.exe
  2⤵
  PID:6960
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe 0137aed0-951f-11ec-ba64-4ea9000dfafc.exe
  2⤵
  PID:6968
- C:\Users\Admin\AppData\Local\Temp\012a8f70-951f-11ec-ba62-4ea9000dfafc.exe
  012a8f70-951f-11ec-ba62-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab"
  2⤵
  - Executes dropped EXE
  PID:6984
- C:\Users\Admin\AppData\Local\Temp\014dcee0-951f-11ec-badf-4ea9000dfafc.exe
  014dcee0-951f-11ec-badf-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"
  2⤵
  - Executes dropped EXE
  PID:6976
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb7e-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb7e-4ea9000dfafc.exe "C:\\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe"
  2⤵
  - Executes dropped EXE
  PID:6992
- C:\Users\Admin\AppData\Local\Temp\014d80c0-951f-11ec-badb-4ea9000dfafc.exe
  014d80c0-951f-11ec-badb-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
  2⤵
  - Executes dropped EXE
  PID:7000
- C:\Users\Admin\AppData\Local\Temp\014bac00-951f-11ec-babe-4ea9000dfafc.exe
  014bac00-951f-11ec-babe-4ea9000dfafc.exe C:\\Users\Admin\Pictures\PingBlock.png
  2⤵
  - Executes dropped EXE
  PID:7024
- C:\Users\Admin\AppData\Local\Temp\0153c250-951f-11ec-bb1d-4ea9000dfafc.exe
  0153c250-951f-11ec-bb1d-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp"
  2⤵
  - Executes dropped EXE
  PID:7048
- C:\Users\Admin\AppData\Local\Temp\0158cb60-951f-11ec-bb3e-4ea9000dfafc.exe
  0158cb60-951f-11ec-bb3e-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Temp\dd_vcredistUI1DE3.txt
  2⤵
  - Executes dropped EXE
  PID:7096
- C:\Users\Admin\AppData\Local\Temp\012a4150-951f-11ec-ba62-4ea9000dfafc.exe
  012a4150-951f-11ec-ba62-4ea9000dfafc.exe C:\\vcredist2010_x86.log.html
  2⤵
  - Executes dropped EXE
  PID:7116
- C:\Users\Admin\AppData\Local\Temp\0159b5c0-951f-11ec-bb4c-4ea9000dfafc.exe
  0159b5c0-951f-11ec-bb4c-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin9728060290\msapplication.xml"
  2⤵
  - Executes dropped EXE
  PID:7124
- C:\Users\Admin\AppData\Local\Temp\01568170-951f-11ec-bb35-4ea9000dfafc.exe
  01568170-951f-11ec-bb35-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited Links"
  2⤵
  - Executes dropped EXE
  PID:7132
- C:\Users\Admin\AppData\Local\Temp\014ff1c0-951f-11ec-bafd-4ea9000dfafc.exe
  014ff1c0-951f-11ec-bafd-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml"
  2⤵
  - Executes dropped EXE
  PID:7164
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb86-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb86-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\metadata"
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Users\Admin\AppData\Local\Temp\0149d740-951f-11ec-baa7-4ea9000dfafc.exe
  0149d740-951f-11ec-baa7-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE"
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Users\Admin\AppData\Local\Temp\0157e100-951f-11ec-bb36-4ea9000dfafc.exe
  0157e100-951f-11ec-bb36-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\GPUCache\data_0"
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Users\Admin\AppData\Local\Temp\0149fe50-951f-11ec-baa8-4ea9000dfafc.exe
  0149fe50-951f-11ec-baa8-4ea9000dfafc.exe C:\\Users\Admin\Music\FormatPublish.pdf
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Users\Admin\AppData\Local\Temp\015d3830-951f-11ec-bb63-4ea9000dfafc.exe
  015d3830-951f-11ec-bb63-4ea9000dfafc.exe "C:\\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab"
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Users\Admin\AppData\Local\Temp\014bd310-951f-11ec-babe-4ea9000dfafc.exe
  014bd310-951f-11ec-babe-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.xml"
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Users\Admin\AppData\Local\Temp\014bfa20-951f-11ec-babf-4ea9000dfafc.exe
  014bfa20-951f-11ec-babf-4ea9000dfafc.exe C:\\Users\Admin\Pictures\PublishNew.jpg
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Users\Admin\AppData\Local\Temp\014b5de0-951f-11ec-bab6-4ea9000dfafc.exe
  014b5de0-951f-11ec-bab6-4ea9000dfafc.exe C:\\Users\Admin\NetHood
  2⤵
  - Executes dropped EXE
  PID:268
- C:\Users\Admin\AppData\Local\Temp\015aa020-951f-11ec-bb51-4ea9000dfafc.exe
  015aa020-951f-11ec-bb51-4ea9000dfafc.exe "C:\\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe"
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Users\Admin\AppData\Local\Temp\0160baa0-951f-11ec-bb96-4ea9000dfafc.exe
  0160baa0-951f-11ec-bb96-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Users\Admin\AppData\Local\Temp\013a9500-951f-11ec-ba65-4ea9000dfafc.exe
  013a9500-951f-11ec-ba65-4ea9000dfafc.exe C:\\Users\Admin\AppData\Roaming\DisableInitialize.cab
  2⤵
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\013edac0-951f-11ec-ba68-4ea9000dfafc.exe
  013edac0-951f-11ec-ba68-4ea9000dfafc.exe C:\\Users\Admin\AppData\Roaming\GroupDeny.dll
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Users\Admin\AppData\Local\Temp\013d2d10-951f-11ec-ba67-4ea9000dfafc.exe
  013d2d10-951f-11ec-ba67-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml"
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Users\Admin\AppData\Local\Temp\0161f320-951f-11ec-bba1-4ea9000dfafc.exe
  0161f320-951f-11ec-bba1-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_0"
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Users\Admin\AppData\Local\Temp\0163c7e0-951f-11ec-bba2-4ea9000dfafc.exe
  0163c7e0-951f-11ec-bba2-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History"
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Users\Admin\AppData\Local\Temp\0164b240-951f-11ec-bbac-4ea9000dfafc.exe
  0164b240-951f-11ec-bbac-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Reporting and NEL"
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Users\Admin\AppData\Local\Temp\013f4ff0-951f-11ec-ba69-4ea9000dfafc.exe
  013f4ff0-951f-11ec-ba69-4ea9000dfafc.exe C:\\Users\Admin\AppData\Roaming\Microsoft\Protect\CREDHIST
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Users\Admin\AppData\Local\Temp\015cc300-951f-11ec-bb61-4ea9000dfafc.exe
  015cc300-951f-11ec-bb61-4ea9000dfafc.exe "C:\\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi"
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Users\Admin\AppData\Local\Temp\013f7700-951f-11ec-ba6a-4ea9000dfafc.exe
  013f7700-951f-11ec-ba6a-4ea9000dfafc.exe C:\\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1405931862-909307831-4085185274-1000\de3585ab-c5a0-4152-b6e6-a02dc814678c
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Users\Admin\AppData\Local\Temp\013f4ff0-951f-11ec-ba68-4ea9000dfafc.exe
  013f4ff0-951f-11ec-ba68-4ea9000dfafc.exe C:\\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1405931862-909307831-4085185274-1000\0f5007522459c86e95ffcc62f32308f1_1a933a73-4d03-4b91-8cac-7b66f466e846
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Users\Admin\AppData\Local\Temp\014124b0-951f-11ec-ba6d-4ea9000dfafc.exe
  014124b0-951f-11ec-ba6d-4ea9000dfafc.exe C:\\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\SecurityPreloadState.txt
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Users\Admin\AppData\Local\Temp\0163a0d0-951f-11ec-bba2-4ea9000dfafc.exe
  0163a0d0-951f-11ec-bba2-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico"
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Users\Admin\AppData\Local\Temp\01401340-951f-11ec-ba6a-4ea9000dfafc.exe
  01401340-951f-11ec-ba6a-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi"
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Users\Admin\AppData\Local\Temp\014124b0-951f-11ec-ba6b-4ea9000dfafc.exe
  014124b0-951f-11ec-ba6b-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20200403170909"
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Users\Admin\AppData\Local\Temp\0140fda0-951f-11ec-ba6a-4ea9000dfafc.exe
  0140fda0-951f-11ec-ba6a-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml"
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Users\Admin\AppData\Local\Temp\013f4ff0-951f-11ec-ba6a-4ea9000dfafc.exe
  013f4ff0-951f-11ec-ba6a-4ea9000dfafc.exe C:\\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1405931862-909307831-4085185274-1000\Preferred
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\0153c250-951f-11ec-bb1e-4ea9000dfafc.exe
  0153c250-951f-11ec-bb1e-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp"
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Users\Admin\AppData\Local\Temp\014124b0-951f-11ec-ba6c-4ea9000dfafc.exe
  014124b0-951f-11ec-ba6c-4ea9000dfafc.exe C:\\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\AlternateServices.txt
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba6e-4ea9000dfafc.exe
  0142ab50-951f-11ec-ba6e-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml"
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba71-4ea9000dfafc.exe
  0142ab50-951f-11ec-ba71-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab"
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Users\Admin\AppData\Local\Temp\01425d30-951f-11ec-ba6d-4ea9000dfafc.exe
  01425d30-951f-11ec-ba6d-4ea9000dfafc.exe C:\\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\pkcs11.txt
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba72-4ea9000dfafc.exe
  0142ab50-951f-11ec-ba72-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi"
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba6f-4ea9000dfafc.exe
  0142ab50-951f-11ec-ba6f-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml"
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba73-4ea9000dfafc.exe
  0142ab50-951f-11ec-ba73-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml"
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba74-4ea9000dfafc.exe
  0142ab50-951f-11ec-ba74-4ea9000dfafc.exe C:\\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\pluginreg.dat
  2⤵
  PID:2272
- C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba78-4ea9000dfafc.exe
  0142ab50-951f-11ec-ba78-4ea9000dfafc.exe "C:\\Users\Admin\Application Data"
  2⤵
  PID:2488
- C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba70-4ea9000dfafc.exe
  0142ab50-951f-11ec-ba70-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml"
  2⤵
  PID:2420
- C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba75-4ea9000dfafc.exe
  0142ab50-951f-11ec-ba75-4ea9000dfafc.exe C:\\Users\Admin\AppData\Roaming\SelectConnect.cab
  2⤵
  PID:2424
- C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba7b-4ea9000dfafc.exe
  0142ab50-951f-11ec-ba7b-4ea9000dfafc.exe C:\\Users\Admin\Desktop\ApproveCheckpoint.avi
  2⤵
  PID:2464
- C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba7f-4ea9000dfafc.exe
  0142ab50-951f-11ec-ba7f-4ea9000dfafc.exe C:\\Users\Admin\Desktop\RestartFormat.avi
  2⤵
  PID:2900
- C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba83-4ea9000dfafc.exe
  0142ab50-951f-11ec-ba83-4ea9000dfafc.exe C:\\Users\Admin\Documents\Are.docx
  2⤵
  PID:2504
- C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba7d-4ea9000dfafc.exe
  0142ab50-951f-11ec-ba7d-4ea9000dfafc.exe C:\\Users\Admin\Desktop\ConvertToDebug.zip
  2⤵
  PID:2644
- C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba86-4ea9000dfafc.exe
  0142ab50-951f-11ec-ba86-4ea9000dfafc.exe "C:\\Users\Admin\Documents\My Music"
  2⤵
  PID:2636
- C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba7c-4ea9000dfafc.exe
  0142ab50-951f-11ec-ba7c-4ea9000dfafc.exe C:\\Users\Admin\Desktop\BackupUninstall.vsd
  2⤵
  PID:2692
- C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba84-4ea9000dfafc.exe
  0142ab50-951f-11ec-ba84-4ea9000dfafc.exe C:\\Users\Admin\Documents\CompressDismount.xps
  2⤵
  PID:3200
- C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba87-4ea9000dfafc.exe
  0142ab50-951f-11ec-ba87-4ea9000dfafc.exe "C:\\Users\Admin\Documents\My Pictures"
  2⤵
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba81-4ea9000dfafc.exe
  0142ab50-951f-11ec-ba81-4ea9000dfafc.exe C:\\Users\Admin\Desktop\WaitUndo.doc
  2⤵
  PID:3448
- C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba79-4ea9000dfafc.exe
  0142ab50-951f-11ec-ba79-4ea9000dfafc.exe C:\\Users\Admin\Contacts\Admin.contact
  2⤵
  PID:4268
- C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba7e-4ea9000dfafc.exe
  0142ab50-951f-11ec-ba7e-4ea9000dfafc.exe C:\\Users\Admin\Desktop\EnableUnlock.xml
  2⤵
  PID:4192
- C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba85-4ea9000dfafc.exe
  0142ab50-951f-11ec-ba85-4ea9000dfafc.exe C:\\Users\Admin\Documents\Files.docx
  2⤵
  PID:3168
- C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba7a-4ea9000dfafc.exe
  0142ab50-951f-11ec-ba7a-4ea9000dfafc.exe C:\\Users\Admin\Cookies
  2⤵
  PID:3216
- C:\Users\Admin\AppData\Local\Temp\01473f30-951f-11ec-ba8d-4ea9000dfafc.exe
  01473f30-951f-11ec-ba8d-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi"
  2⤵
  PID:2768
- C:\Users\Admin\AppData\Local\Temp\01440ae0-951f-11ec-ba89-4ea9000dfafc.exe
  01440ae0-951f-11ec-ba89-4ea9000dfafc.exe C:\\Users\Admin\Documents\These.docx
  2⤵
  PID:5964
- C:\Users\Admin\AppData\Local\Temp\01454360-951f-11ec-ba8b-4ea9000dfafc.exe
  01454360-951f-11ec-ba8b-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab"
  2⤵
  PID:2648
- C:\Users\Admin\AppData\Local\Temp\0144a720-951f-11ec-ba89-4ea9000dfafc.exe
  0144a720-951f-11ec-ba89-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml"
  2⤵
  PID:6500
- C:\Users\Admin\AppData\Local\Temp\0144a720-951f-11ec-ba8a-4ea9000dfafc.exe
  0144a720-951f-11ec-ba8a-4ea9000dfafc.exe C:\\Users\Admin\Documents\UnlockRevoke.xls
  2⤵
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\0146a2f0-951f-11ec-ba8c-4ea9000dfafc.exe
  0146a2f0-951f-11ec-ba8c-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab"
  2⤵
  PID:6108
- C:\Users\Admin\AppData\Local\Temp\01482990-951f-11ec-ba92-4ea9000dfafc.exe
  01482990-951f-11ec-ba92-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab"
  2⤵
  PID:4188
- C:\Users\Admin\AppData\Local\Temp\01476640-951f-11ec-ba8f-4ea9000dfafc.exe
  01476640-951f-11ec-ba8f-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13290092064104400"
  2⤵
  PID:5916
- C:\Users\Admin\AppData\Local\Temp\01482990-951f-11ec-ba91-4ea9000dfafc.exe
  01482990-951f-11ec-ba91-4ea9000dfafc.exe "C:\\Users\Admin\Favorites\Links\Web Slice Gallery.url"
  2⤵
  PID:6208
- C:\Users\Admin\AppData\Local\Temp\014877b0-951f-11ec-ba98-4ea9000dfafc.exe
  014877b0-951f-11ec-ba98-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi"
  2⤵
  PID:6376
- C:\Users\Admin\AppData\Local\Temp\014877b0-951f-11ec-ba97-4ea9000dfafc.exe
  014877b0-951f-11ec-ba97-4ea9000dfafc.exe "C:\\Users\Admin\Favorites\MSN Websites\MSN Autos.url"
  2⤵
  PID:6352
- C:\Users\Admin\AppData\Local\Temp\0148c5d0-951f-11ec-ba9a-4ea9000dfafc.exe
  0148c5d0-951f-11ec-ba9a-4ea9000dfafc.exe "C:\\Users\Admin\Favorites\MSN Websites\MSN Sports.url"
  2⤵
  PID:5888
- C:\Users\Admin\AppData\Local\Temp\0148ece0-951f-11ec-ba9d-4ea9000dfafc.exe
  0148ece0-951f-11ec-ba9d-4ea9000dfafc.exe "C:\\Users\Admin\Favorites\Microsoft Websites\IE Add-on site.url"
  2⤵
  PID:4252
- C:\Users\Admin\AppData\Local\Temp\0148c5d0-951f-11ec-ba9b-4ea9000dfafc.exe
  0148c5d0-951f-11ec-ba9b-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml"
  2⤵
  PID:6080
- C:\Users\Admin\AppData\Local\Temp\0148ece0-951f-11ec-ba9c-4ea9000dfafc.exe
  0148ece0-951f-11ec-ba9c-4ea9000dfafc.exe "C:\\Users\Admin\Favorites\MSN Websites\MSNBC News.url"
  2⤵
  PID:6204
- C:\Users\Admin\AppData\Local\Temp\01493b00-951f-11ec-baa5-4ea9000dfafc.exe
  01493b00-951f-11ec-baa5-4ea9000dfafc.exe C:\\ProgramData\Microsoft\OFFICE\DocumentRepository.ico
  2⤵
  PID:3740
- C:\Users\Admin\AppData\Local\Temp\0148ece0-951f-11ec-ba9f-4ea9000dfafc.exe
  0148ece0-951f-11ec-ba9f-4ea9000dfafc.exe "C:\\Users\Admin\Favorites\Microsoft Websites\Microsoft At Home.url"
  2⤵
  PID:6132
- C:\Users\Admin\AppData\Local\Temp\0149d740-951f-11ec-baa6-4ea9000dfafc.exe
  0149d740-951f-11ec-baa6-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll"
  2⤵
  PID:5908
- C:\Users\Admin\AppData\Local\Temp\0148ece0-951f-11ec-baa3-4ea9000dfafc.exe
  0148ece0-951f-11ec-baa3-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi"
  2⤵
  PID:5696
- C:\Users\Admin\AppData\Local\Temp\0149fe50-951f-11ec-baaa-4ea9000dfafc.exe
  0149fe50-951f-11ec-baaa-4ea9000dfafc.exe C:\\Users\Admin\Music\GetResolve.xps
  2⤵
  PID:6292
- C:\Users\Admin\AppData\Local\Temp\01493b00-951f-11ec-baa3-4ea9000dfafc.exe
  01493b00-951f-11ec-baa3-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml"
  2⤵
  PID:3268
- C:\Users\Admin\AppData\Local\Temp\01493b00-951f-11ec-baa4-4ea9000dfafc.exe
  01493b00-951f-11ec-baa4-4ea9000dfafc.exe "C:\\Users\Admin\Favorites\Microsoft Websites\Microsoft Store.url"
  2⤵
  PID:5400
- C:\Users\Admin\AppData\Local\Temp\0149fe50-951f-11ec-baa9-4ea9000dfafc.exe
  0149fe50-951f-11ec-baa9-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab"
  2⤵
  PID:6288
- C:\Users\Admin\AppData\Local\Temp\014a2560-951f-11ec-baac-4ea9000dfafc.exe
  014a2560-951f-11ec-baac-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi"
  2⤵
  PID:2052
- C:\Users\Admin\AppData\Local\Temp\014a9a90-951f-11ec-baaf-4ea9000dfafc.exe
  014a9a90-951f-11ec-baaf-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml"
  2⤵
  PID:3264
- C:\Users\Admin\AppData\Local\Temp\014ae8b0-951f-11ec-bab3-4ea9000dfafc.exe
  014ae8b0-951f-11ec-bab3-4ea9000dfafc.exe C:\\Users\Admin\NTUSER.DAT
  2⤵
  PID:4220
- C:\Users\Admin\AppData\Local\Temp\014b5de0-951f-11ec-bab7-4ea9000dfafc.exe
  014b5de0-951f-11ec-bab7-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab"
  2⤵
  PID:3404
- C:\Users\Admin\AppData\Local\Temp\014b84f0-951f-11ec-bab9-4ea9000dfafc.exe
  014b84f0-951f-11ec-bab9-4ea9000dfafc.exe C:\\Users\Admin\Pictures\ConvertWait.jpg
  2⤵
  PID:3844
- C:\Users\Admin\AppData\Local\Temp\014a2560-951f-11ec-baad-4ea9000dfafc.exe
  014a2560-951f-11ec-baad-4ea9000dfafc.exe C:\\Users\Admin\Music\SubmitSave.xls
  2⤵
  PID:4352
- C:\Users\Admin\AppData\Local\Temp\014ae8b0-951f-11ec-bab4-4ea9000dfafc.exe
  014ae8b0-951f-11ec-bab4-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll"
  2⤵
  PID:5412
- C:\Users\Admin\AppData\Local\Temp\014bac00-951f-11ec-babd-4ea9000dfafc.exe
  014bac00-951f-11ec-babd-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi"
  2⤵
  PID:5312
- C:\Users\Admin\AppData\Local\Temp\014a2560-951f-11ec-baab-4ea9000dfafc.exe
  014a2560-951f-11ec-baab-4ea9000dfafc.exe C:\\Users\Admin\Music\StartLimit.xlsx
  2⤵
  PID:5940
- C:\Users\Admin\AppData\Local\Temp\014b0fc0-951f-11ec-bab5-4ea9000dfafc.exe
  014b0fc0-951f-11ec-bab5-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm"
  2⤵
  PID:3696
- C:\Users\Admin\AppData\Local\Temp\014a2560-951f-11ec-baaa-4ea9000dfafc.exe
  014a2560-951f-11ec-baaa-4ea9000dfafc.exe C:\\Users\Admin\Music\PopPing.docx
  2⤵
  PID:5396
- C:\Users\Admin\AppData\Local\Temp\014b84f0-951f-11ec-babb-4ea9000dfafc.exe
  014b84f0-951f-11ec-babb-4ea9000dfafc.exe C:\\Users\Admin\Pictures\NewSearch.ico
  2⤵
  PID:5272
- C:\Users\Admin\AppData\Local\Temp\014a9a90-951f-11ec-bab0-4ea9000dfafc.exe
  014a9a90-951f-11ec-bab0-4ea9000dfafc.exe "C:\\Users\Admin\My Documents"
  2⤵
  PID:3060
- C:\Users\Admin\AppData\Local\Temp\014b0fc0-951f-11ec-bab6-4ea9000dfafc.exe
  014b0fc0-951f-11ec-bab6-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm"
  2⤵
  PID:3892
- C:\Users\Admin\AppData\Local\Temp\014ac1a0-951f-11ec-bab1-4ea9000dfafc.exe
  014ac1a0-951f-11ec-bab1-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml"
  2⤵
  PID:3608
- C:\Users\Admin\AppData\Local\Temp\014c2130-951f-11ec-bac3-4ea9000dfafc.exe
  014c2130-951f-11ec-bac3-4ea9000dfafc.exe C:\\Users\Admin\Pictures\ResolveStep.bmp
  2⤵
  PID:5144
- C:\Users\Admin\AppData\Local\Temp\014bfa20-951f-11ec-bac3-4ea9000dfafc.exe
  014bfa20-951f-11ec-bac3-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml"
  2⤵
  PID:3816
- C:\Users\Admin\AppData\Local\Temp\0145dfa0-951f-11ec-ba8b-4ea9000dfafc.exe
  0145dfa0-951f-11ec-ba8b-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi"
  2⤵
  PID:3364
- C:\Users\Admin\AppData\Local\Temp\014bfa20-951f-11ec-bac1-4ea9000dfafc.exe
  014bfa20-951f-11ec-bac1-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab"
  2⤵
  PID:6120
- C:\Users\Admin\AppData\Local\Temp\014b84f0-951f-11ec-baba-4ea9000dfafc.exe
  014b84f0-951f-11ec-baba-4ea9000dfafc.exe C:\\Users\Admin\Pictures\NewEnable.png
  2⤵
  PID:4892
- C:\Users\Admin\AppData\Local\Temp\014d0b90-951f-11ec-bad5-4ea9000dfafc.exe
  014d0b90-951f-11ec-bad5-4ea9000dfafc.exe C:\\Users\Default\Cookies
  2⤵
  PID:6200
- C:\Users\Admin\AppData\Local\Temp\014d0b90-951f-11ec-bad4-4ea9000dfafc.exe
  014d0b90-951f-11ec-bad4-4ea9000dfafc.exe C:\\ProgramData\Documents
  2⤵
  PID:3284
- C:\Users\Admin\AppData\Local\Temp\014c2130-951f-11ec-bac6-4ea9000dfafc.exe
  014c2130-951f-11ec-bac6-4ea9000dfafc.exe C:\\Users\Admin\Pictures\Wallpaper.jpg
  2⤵
  PID:4436
- C:\Users\Admin\AppData\Local\Temp\014da7d0-951f-11ec-badd-4ea9000dfafc.exe
  014da7d0-951f-11ec-badd-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
  2⤵
  PID:4628
- C:\Users\Admin\AppData\Local\Temp\014df5f0-951f-11ec-bae1-4ea9000dfafc.exe
  014df5f0-951f-11ec-bae1-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
  2⤵
  PID:4148
- C:\Users\Admin\AppData\Local\Temp\014ee050-951f-11ec-baea-4ea9000dfafc.exe
  014ee050-951f-11ec-baea-4ea9000dfafc.exe "C:\\Users\Public\Documents\My Music"
  2⤵
  PID:3692
- C:\Users\Admin\AppData\Local\Temp\014d80c0-951f-11ec-badd-4ea9000dfafc.exe
  014d80c0-951f-11ec-badd-4ea9000dfafc.exe "C:\\Users\Default\Local Settings"
  2⤵
  PID:3712
- C:\Users\Admin\AppData\Local\Temp\014c6f50-951f-11ec-bace-4ea9000dfafc.exe
  014c6f50-951f-11ec-bace-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Setup.xml"
  2⤵
  PID:4700
- C:\Users\Admin\AppData\Local\Temp\014d59b0-951f-11ec-bad9-4ea9000dfafc.exe
  014d59b0-951f-11ec-bad9-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml"
  2⤵
  PID:5544
- C:\Users\Admin\AppData\Local\Temp\014c9660-951f-11ec-bad2-4ea9000dfafc.exe
  014c9660-951f-11ec-bad2-4ea9000dfafc.exe "C:\\ProgramData\Application Data"
  2⤵
  PID:4340
- C:\Users\Admin\AppData\Local\Temp\014d59b0-951f-11ec-bad5-4ea9000dfafc.exe
  014d59b0-951f-11ec-bad5-4ea9000dfafc.exe "C:\\Users\Default\Documents\My Pictures"
  2⤵
  PID:5012
- C:\Users\Admin\AppData\Local\Temp\014dcee0-951f-11ec-bade-4ea9000dfafc.exe
  014dcee0-951f-11ec-bade-4ea9000dfafc.exe C:\\Users\Default\NTUSER.DAT
  2⤵
  PID:5136
- C:\Users\Admin\AppData\Local\Temp\014f5580-951f-11ec-baf5-4ea9000dfafc.exe
  014f5580-951f-11ec-baf5-4ea9000dfafc.exe "C:\\Users\Public\Pictures\Sample Pictures\Desert.jpg"
  2⤵
  PID:5688
- C:\Users\Admin\AppData\Local\Temp\014f5580-951f-11ec-baf4-4ea9000dfafc.exe
  014f5580-951f-11ec-baf4-4ea9000dfafc.exe "C:\\Users\Public\Music\Sample Music\Sleep Away.mp3"
  2⤵
  PID:4520
- C:\Users\Admin\AppData\Local\Temp\014d32a0-951f-11ec-bad5-4ea9000dfafc.exe
  014d32a0-951f-11ec-bad5-4ea9000dfafc.exe "C:\\Users\Default\Documents\My Music"
  2⤵
  PID:3520
- C:\Users\Admin\AppData\Local\Temp\014f0760-951f-11ec-baee-4ea9000dfafc.exe
  014f0760-951f-11ec-baee-4ea9000dfafc.exe "C:\\Users\Public\Music\Sample Music\Kalimba.mp3"
  2⤵
  PID:5420
- C:\Users\Admin\AppData\Local\Temp\014da7d0-951f-11ec-bade-4ea9000dfafc.exe
  014da7d0-951f-11ec-bade-4ea9000dfafc.exe "C:\\Users\Default\My Documents"
  2⤵
  PID:4976
- C:\Users\Admin\AppData\Local\Temp\014f7c90-951f-11ec-baf7-4ea9000dfafc.exe
  014f7c90-951f-11ec-baf7-4ea9000dfafc.exe "C:\\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg"
  2⤵
  PID:3076
- C:\Users\Admin\AppData\Local\Temp\014f2e70-951f-11ec-baf1-4ea9000dfafc.exe
  014f2e70-951f-11ec-baf1-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\sync.ico"
  2⤵
  PID:3248
- C:\Users\Admin\AppData\Local\Temp\014ee050-951f-11ec-baec-4ea9000dfafc.exe
  014ee050-951f-11ec-baec-4ea9000dfafc.exe "C:\\Users\Public\Documents\My Videos"
  2⤵
  PID:2204
- C:\Users\Admin\AppData\Local\Temp\014f2e70-951f-11ec-baf3-4ea9000dfafc.exe
  014f2e70-951f-11ec-baf3-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\wmp.ico"
  2⤵
  PID:6440
- C:\Users\Admin\AppData\Local\Temp\01508e00-951f-11ec-bb09-4ea9000dfafc.exe
  01508e00-951f-11ec-bb09-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp"
  2⤵
  PID:6152
- C:\Users\Admin\AppData\Local\Temp\014ee050-951f-11ec-baeb-4ea9000dfafc.exe
  014ee050-951f-11ec-baeb-4ea9000dfafc.exe "C:\\Users\Public\Documents\My Pictures"
  2⤵
  PID:2976
- C:\Users\Admin\AppData\Local\Temp\014c4840-951f-11ec-bacc-4ea9000dfafc.exe
  014c4840-951f-11ec-bacc-4ea9000dfafc.exe "C:\\Users\All Users"
  2⤵
  PID:3140
- C:\Users\Admin\AppData\Local\Temp\014c6f50-951f-11ec-bad1-4ea9000dfafc.exe
  014c6f50-951f-11ec-bad1-4ea9000dfafc.exe "C:\\Users\Default\AppData\Local\Temporary Internet Files"
  2⤵
  PID:6488
- C:\Users\Admin\AppData\Local\Temp\014e9230-951f-11ec-bae6-4ea9000dfafc.exe
  014e9230-951f-11ec-bae6-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml"
  2⤵
  PID:2916
- C:\Users\Admin\AppData\Local\Temp\014c4840-951f-11ec-bac6-4ea9000dfafc.exe
  014c4840-951f-11ec-bac6-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml"
  2⤵
  PID:2232
- C:\Users\Admin\AppData\Local\Temp\014e4410-951f-11ec-bae4-4ea9000dfafc.exe
  014e4410-951f-11ec-bae4-4ea9000dfafc.exe "C:\\Users\Default\Start Menu"
  2⤵
  PID:3616
- C:\Users\Admin\AppData\Local\Temp\014f5580-951f-11ec-baf3-4ea9000dfafc.exe
  014f5580-951f-11ec-baf3-4ea9000dfafc.exe "C:\\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3"
  2⤵
  PID:3644
- C:\Users\Admin\AppData\Local\Temp\014f0760-951f-11ec-baec-4ea9000dfafc.exe
  014f0760-951f-11ec-baec-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\netfol.ico"
  2⤵
  PID:4676
- C:\Users\Admin\AppData\Local\Temp\014e6b20-951f-11ec-bae4-4ea9000dfafc.exe
  014e6b20-951f-11ec-bae4-4ea9000dfafc.exe C:\\ProgramData\Microsoft\OFFICE\MySharePoints.ico
  2⤵
  PID:4320
- C:\Users\Admin\AppData\Local\Temp\014dcee0-951f-11ec-bae1-4ea9000dfafc.exe
  014dcee0-951f-11ec-bae1-4ea9000dfafc.exe C:\\Users\Default\PrintHood
  2⤵
  PID:4984
- C:\Users\Admin\AppData\Local\Temp\014eb940-951f-11ec-bae6-4ea9000dfafc.exe
  014eb940-951f-11ec-bae6-4ea9000dfafc.exe "C:\\Users\Default User"
  2⤵
  PID:3468
- C:\Users\Admin\AppData\Local\Temp\01503fe0-951f-11ec-bb03-4ea9000dfafc.exe
  01503fe0-951f-11ec-bb03-4ea9000dfafc.exe C:\\ProgramData\Microsoft\OFFICE\SharePointPortalSite.ico
  2⤵
  PID:3924
- C:\Users\Admin\AppData\Local\Temp\014e4410-951f-11ec-bae1-4ea9000dfafc.exe
  014e4410-951f-11ec-bae1-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml"
  2⤵
  PID:5108
- C:\Users\Admin\AppData\Local\Temp\015066f0-951f-11ec-bb05-4ea9000dfafc.exe
  015066f0-951f-11ec-bb05-4ea9000dfafc.exe C:\\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat
  2⤵
  PID:4744
- C:\Users\Admin\AppData\Local\Temp\0160baa0-951f-11ec-bb95-4ea9000dfafc.exe
  0160baa0-951f-11ec-bb95-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD
  2⤵
  PID:4336
- C:\Users\Admin\AppData\Local\Temp\0161a500-951f-11ec-bba0-4ea9000dfafc.exe
  0161a500-951f-11ec-bba0-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000001"
  2⤵
  PID:4928
- C:\Users\Admin\AppData\Local\Temp\0140fda0-951f-11ec-ba6b-4ea9000dfafc.exe
  0140fda0-951f-11ec-ba6b-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml"
  2⤵
  PID:6476
- C:\Users\Admin\AppData\Local\Temp\01425d30-951f-11ec-ba6e-4ea9000dfafc.exe
  01425d30-951f-11ec-ba6e-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi"
  2⤵
  PID:3592
- C:\Users\Admin\AppData\Local\Temp\015066f0-951f-11ec-bb07-4ea9000dfafc.exe
  015066f0-951f-11ec-bb07-4ea9000dfafc.exe C:\\ProgramData\Microsoft\RAC\StateData\RacMetaData.dat
  2⤵
  PID:3212
- C:\Users\Admin\AppData\Local\Temp\0161a500-951f-11ec-bb9d-4ea9000dfafc.exe
  0161a500-951f-11ec-bb9d-4ea9000dfafc.exe "C:\\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg"
  2⤵
  PID:6160
- C:\Users\Admin\AppData\Local\Temp\01598eb0-951f-11ec-bb49-4ea9000dfafc.exe
  01598eb0-951f-11ec-bb49-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Microsoft\Feeds Cache\container.dat"
  2⤵
  PID:4908
- C:\Users\Admin\AppData\Local\Temp\014ee050-951f-11ec-bae9-4ea9000dfafc.exe
  014ee050-951f-11ec-bae9-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml"
  2⤵
  PID:4620
- C:\Users\Admin\AppData\Local\Temp\014ff1c0-951f-11ec-baff-4ea9000dfafc.exe
  014ff1c0-951f-11ec-baff-4ea9000dfafc.exe "C:\\Users\Public\Videos\Sample Videos\Wildlife.wmv"
  2⤵
  PID:5028
- C:\Users\Admin\AppData\Local\Temp\014f5580-951f-11ec-baf6-4ea9000dfafc.exe
  014f5580-951f-11ec-baf6-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml"
  2⤵
  PID:4692
- C:\Users\Admin\AppData\Local\Temp\014f7c90-951f-11ec-baf8-4ea9000dfafc.exe
  014f7c90-951f-11ec-baf8-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"
  2⤵
  PID:5004
- C:\Users\Admin\AppData\Local\Temp\012e38f0-951f-11ec-ba63-4ea9000dfafc.exe
  012e38f0-951f-11ec-ba63-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml"
  2⤵
  PID:3580
- C:\Users\Admin\AppData\Local\Temp\014fcab0-951f-11ec-bafa-4ea9000dfafc.exe
  014fcab0-951f-11ec-bafa-4ea9000dfafc.exe "C:\\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg"
  2⤵
  PID:3752
- C:\Users\Admin\AppData\Local\Temp\0150dc20-951f-11ec-bb0e-4ea9000dfafc.exe
  0150dc20-951f-11ec-bb0e-4ea9000dfafc.exe C:\\ProgramData\Microsoft\IdentityCRL\ppcrlconfig.dll
  2⤵
  PID:3496
- C:\Users\Admin\AppData\Local\Temp\0153c250-951f-11ec-bb1b-4ea9000dfafc.exe
  0153c250-951f-11ec-bb1b-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp"
  2⤵
  PID:3360
- C:\Users\Admin\AppData\Local\Temp\01519f70-951f-11ec-bb13-4ea9000dfafc.exe
  01519f70-951f-11ec-bb13-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp"
  2⤵
  PID:5208
- C:\Users\Admin\AppData\Local\Temp\01319450-951f-11ec-ba64-4ea9000dfafc.exe
  01319450-951f-11ec-ba64-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml"
  2⤵
  PID:4940
- C:\Users\Admin\AppData\Local\Temp\01364f40-951f-11ec-ba64-4ea9000dfafc.exe
  01364f40-951f-11ec-ba64-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe"
  2⤵
  PID:4504
- C:\Users\Admin\AppData\Local\Temp\01480280-951f-11ec-ba90-4ea9000dfafc.exe
  01480280-951f-11ec-ba90-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml"
  2⤵
  PID:4068
- C:\Users\Admin\AppData\Local\Temp\015ac730-951f-11ec-bb54-4ea9000dfafc.exe
  015ac730-951f-11ec-bb54-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\faxxuvis.default-release\cache2\entries\1BBC7759CBC162CA4A6DD44B4D4454193297867E
  2⤵
  PID:5324
- C:\Users\Admin\AppData\Local\Temp\014c4840-951f-11ec-bac9-4ea9000dfafc.exe
  014c4840-951f-11ec-bac9-4ea9000dfafc.exe C:\\Users\Admin\SendTo
  2⤵
  PID:3996
- C:\Users\Admin\AppData\Local\Temp\015c4dd0-951f-11ec-bb5e-4ea9000dfafc.exe
  015c4dd0-951f-11ec-bb5e-4ea9000dfafc.exe "C:\\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab"
  2⤵
  PID:5180
- C:\Users\Admin\AppData\Local\Temp\0158a450-951f-11ec-bb39-4ea9000dfafc.exe
  0158a450-951f-11ec-bb39-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version"
  2⤵
  PID:5924
- C:\Users\Admin\AppData\Local\Temp\015c4dd0-951f-11ec-bb60-4ea9000dfafc.exe
  015c4dd0-951f-11ec-bb60-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\faxxuvis.default-release\cache2\entries\C4483C658D2353FC3956D815B401B6561FFA153E
  2⤵
  PID:3296
- C:\Users\Admin\AppData\Local\Temp\014fa3a0-951f-11ec-bafa-4ea9000dfafc.exe
  014fa3a0-951f-11ec-bafa-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml"
  2⤵
  PID:4760
- C:\Users\Admin\AppData\Local\Temp\0156cf90-951f-11ec-bb36-4ea9000dfafc.exe
  0156cf90-951f-11ec-bb36-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data"
  2⤵
  PID:5276
- C:\Users\Admin\AppData\Local\Temp\0163eef0-951f-11ec-bba2-4ea9000dfafc.exe
  0163eef0-951f-11ec-bba2-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History-journal"
  2⤵
  PID:4288
- C:\Users\Admin\AppData\Local\Temp\014e9230-951f-11ec-bae5-4ea9000dfafc.exe
  014e9230-951f-11ec-bae5-4ea9000dfafc.exe C:\\Users\Default\Templates
  2⤵
  PID:6472
- C:\Users\Admin\AppData\Local\Temp\0158a450-951f-11ec-bb3a-4ea9000dfafc.exe
  0158a450-951f-11ec-bb3a-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State"
  2⤵
  PID:5044
- C:\Users\Admin\AppData\Local\Temp\01414bc0-951f-11ec-ba6d-4ea9000dfafc.exe
  01414bc0-951f-11ec-ba6d-4ea9000dfafc.exe C:\\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\SiteSecurityServiceState.txt
  2⤵
  PID:5068
- C:\Users\Admin\AppData\Local\Temp\015a03e0-951f-11ec-bb4d-4ea9000dfafc.exe
  015a03e0-951f-11ec-bb4d-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt"
  2⤵
  PID:6280
- C:\Users\Admin\AppData\Local\Temp\015066f0-951f-11ec-bb03-4ea9000dfafc.exe
  015066f0-951f-11ec-bb03-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_pref.ico"
  2⤵
  PID:2920
- C:\Users\Admin\AppData\Local\Temp\014b5de0-951f-11ec-bab9-4ea9000dfafc.exe
  014b5de0-951f-11ec-bab9-4ea9000dfafc.exe C:\\Users\Admin\Pictures\ConvertToWatch.jpeg
  2⤵
  PID:6400
- C:\Users\Admin\AppData\Local\Temp\014a4c70-951f-11ec-baae-4ea9000dfafc.exe
  014a4c70-951f-11ec-baae-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml"
  2⤵
  PID:4468
- C:\Users\Admin\AppData\Local\Temp\014f0760-951f-11ec-baed-4ea9000dfafc.exe
  014f0760-951f-11ec-baed-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\pictures.ico"
  2⤵
  PID:5720
- C:\Users\Admin\AppData\Local\Temp\01632ba0-951f-11ec-bba1-4ea9000dfafc.exe
  01632ba0-951f-11ec-bba1-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_3"
  2⤵
  PID:4616
- C:\Users\Admin\AppData\Local\Temp\0158a450-951f-11ec-bb3d-4ea9000dfafc.exe
  0158a450-951f-11ec-bb3d-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1"
  2⤵
  PID:5024
- C:\Users\Admin\AppData\Local\Temp\0163eef0-951f-11ec-bba5-4ea9000dfafc.exe
  0163eef0-951f-11ec-bba5-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG"
  2⤵
  PID:4780
- C:\Users\Admin\AppData\Local\Temp\01654e80-951f-11ec-bbae-4ea9000dfafc.exe
  01654e80-951f-11ec-bbae-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\MANIFEST-000001"
  2⤵
  PID:3576
- C:\Users\Admin\AppData\Local\Temp\01496210-951f-11ec-baa5-4ea9000dfafc.exe
  01496210-951f-11ec-baa5-4ea9000dfafc.exe "C:\\Users\Admin\Local Settings"
  2⤵
  PID:3160
- C:\Users\Admin\AppData\Local\Temp\015aa020-951f-11ec-bb53-4ea9000dfafc.exe
  015aa020-951f-11ec-bb53-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\faxxuvis.default-release\cache2\ce_T151c2VyQ29udGV4dElkPTUsYSw=
  2⤵
  PID:3748
- C:\Users\Admin\AppData\Local\Temp\015aa020-951f-11ec-bb52-4ea9000dfafc.exe
  015aa020-951f-11ec-bb52-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\faxxuvis.default-release\cache2\ce_T151c2VyQ29udGV4dElkPTUs
  2⤵
  PID:6524
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb83-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb83-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7396C420A8E1BC1DA97F1AF0D10BAD21
  2⤵
  PID:6640
- C:\Users\Admin\AppData\Local\Temp\0164d950-951f-11ec-bbac-4ea9000dfafc.exe
  0164d950-951f-11ec-bbac-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Reporting and NEL-journal"
  2⤵
  PID:6752
- C:\Users\Admin\AppData\Local\Temp\01612fd0-951f-11ec-bb99-4ea9000dfafc.exe
  01612fd0-951f-11ec-bb99-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
  2⤵
  PID:6748
- C:\Users\Admin\AppData\Local\Temp\01432080-951f-11ec-ba87-4ea9000dfafc.exe
  01432080-951f-11ec-ba87-4ea9000dfafc.exe "C:\\Users\Admin\Documents\My Videos"
  2⤵
  PID:6760
- C:\Users\Admin\AppData\Local\Temp\01560c40-951f-11ec-bb2a-4ea9000dfafc.exe
  01560c40-951f-11ec-bb2a-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK"
  2⤵
  PID:6764
- C:\Users\Admin\AppData\Local\Temp\015b8a80-951f-11ec-bb5c-4ea9000dfafc.exe
  015b8a80-951f-11ec-bb5c-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\faxxuvis.default-release\cache2\entries\9B0482F4CCDB33BB647AF69825EA127CC02AD57E
  2⤵
  PID:6808
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb8c-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb8c-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat"
  2⤵
  PID:6824
- C:\Users\Admin\AppData\Local\Temp\01545e90-951f-11ec-bb21-4ea9000dfafc.exe
  01545e90-951f-11ec-bb21-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\GPUCache\index"
  2⤵
  PID:6724
- C:\Users\Admin\AppData\Local\Temp\014f7c90-951f-11ec-baf6-4ea9000dfafc.exe
  014f7c90-951f-11ec-baf6-4ea9000dfafc.exe "C:\\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg"
  2⤵
  PID:6740
- C:\Users\Admin\AppData\Local\Temp\0154d3c0-951f-11ec-bb24-4ea9000dfafc.exe
  0154d3c0-951f-11ec-bb24-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp"
  2⤵
  PID:6868
- C:\Users\Admin\AppData\Local\Temp\0163eef0-951f-11ec-bba3-4ea9000dfafc.exe
  0163eef0-951f-11ec-bba3-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT"
  2⤵
  PID:6880
- C:\Users\Admin\AppData\Local\Temp\0161a500-951f-11ec-bb9c-4ea9000dfafc.exe
  0161a500-951f-11ec-bb9c-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  2⤵
  PID:6904
- C:\Users\Admin\AppData\Local\Temp\0162dd80-951f-11ec-bba1-4ea9000dfafc.exe
  0162dd80-951f-11ec-bba1-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2"
  2⤵
  PID:6928
- C:\Users\Admin\AppData\Local\Temp\01471820-951f-11ec-ba8d-4ea9000dfafc.exe
  01471820-951f-11ec-ba8d-4ea9000dfafc.exe C:\\Users\Admin\Downloads\SyncSkip.jpg
  2⤵
  PID:6936
- C:\Users\Admin\AppData\Local\Temp\01523bb0-951f-11ec-bb16-4ea9000dfafc.exe
  01523bb0-951f-11ec-bb16-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\MANIFEST-000001"
  2⤵
  PID:6964
- C:\Users\Admin\AppData\Local\Temp\014dcee0-951f-11ec-bae0-4ea9000dfafc.exe
  014dcee0-951f-11ec-bae0-4ea9000dfafc.exe C:\\Users\Default\NetHood
  2⤵
  PID:7064
- C:\Users\Admin\AppData\Local\Temp\014c9660-951f-11ec-bad3-4ea9000dfafc.exe
  014c9660-951f-11ec-bad3-4ea9000dfafc.exe C:\\ProgramData\Desktop
  2⤵
  PID:7076
- C:\Users\Admin\AppData\Local\Temp\0138c040-951f-11ec-ba64-4ea9000dfafc.exe
  0138c040-951f-11ec-ba64-4ea9000dfafc.exe C:\\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  2⤵
  PID:7084
- C:\Users\Admin\AppData\Local\Temp\01473f30-951f-11ec-ba8e-4ea9000dfafc.exe
  01473f30-951f-11ec-ba8e-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml"
  2⤵
  PID:7092
- C:\Users\Admin\AppData\Local\Temp\01560c40-951f-11ec-bb2d-4ea9000dfafc.exe
  01560c40-951f-11ec-bb2d-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Top Sites"
  2⤵
  PID:7048
- C:\Users\Admin\AppData\Local\Temp\0144f540-951f-11ec-ba8a-4ea9000dfafc.exe
  0144f540-951f-11ec-ba8a-4ea9000dfafc.exe C:\\Users\Admin\Downloads\InitializeRestore.txt
  2⤵
  PID:6992
- C:\Users\Admin\AppData\Local\Temp\015b8a80-951f-11ec-bb5d-4ea9000dfafc.exe
  015b8a80-951f-11ec-bb5d-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\faxxuvis.default-release\cache2\entries\A9CD9A35F7588F07426AF0917E6F3EDE3BDBCF6B
  2⤵
  PID:7160
- C:\Users\Admin\AppData\Local\Temp\0161cc10-951f-11ec-bba1-4ea9000dfafc.exe
  0161cc10-951f-11ec-bba1-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Favicons-journal"
  2⤵
  PID:2088
- C:\Users\Admin\AppData\Local\Temp\015ff750-951f-11ec-bb92-4ea9000dfafc.exe
  015ff750-951f-11ec-bb92-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000001"
  2⤵
  PID:912
- C:\Users\Admin\AppData\Local\Temp\0153c250-951f-11ec-bb1c-4ea9000dfafc.exe
  0153c250-951f-11ec-bb1c-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp"
  2⤵
  PID:2092
- C:\Users\Admin\AppData\Local\Temp\01503fe0-951f-11ec-bb02-4ea9000dfafc.exe
  01503fe0-951f-11ec-bb02-4ea9000dfafc.exe C:\\vcredist2010_x86.log-MSI_vc_red.msi.txt
  2⤵
  PID:6520
- C:\Users\Admin\AppData\Local\Temp\0158a450-951f-11ec-bb38-4ea9000dfafc.exe
  0158a450-951f-11ec-bb38-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\GPUCache\index"
  2⤵
  PID:2012
- C:\Users\Admin\AppData\Local\Temp\01591980-951f-11ec-bb43-4ea9000dfafc.exe
  01591980-951f-11ec-bb43-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Microsoft\Feeds Cache\HN51W9NV\fwlink[1]"
  2⤵
  PID:7008
- C:\Users\Admin\AppData\Local\Temp\0150b510-951f-11ec-bb0b-4ea9000dfafc.exe
  0150b510-951f-11ec-bb0b-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_property.ico"
  2⤵
  PID:2132
- C:\Users\Admin\AppData\Local\Temp\014a4c70-951f-11ec-baad-4ea9000dfafc.exe
  014a4c70-951f-11ec-baad-4ea9000dfafc.exe C:\\Users\Admin\Music\TestNew.ico
  2⤵
  PID:2100
- C:\Users\Admin\AppData\Local\Temp\0161a500-951f-11ec-bb9e-4ea9000dfafc.exe
  0161a500-951f-11ec-bb9e-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOCK"
  2⤵
  PID:2096
- C:\Users\Admin\AppData\Local\Temp\0150b510-951f-11ec-bb0d-4ea9000dfafc.exe
  0150b510-951f-11ec-bb0d-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp"
  2⤵
  PID:2772
- C:\Users\Admin\AppData\Local\Temp\015aa020-951f-11ec-bb50-4ea9000dfafc.exe
  015aa020-951f-11ec-bb50-4ea9000dfafc.exe "C:\\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi"
  2⤵
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\015a7910-951f-11ec-bb4f-4ea9000dfafc.exe
  015a7910-951f-11ec-bb4f-4ea9000dfafc.exe "C:\\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe"
  2⤵
  PID:2728
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb8b-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb8b-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
  2⤵
  PID:2604
- C:\Users\Admin\AppData\Local\Temp\01476640-951f-11ec-ba8e-4ea9000dfafc.exe
  01476640-951f-11ec-ba8e-4ea9000dfafc.exe C:\\Users\Admin\Downloads\UnpublishRedo.rtf
  2⤵
  PID:2844
- C:\Users\Admin\AppData\Local\Temp\01423620-951f-11ec-ba6d-4ea9000dfafc.exe
  01423620-951f-11ec-ba6d-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab"
  2⤵
  PID:6684
- C:\Users\Admin\AppData\Local\Temp\015a7910-951f-11ec-bb50-4ea9000dfafc.exe
  015a7910-951f-11ec-bb50-4ea9000dfafc.exe "C:\\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab"
  2⤵
  PID:6680
- C:\Users\Admin\AppData\Local\Temp\014e9230-951f-11ec-bae4-4ea9000dfafc.exe
  014e9230-951f-11ec-bae4-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"
  2⤵
  PID:2140
- C:\Users\Admin\AppData\Local\Temp\0130f810-951f-11ec-ba63-4ea9000dfafc.exe
  0130f810-951f-11ec-ba63-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab"
  2⤵
  PID:2696
- C:\Users\Admin\AppData\Local\Temp\0161a500-951f-11ec-bb9b-4ea9000dfafc.exe
  0161a500-951f-11ec-bb9b-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9
  2⤵
  PID:2176
- C:\Users\Admin\AppData\Local\Temp\01568170-951f-11ec-bb30-4ea9000dfafc.exe
  01568170-951f-11ec-bb30-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp"
  2⤵
  PID:2228
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb84-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb84-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Application Data"
  2⤵
  PID:2212
- C:\Users\Admin\AppData\Local\Temp\01632ba0-951f-11ec-bba2-4ea9000dfafc.exe
  01632ba0-951f-11ec-bba2-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\index"
  2⤵
  PID:2244
- C:\Users\Admin\AppData\Local\Temp\0159b5c0-951f-11ec-bb4a-4ea9000dfafc.exe
  0159b5c0-951f-11ec-bb4a-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{05DC6F20-94A2-11EC-A34F-6E44B9307EE0}.dat"
  2⤵
  PID:536
- C:\Users\Admin\AppData\Local\Temp\01580810-951f-11ec-bb36-4ea9000dfafc.exe
  01580810-951f-11ec-bb36-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\GPUCache\data_1"
  2⤵
  PID:2868
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb74-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb74-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Temp\ose00000.exe
  2⤵
  PID:2744
- C:\Users\Admin\AppData\Local\Temp\014c9660-951f-11ec-bad1-4ea9000dfafc.exe
  014c9660-951f-11ec-bad1-4ea9000dfafc.exe C:\\ProgramData\Adobe\Updater6\AdobeESDGlobalApps.xml
  2⤵
  PID:2672
- C:\Users\Admin\AppData\Local\Temp\015b8a80-951f-11ec-bb5b-4ea9000dfafc.exe
  015b8a80-951f-11ec-bb5b-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\faxxuvis.default-release\cache2\entries\97E8D217D59733C5DAC8BF6D74564B40D930A09A
  2⤵
  PID:2016
- C:\Users\Admin\AppData\Local\Temp\015dad60-951f-11ec-bb67-4ea9000dfafc.exe
  015dad60-951f-11ec-bb67-4ea9000dfafc.exe "C:\\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab"
  2⤵
  PID:2348
- C:\Users\Admin\AppData\Local\Temp\01609390-951f-11ec-bb93-4ea9000dfafc.exe
  01609390-951f-11ec-bb93-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4A9377E7E528F7E56B69A81C500ABC24
  2⤵
  PID:2340
- C:\Users\Admin\AppData\Local\Temp\015289d0-951f-11ec-bb17-4ea9000dfafc.exe
  015289d0-951f-11ec-bb17-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\index"
  2⤵
  PID:3008
- C:\Users\Admin\AppData\Local\Temp\015e2290-951f-11ec-bb69-4ea9000dfafc.exe
  015e2290-951f-11ec-bb69-4ea9000dfafc.exe "C:\\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab"
  2⤵
  PID:2556
- C:\Users\Admin\AppData\Local\Temp\015b3c60-951f-11ec-bb58-4ea9000dfafc.exe
  015b3c60-951f-11ec-bb58-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\faxxuvis.default-release\cache2\entries\6D4934FE31BFAF4563C9C133D9CEB4B986FB5CA0
  2⤵
  PID:2352
- C:\Users\Admin\AppData\Local\Temp\015018d0-951f-11ec-bb02-4ea9000dfafc.exe
  015018d0-951f-11ec-bb02-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml"
  2⤵
  PID:2884
- C:\Users\Admin\AppData\Local\Temp\01508e00-951f-11ec-bb07-4ea9000dfafc.exe
  01508e00-951f-11ec-bb07-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_property.ico"
  2⤵
  PID:2552
- C:\Users\Admin\AppData\Local\Temp\015066f0-951f-11ec-bb04-4ea9000dfafc.exe
  015066f0-951f-11ec-bb04-4ea9000dfafc.exe C:\\ProgramData\Microsoft\OFFICE\SharePointTeamSite.ico
  2⤵
  PID:2248
- C:\Users\Admin\AppData\Local\Temp\015dfb80-951f-11ec-bb69-4ea9000dfafc.exe
  015dfb80-951f-11ec-bb69-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20220223_115949392.html"
  2⤵
  PID:2500
- C:\Users\Admin\AppData\Local\Temp\014fcab0-951f-11ec-bafc-4ea9000dfafc.exe
  014fcab0-951f-11ec-bafc-4ea9000dfafc.exe "C:\\Users\Public\Pictures\Sample Pictures\Tulips.jpg"
  2⤵
  PID:2520
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb82-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb82-4ea9000dfafc.exe C:\\ProgramData\Templates
  2⤵
  PID:2384
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb70-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb70-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Temp\dd_vcredistUI1E44.txt
  2⤵
  PID:2272
- C:\Users\Admin\AppData\Local\Temp\015ff750-951f-11ec-bb91-4ea9000dfafc.exe
  015ff750-951f-11ec-bb91-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3"
  2⤵
  PID:2584
- C:\Users\Admin\AppData\Local\Temp\014877b0-951f-11ec-ba94-4ea9000dfafc.exe
  014877b0-951f-11ec-ba94-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi"
  2⤵
  PID:2400
- C:\Users\Admin\AppData\Local\Temp\014fcab0-951f-11ec-bafb-4ea9000dfafc.exe
  014fcab0-951f-11ec-bafb-4ea9000dfafc.exe "C:\\Users\Public\Pictures\Sample Pictures\Penguins.jpg"
  2⤵
  PID:2428
- C:\Users\Admin\AppData\Local\Temp\015018d0-951f-11ec-baff-4ea9000dfafc.exe
  015018d0-951f-11ec-baff-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"
  2⤵
  PID:2720
- C:\Users\Admin\AppData\Local\Temp\014fa3a0-951f-11ec-baf8-4ea9000dfafc.exe
  014fa3a0-951f-11ec-baf8-4ea9000dfafc.exe "C:\\Users\Public\Pictures\Sample Pictures\Koala.jpg"
  2⤵
  PID:2688
- C:\Users\Admin\AppData\Local\Temp\015e97c0-951f-11ec-bb8e-4ea9000dfafc.exe
  015e97c0-951f-11ec-bb8e-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1E11E75149C17A93653DA7DC0B8CF53F_8F360D4ACE5D7CEC2FF3EF4F09601250
  2⤵
  PID:2632
- C:\Users\Admin\AppData\Local\Temp\01568170-951f-11ec-bb31-4ea9000dfafc.exe
  01568170-951f-11ec-bb31-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp"
  2⤵
  PID:2420
- C:\Users\Admin\AppData\Local\Temp\01517860-951f-11ec-bb12-4ea9000dfafc.exe
  01517860-951f-11ec-bb12-4ea9000dfafc.exe C:\\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
  2⤵
  PID:2824
- C:\Users\Admin\AppData\Local\Temp\01643d10-951f-11ec-bba8-4ea9000dfafc.exe
  01643d10-951f-11ec-bba8-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Media History-journal"
  2⤵
  PID:2644
- C:\Users\Admin\AppData\Local\Temp\014431f0-951f-11ec-ba89-4ea9000dfafc.exe
  014431f0-951f-11ec-ba89-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi"
  2⤵
  PID:2816
- C:\Users\Admin\AppData\Local\Temp\0154acb0-951f-11ec-bb23-4ea9000dfafc.exe
  0154acb0-951f-11ec-bb23-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp"
  2⤵
  PID:3452
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb76-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb76-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1E11E75149C17A93653DA7DC0B8CF53F_8F360D4ACE5D7CEC2FF3EF4F09601250
  2⤵
  PID:4196
- C:\Users\Admin\AppData\Local\Temp\0152b0e0-951f-11ec-bb17-4ea9000dfafc.exe
  0152b0e0-951f-11ec-bb17-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp"
  2⤵
  PID:3544
- C:\Users\Admin\AppData\Local\Temp\015485a0-951f-11ec-bb22-4ea9000dfafc.exe
  015485a0-951f-11ec-bb22-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp"
  2⤵
  PID:1988
- C:\Users\Admin\AppData\Local\Temp\0148ece0-951f-11ec-ba9e-4ea9000dfafc.exe
  0148ece0-951f-11ec-ba9e-4ea9000dfafc.exe "C:\\Users\Admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url"
  2⤵
  PID:3152
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb75-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb75-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Temporary Internet Files"
  2⤵
  PID:3172
- C:\Users\Admin\AppData\Local\Temp\015548f0-951f-11ec-bb24-4ea9000dfafc.exe
  015548f0-951f-11ec-bb24-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage\leveldb\MANIFEST-000001"
  2⤵
  PID:5960
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb8a-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb8a-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
  2⤵
  PID:4208
- C:\Users\Admin\AppData\Local\Temp\0134efb0-951f-11ec-ba64-4ea9000dfafc.exe
  0134efb0-951f-11ec-ba64-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll"
  2⤵
  PID:4084
- C:\Users\Admin\AppData\Local\Temp\014e4410-951f-11ec-bae3-4ea9000dfafc.exe
  014e4410-951f-11ec-bae3-4ea9000dfafc.exe C:\\Users\Default\SendTo
  2⤵
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\014ff1c0-951f-11ec-bafc-4ea9000dfafc.exe
  014ff1c0-951f-11ec-bafc-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico"
  2⤵
  PID:2940
- C:\Users\Admin\AppData\Local\Temp\01557000-951f-11ec-bb26-4ea9000dfafc.exe
  01557000-951f-11ec-bb26-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Platform Notifications\LOCK"
  2⤵
  PID:4204
- C:\Users\Admin\AppData\Local\Temp\0161cc10-951f-11ec-bba0-4ea9000dfafc.exe
  0161cc10-951f-11ec-bba0-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Favicons"
  2⤵
  PID:5600
- C:\Users\Admin\AppData\Local\Temp\0148ece0-951f-11ec-baa0-4ea9000dfafc.exe
  0148ece0-951f-11ec-baa0-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab"
  2⤵
  PID:1152
- C:\Users\Admin\AppData\Local\Temp\01591980-951f-11ec-bb45-4ea9000dfafc.exe
  01591980-951f-11ec-bb45-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Microsoft\Feeds Cache\HPDMG12Q\fwlink[1]"
  2⤵
  PID:4184
- C:\Users\Admin\AppData\Local\Temp\01641600-951f-11ec-bba7-4ea9000dfafc.exe
  01641600-951f-11ec-bba7-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal"
  2⤵
  PID:2648
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb7f-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb7f-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
  2⤵
  PID:4252
- C:\Users\Admin\AppData\Local\Temp\014c2130-951f-11ec-bac4-4ea9000dfafc.exe
  014c2130-951f-11ec-bac4-4ea9000dfafc.exe C:\\Users\Admin\Pictures\SendResolve.jpg
  2⤵
  PID:6204
- C:\Users\Admin\AppData\Local\Temp\01517860-951f-11ec-bb0f-4ea9000dfafc.exe
  01517860-951f-11ec-bb0f-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp"
  2⤵
  PID:6080
- C:\Users\Admin\AppData\Local\Temp\01641600-951f-11ec-bba6-4ea9000dfafc.exe
  01641600-951f-11ec-bba6-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"
  2⤵
  PID:5484
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb72-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb72-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20220223_120012_980.txt
  2⤵
  PID:6064
- C:\Users\Admin\AppData\Local\Temp\015dd470-951f-11ec-bb67-4ea9000dfafc.exe
  015dd470-951f-11ec-bb67-4ea9000dfafc.exe "C:\\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi"
  2⤵
  PID:3836
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb6c-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb6c-4ea9000dfafc.exe "C:\\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi"
  2⤵
  PID:3880
- C:\Users\Admin\AppData\Local\Temp\014ff1c0-951f-11ec-bafe-4ea9000dfafc.exe
  014ff1c0-951f-11ec-bafe-4ea9000dfafc.exe "C:\\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv"
  2⤵
  PID:4300
- C:\Users\Admin\AppData\Local\Temp\014c4840-951f-11ec-bacb-4ea9000dfafc.exe
  014c4840-951f-11ec-bacb-4ea9000dfafc.exe C:\\Users\Admin\Templates
  2⤵
  PID:5400
- C:\Users\Admin\AppData\Local\Temp\0146ca00-951f-11ec-ba8c-4ea9000dfafc.exe
  0146ca00-951f-11ec-ba8c-4ea9000dfafc.exe C:\\Users\Admin\Downloads\SelectRequest.vsd
  2⤵
  PID:6416
- C:\Users\Admin\AppData\Local\Temp\015b8a80-951f-11ec-bb5a-4ea9000dfafc.exe
  015b8a80-951f-11ec-bb5a-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\faxxuvis.default-release\cache2\entries\94782C45DA6D1B2803CD3FD06F4F5E71BFF2B38D
  2⤵
  PID:5904
- C:\Users\Admin\AppData\Local\Temp\014ee050-951f-11ec-bae8-4ea9000dfafc.exe
  014ee050-951f-11ec-bae8-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml"
  2⤵
  PID:4100
- C:\Users\Admin\AppData\Local\Temp\0148c5d0-951f-11ec-ba99-4ea9000dfafc.exe
  0148c5d0-951f-11ec-ba99-4ea9000dfafc.exe "C:\\Users\Admin\Favorites\MSN Websites\MSN Money.url"
  2⤵
  PID:3940
- C:\Users\Admin\AppData\Local\Temp\01591980-951f-11ec-bb44-4ea9000dfafc.exe
  01591980-951f-11ec-bb44-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Microsoft\Feeds Cache\HN51W9NV\fwlink[2]"
  2⤵
  PID:5696
- C:\Users\Admin\AppData\Local\Temp\01606c80-951f-11ec-bb92-4ea9000dfafc.exe
  01606c80-951f-11ec-bb92-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\index"
  2⤵
  PID:5916
- C:\Users\Admin\AppData\Local\Temp\01609390-951f-11ec-bb92-4ea9000dfafc.exe
  01609390-951f-11ec-bb92-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index"
  2⤵
  PID:3532
- C:\Users\Admin\AppData\Local\Temp\01557000-951f-11ec-bb27-4ea9000dfafc.exe
  01557000-951f-11ec-bb27-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Platform Notifications\LOG"
  2⤵
  PID:5372
- C:\Users\Admin\AppData\Local\Temp\015c74e0-951f-11ec-bb60-4ea9000dfafc.exe
  015c74e0-951f-11ec-bb60-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Temp\2924701964\zmstage.exe
  2⤵
  PID:4056
- C:\Users\Admin\AppData\Local\Temp\015f3400-951f-11ec-bb8f-4ea9000dfafc.exe
  015f3400-951f-11ec-bb8f-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
  2⤵
  PID:3844
- C:\Users\Admin\AppData\Local\Temp\0157b9f0-951f-11ec-bb36-4ea9000dfafc.exe
  0157b9f0-951f-11ec-bb36-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\First Run"
  2⤵
  PID:5408
- C:\Users\Admin\AppData\Local\Temp\014f2e70-951f-11ec-baf0-4ea9000dfafc.exe
  014f2e70-951f-11ec-baf0-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\settings.ico"
  2⤵
  PID:3528
- C:\Users\Admin\AppData\Local\Temp\0163eef0-951f-11ec-bba4-4ea9000dfafc.exe
  0163eef0-951f-11ec-bba4-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK"
  2⤵
  PID:5316
- C:\Users\Admin\AppData\Local\Temp\015018d0-951f-11ec-bb01-4ea9000dfafc.exe
  015018d0-951f-11ec-bb01-4ea9000dfafc.exe C:\\vcredist2010_x64.log.html
  2⤵
  PID:5220
- C:\Users\Admin\AppData\Local\Temp\014f2e70-951f-11ec-baee-4ea9000dfafc.exe
  014f2e70-951f-11ec-baee-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml"
  2⤵
  PID:5396
- C:\Users\Admin\AppData\Local\Temp\01594090-951f-11ec-bb47-4ea9000dfafc.exe
  01594090-951f-11ec-bb47-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Microsoft\Feeds Cache\PAHLSM1Y\fwlink[2]"
  2⤵
  PID:3060
- C:\Users\Admin\AppData\Local\Temp\01508e00-951f-11ec-bb08-4ea9000dfafc.exe
  01508e00-951f-11ec-bb08-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Admin.dat"
  2⤵
  PID:3892
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb7d-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb7d-4ea9000dfafc.exe "C:\\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi"
  2⤵
  PID:5272
- C:\Users\Admin\AppData\Local\Temp\01517860-951f-11ec-bb10-4ea9000dfafc.exe
  01517860-951f-11ec-bb10-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp"
  2⤵
  PID:5820
- C:\Users\Admin\AppData\Local\Temp\015fd040-951f-11ec-bb91-4ea9000dfafc.exe
  015fd040-951f-11ec-bb91-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C3948BE6E525B8A8CEE9FAC91C9E392_F70553637B9F26717122C4DAFA3ADB11
  2⤵
  PID:6368
- C:\Users\Admin\AppData\Local\Temp\015d3830-951f-11ec-bb62-4ea9000dfafc.exe
  015d3830-951f-11ec-bb62-4ea9000dfafc.exe "C:\\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi"
  2⤵
  PID:3608
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb78-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb78-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C3948BE6E525B8A8CEE9FAC91C9E392_7A0EF9A6B71F8BD440FF79468695184C
  2⤵
  PID:3816
- C:\Users\Admin\AppData\Local\Temp\01612fd0-951f-11ec-bb98-4ea9000dfafc.exe
  01612fd0-951f-11ec-bb98-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7396C420A8E1BC1DA97F1AF0D10BAD21
  2⤵
  PID:4532
- C:\Users\Admin\AppData\Local\Temp\01582f20-951f-11ec-bb37-4ea9000dfafc.exe
  01582f20-951f-11ec-bb37-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp"
  2⤵
  PID:4072
- C:\Users\Admin\AppData\Local\Temp\0160baa0-951f-11ec-bb93-4ea9000dfafc.exe
  0160baa0-951f-11ec-bb93-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index"
  2⤵
  PID:4888
- C:\Users\Admin\AppData\Local\Temp\01345370-951f-11ec-ba64-4ea9000dfafc.exe
  01345370-951f-11ec-ba64-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Sun\Java\jdk1.7.0_80_x64\sj170800.cab
  2⤵
  PID:5948
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb6d-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb6d-4ea9000dfafc.exe "C:\\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab"
  2⤵
  PID:4628
- C:\Users\Admin\AppData\Local\Temp\0144f540-951f-11ec-ba8b-4ea9000dfafc.exe
  0144f540-951f-11ec-ba8b-4ea9000dfafc.exe C:\\Users\Admin\Downloads\MeasureRemove.gif
  2⤵
  PID:3472
- C:\Users\Admin\AppData\Local\Temp\013edac0-951f-11ec-ba67-4ea9000dfafc.exe
  013edac0-951f-11ec-ba67-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab"
  2⤵
  PID:3952
- C:\Users\Admin\AppData\Local\Temp\01557000-951f-11ec-bb24-4ea9000dfafc.exe
  01557000-951f-11ec-bb24-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Network Persistent State"
  2⤵
  PID:6072
- C:\Users\Admin\AppData\Local\Temp\015a5200-951f-11ec-bb4e-4ea9000dfafc.exe
  015a5200-951f-11ec-bb4e-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\rx62z5k\imagestore.dat"
  2⤵
  PID:6244
- C:\Users\Admin\AppData\Local\Temp\0158f270-951f-11ec-bb40-4ea9000dfafc.exe
  0158f270-951f-11ec-bb40-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index"
  2⤵
  PID:5788
- C:\Users\Admin\AppData\Local\Temp\01560c40-951f-11ec-bb2c-4ea9000dfafc.exe
  01560c40-951f-11ec-bb2c-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001"
  2⤵
  PID:5064
- C:\Users\Admin\AppData\Local\Temp\0158f270-951f-11ec-bb42-4ea9000dfafc.exe
  0158f270-951f-11ec-bb42-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp"
  2⤵
  PID:3652
- C:\Users\Admin\AppData\Local\Temp\01519f70-951f-11ec-bb14-4ea9000dfafc.exe
  01519f70-951f-11ec-bb14-4ea9000dfafc.exe C:\\ProgramData\Microsoft\OFFICE\AssetLibrary.ico
  2⤵
  PID:3856
- C:\Users\Admin\AppData\Local\Temp\014b0fc0-951f-11ec-bab4-4ea9000dfafc.exe
  014b0fc0-951f-11ec-bab4-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll"
  2⤵
  PID:4508
- C:\Users\Admin\AppData\Local\Temp\0150b510-951f-11ec-bb0c-4ea9000dfafc.exe
  0150b510-951f-11ec-bb0c-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_settings.ico"
  2⤵
  PID:5688
- C:\Users\Admin\AppData\Local\Temp\01648b30-951f-11ec-bbab-4ea9000dfafc.exe
  01648b30-951f-11ec-bbab-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\MANIFEST-000001"
  2⤵
  PID:2056
- C:\Users\Admin\AppData\Local\Temp\015066f0-951f-11ec-bb06-4ea9000dfafc.exe
  015066f0-951f-11ec-bb06-4ea9000dfafc.exe C:\\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat
  2⤵
  PID:4860
- C:\Users\Admin\AppData\Local\Temp\0152b0e0-951f-11ec-bb18-4ea9000dfafc.exe
  0152b0e0-951f-11ec-bb18-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\index-dir\the-real-index"
  2⤵
  PID:3052
- C:\Users\Admin\AppData\Local\Temp\0138e750-951f-11ec-ba65-4ea9000dfafc.exe
  0138e750-951f-11ec-ba65-4ea9000dfafc.exe C:\\Users\Admin\AppData\Roaming\CopyFormat.mp3
  2⤵
  PID:3012
- C:\Users\Admin\AppData\Local\Temp\0145b890-951f-11ec-ba8b-4ea9000dfafc.exe
  0145b890-951f-11ec-ba8b-4ea9000dfafc.exe C:\\Users\Admin\Downloads\RedoUnprotect.pub
  2⤵
  PID:4796
- C:\Users\Admin\AppData\Local\Temp\01582f20-951f-11ec-bb38-4ea9000dfafc.exe
  01582f20-951f-11ec-bb38-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\GPUCache\data_3"
  2⤵
  PID:3248
- C:\Users\Admin\AppData\Local\Temp\0152d7f0-951f-11ec-bb18-4ea9000dfafc.exe
  0152d7f0-951f-11ec-bb18-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp"
  2⤵
  PID:4968
- C:\Users\Admin\AppData\Local\Temp\014d59b0-951f-11ec-bad7-4ea9000dfafc.exe
  014d59b0-951f-11ec-bad7-4ea9000dfafc.exe C:\\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_1a933a73-4d03-4b91-8cac-7b66f466e846
  2⤵
  PID:2204
- C:\Users\Admin\AppData\Local\Temp\01480280-951f-11ec-ba91-4ea9000dfafc.exe
  01480280-951f-11ec-ba91-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml"
  2⤵
  PID:3604
- C:\Users\Admin\AppData\Local\Temp\01557000-951f-11ec-bb28-4ea9000dfafc.exe
  01557000-951f-11ec-bb28-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Platform Notifications\MANIFEST-000001"
  2⤵
  PID:4748
- C:\Users\Admin\AppData\Local\Temp\01654e80-951f-11ec-bbaf-4ea9000dfafc.exe
  01654e80-951f-11ec-bbaf-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956
  2⤵
  PID:4120
- C:\Users\Admin\AppData\Local\Temp\01591980-951f-11ec-bb42-4ea9000dfafc.exe
  01591980-951f-11ec-bb42-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\History
  2⤵
  PID:3300
- C:\Users\Admin\AppData\Local\Temp\014e4410-951f-11ec-bae2-4ea9000dfafc.exe
  014e4410-951f-11ec-bae2-4ea9000dfafc.exe C:\\Users\Default\Recent
  2⤵
  PID:3908
- C:\Users\Admin\AppData\Local\Temp\0158a450-951f-11ec-bb3c-4ea9000dfafc.exe
  0158a450-951f-11ec-bb3c-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0"
  2⤵
  PID:6364
- C:\Users\Admin\AppData\Local\Temp\015dad60-951f-11ec-bb66-4ea9000dfafc.exe
  015dad60-951f-11ec-bb66-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Temp\Admin.bmp
  2⤵
  PID:6000
- C:\Users\Admin\AppData\Local\Temp\014ac1a0-951f-11ec-bab0-4ea9000dfafc.exe
  014ac1a0-951f-11ec-bab0-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml"
  2⤵
  PID:4024
- C:\Users\Admin\AppData\Local\Temp\01467be0-951f-11ec-ba8b-4ea9000dfafc.exe
  01467be0-951f-11ec-ba8b-4ea9000dfafc.exe C:\\Users\Admin\Downloads\SearchRedo.odt
  2⤵
  PID:4696
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb7b-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb7b-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5
  2⤵
  PID:3616
- C:\Users\Admin\AppData\Local\Temp\014eb940-951f-11ec-bae7-4ea9000dfafc.exe
  014eb940-951f-11ec-bae7-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico"
  2⤵
  PID:3464
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb80-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb80-4ea9000dfafc.exe "C:\\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe"
  2⤵
  PID:3244
- C:\Users\Admin\AppData\Local\Temp\01517860-951f-11ec-bb13-4ea9000dfafc.exe
  01517860-951f-11ec-bb13-4ea9000dfafc.exe C:\\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
  2⤵
  PID:5636
- C:\Users\Admin\AppData\Local\Temp\014c6f50-951f-11ec-bacf-4ea9000dfafc.exe
  014c6f50-951f-11ec-bacf-4ea9000dfafc.exe "C:\\Users\Default\AppData\Local\Application Data"
  2⤵
  PID:4568
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb6e-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb6e-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt
  2⤵
  PID:4652
- C:\Users\Admin\AppData\Local\Temp\015ac730-951f-11ec-bb55-4ea9000dfafc.exe
  015ac730-951f-11ec-bb55-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\faxxuvis.default-release\cache2\entries\340A10D652987DF5E54312E31F5C22F6E8DBA574
  2⤵
  PID:5048
- C:\Users\Admin\AppData\Local\Temp\0154d3c0-951f-11ec-bb23-4ea9000dfafc.exe
  0154d3c0-951f-11ec-bb23-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage\leveldb\LOG"
  2⤵
  PID:3228
- C:\Users\Admin\AppData\Local\Temp\015a2af0-951f-11ec-bb4e-4ea9000dfafc.exe
  015a2af0-951f-11ec-bb4e-4ea9000dfafc.exe "C:\\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab"
  2⤵
  PID:3212
- C:\Users\Admin\AppData\Local\Temp\0155e530-951f-11ec-bb2a-4ea9000dfafc.exe
  0155e530-951f-11ec-bb2a-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT"
  2⤵
  PID:3356
- C:\Users\Admin\AppData\Local\Temp\015214a0-951f-11ec-bb15-4ea9000dfafc.exe
  015214a0-951f-11ec-bb15-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp"
  2⤵
  PID:5096
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb8d-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb8d-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F90F18257CBB4D84216AC1E1F3BB2C76
  2⤵
  PID:3592
- C:\Users\Admin\AppData\Local\Temp\01650060-951f-11ec-bbad-4ea9000dfafc.exe
  01650060-951f-11ec-bbad-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\CURRENT"
  2⤵
  PID:3292
- C:\Users\Admin\AppData\Local\Temp\015289d0-951f-11ec-bb16-4ea9000dfafc.exe
  015289d0-951f-11ec-bb16-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp"
  2⤵
  PID:6196
- C:\Users\Admin\AppData\Local\Temp\013df060-951f-11ec-ba67-4ea9000dfafc.exe
  013df060-951f-11ec-ba67-4ea9000dfafc.exe C:\\Users\Admin\AppData\Roaming\GetCompare.avi
  2⤵
  PID:3628
- C:\Users\Admin\AppData\Local\Temp\015d5f40-951f-11ec-bb65-4ea9000dfafc.exe
  015d5f40-951f-11ec-bb65-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe
  2⤵
  - Suspicious behavior: RenamesItself
  PID:3360
- C:\Users\Admin\AppData\Local\Temp\014bac00-951f-11ec-babc-4ea9000dfafc.exe
  014bac00-951f-11ec-babc-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.xml"
  2⤵
  PID:4716
- C:\Users\Admin\AppData\Local\Temp\01576bd0-951f-11ec-bb36-4ea9000dfafc.exe
  01576bd0-951f-11ec-bb36-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp"
  2⤵
  PID:4048
- C:\Users\Admin\AppData\Local\Temp\01539b40-951f-11ec-bb1a-4ea9000dfafc.exe
  01539b40-951f-11ec-bb1a-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp"
  2⤵
  PID:5444
- C:\Users\Admin\AppData\Local\Temp\014c4840-951f-11ec-bac8-4ea9000dfafc.exe
  014c4840-951f-11ec-bac8-4ea9000dfafc.exe C:\\Users\Admin\Recent
  2⤵
  PID:4720
- C:\Users\Admin\AppData\Local\Temp\013b5850-951f-11ec-ba65-4ea9000dfafc.exe
  013b5850-951f-11ec-ba65-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml"
  2⤵
  PID:4528
- C:\Users\Admin\AppData\Local\Temp\014f2e70-951f-11ec-baf2-4ea9000dfafc.exe
  014f2e70-951f-11ec-baf2-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml"
  2⤵
  PID:4816
- C:\Users\Admin\AppData\Local\Temp\014d80c0-951f-11ec-bada-4ea9000dfafc.exe
  014d80c0-951f-11ec-bada-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
  2⤵
  PID:4964
- C:\Users\Admin\AppData\Local\Temp\01657590-951f-11ec-bbb0-4ea9000dfafc.exe
  01657590-951f-11ec-bbb0-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\CURRENT"
  2⤵
  PID:6264
- C:\Users\Admin\AppData\Local\Temp\0161a500-951f-11ec-bb99-4ea9000dfafc.exe
  0161a500-951f-11ec-bb99-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal"
  2⤵
  PID:2860
- C:\Users\Admin\AppData\Local\Temp\014913f0-951f-11ec-baa3-4ea9000dfafc.exe
  014913f0-951f-11ec-baa3-4ea9000dfafc.exe "C:\\Users\Admin\Favorites\Microsoft Websites\Microsoft At Work.url"
  2⤵
  PID:3852
- C:\Users\Admin\AppData\Local\Temp\0158cb60-951f-11ec-bb3d-4ea9000dfafc.exe
  0158cb60-951f-11ec-bb3d-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp"
  2⤵
  PID:2172
- C:\Users\Admin\AppData\Local\Temp\015485a0-951f-11ec-bb21-4ea9000dfafc.exe
  015485a0-951f-11ec-bb21-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage\leveldb\CURRENT"
  2⤵
  PID:3016
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb87-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb87-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9
  2⤵
  PID:5028
- C:\Users\Admin\AppData\Local\Temp\01650060-951f-11ec-bbae-4ea9000dfafc.exe
  01650060-951f-11ec-bbae-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOCK"
  2⤵
  PID:3136
- C:\Users\Admin\AppData\Local\Temp\014877b0-951f-11ec-ba93-4ea9000dfafc.exe
  014877b0-951f-11ec-ba93-4ea9000dfafc.exe "C:\\Users\Admin\Favorites\Links for United States\USA.gov.url"
  2⤵
  PID:4384
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb81-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb81-4ea9000dfafc.exe "C:\\ProgramData\Start Menu"
  2⤵
  PID:5384
- C:\Users\Admin\AppData\Local\Temp\014d59b0-951f-11ec-bad6-4ea9000dfafc.exe
  014d59b0-951f-11ec-bad6-4ea9000dfafc.exe C:\\ProgramData\Favorites
  2⤵
  PID:5856
- C:\Users\Admin\AppData\Local\Temp\01648b30-951f-11ec-bbac-4ea9000dfafc.exe
  01648b30-951f-11ec-bbac-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences"
  2⤵
  PID:3904
- C:\Users\Admin\AppData\Local\Temp\01557000-951f-11ec-bb25-4ea9000dfafc.exe
  01557000-951f-11ec-bb25-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Platform Notifications\CURRENT"
  2⤵
  PID:3480
- C:\Users\Admin\AppData\Local\Temp\0160e1b0-951f-11ec-bb97-4ea9000dfafc.exe
  0160e1b0-951f-11ec-bb97-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\the-real-index"
  2⤵
  PID:6156
- C:\Users\Admin\AppData\Local\Temp\01541070-951f-11ec-bb1e-4ea9000dfafc.exe
  01541070-951f-11ec-bb1e-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\GPUCache\data_0"
  2⤵
  PID:4688
- C:\Users\Admin\AppData\Local\Temp\015f3400-951f-11ec-bb90-4ea9000dfafc.exe
  015f3400-951f-11ec-bb90-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2"
  2⤵
  PID:4492
- C:\Users\Admin\AppData\Local\Temp\0148ece0-951f-11ec-baa2-4ea9000dfafc.exe
  0148ece0-951f-11ec-baa2-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab"
  2⤵
  PID:4396
- C:\Users\Admin\AppData\Local\Temp\01323090-951f-11ec-ba64-4ea9000dfafc.exe
  01323090-951f-11ec-ba64-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe"
  2⤵
  PID:5024
- C:\Users\Admin\AppData\Local\Temp\0156f6a0-951f-11ec-bb36-4ea9000dfafc.exe
  0156f6a0-951f-11ec-bb36-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal"
  2⤵
  PID:3256
- C:\Users\Admin\AppData\Local\Temp\0149d740-951f-11ec-baa8-4ea9000dfafc.exe
  0149d740-951f-11ec-baa8-4ea9000dfafc.exe C:\\Users\Admin\Music\BackupProtect.xml
  2⤵
  PID:6712
- C:\Users\Admin\AppData\Local\Temp\01560c40-951f-11ec-bb2f-4ea9000dfafc.exe
  01560c40-951f-11ec-bb2f-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp"
  2⤵
  PID:6528
- C:\Users\Admin\AppData\Local\Temp\0161a500-951f-11ec-bb9f-4ea9000dfafc.exe
  0161a500-951f-11ec-bb9f-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG"
  2⤵
  PID:6708
- C:\Users\Admin\AppData\Local\Temp\0152d7f0-951f-11ec-bb19-4ea9000dfafc.exe
  0152d7f0-951f-11ec-bb19-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm\index"
  2⤵
  PID:6636
- C:\Users\Admin\AppData\Local\Temp\013b5850-951f-11ec-ba66-4ea9000dfafc.exe
  013b5850-951f-11ec-ba66-4ea9000dfafc.exe C:\\Users\Admin\AppData\Roaming\EditRestart.cab
  2⤵
  PID:4660
- C:\Users\Admin\AppData\Local\Temp\01559710-951f-11ec-bb28-4ea9000dfafc.exe
  01559710-951f-11ec-bb28-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage\CURRENT"
  2⤵
  PID:5984
- C:\Users\Admin\AppData\Local\Temp\012eae20-951f-11ec-ba63-4ea9000dfafc.exe
  012eae20-951f-11ec-ba63-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab"
  2⤵
  PID:3576
- C:\Users\Admin\AppData\Local\Temp\014a9a90-951f-11ec-baae-4ea9000dfafc.exe
  014a9a90-951f-11ec-baae-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi"
  2⤵
  PID:6436
- C:\Users\Admin\AppData\Local\Temp\0147db70-951f-11ec-ba90-4ea9000dfafc.exe
  0147db70-951f-11ec-ba90-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi"
  2⤵
  PID:6148
- C:\Users\Admin\AppData\Local\Temp\01646420-951f-11ec-bba8-4ea9000dfafc.exe
  01646420-951f-11ec-bba8-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network Persistent State"
  2⤵
  PID:6780
- C:\Users\Admin\AppData\Local\Temp\014c6f50-951f-11ec-bacc-4ea9000dfafc.exe
  014c6f50-951f-11ec-bacc-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi"
  2⤵
  PID:6168
- C:\Users\Admin\AppData\Local\Temp\0158f270-951f-11ec-bb41-4ea9000dfafc.exe
  0158f270-951f-11ec-bb41-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt"
  2⤵
  PID:6804
- C:\Users\Admin\AppData\Local\Temp\01598eb0-951f-11ec-bb48-4ea9000dfafc.exe
  01598eb0-951f-11ec-bb48-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\guest.bmp"
  2⤵
  PID:6816
- C:\Users\Admin\AppData\Local\Temp\015b8a80-951f-11ec-bb5e-4ea9000dfafc.exe
  015b8a80-951f-11ec-bb5e-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\faxxuvis.default-release\cache2\entries\AEA5CF7114714145CBD9DC7C6B20B4FAA948B08D
  2⤵
  PID:6852
- C:\Users\Admin\AppData\Local\Temp\0160e1b0-951f-11ec-bb96-4ea9000dfafc.exe
  0160e1b0-951f-11ec-bb96-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index"
  2⤵
  PID:6820
- C:\Users\Admin\AppData\Local\Temp\014c9660-951f-11ec-bad4-4ea9000dfafc.exe
  014c9660-951f-11ec-bad4-4ea9000dfafc.exe "C:\\Users\Default\Application Data"
  2⤵
  PID:6860
- C:\Users\Admin\AppData\Local\Temp\015e97c0-951f-11ec-bb8d-4ea9000dfafc.exe
  015e97c0-951f-11ec-bb8d-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0"
  2⤵
  PID:6828
- C:\Users\Admin\AppData\Local\Temp\0148ece0-951f-11ec-ba9b-4ea9000dfafc.exe
  0148ece0-951f-11ec-ba9b-4ea9000dfafc.exe "C:\\Users\Admin\Favorites\MSN Websites\MSN.url"
  2⤵
  PID:6808
- C:\Users\Admin\AppData\Local\Temp\01646420-951f-11ec-bba9-4ea9000dfafc.exe
  01646420-951f-11ec-bba9-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\CURRENT"
  2⤵
  PID:6892
- C:\Users\Admin\AppData\Local\Temp\015d5f40-951f-11ec-bb64-4ea9000dfafc.exe
  015d5f40-951f-11ec-bb64-4ea9000dfafc.exe "C:\\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab"
  2⤵
  PID:6924
- C:\Users\Admin\AppData\Local\Temp\015c4dd0-951f-11ec-bb5f-4ea9000dfafc.exe
  015c4dd0-951f-11ec-bb5f-4ea9000dfafc.exe "C:\\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi"
  2⤵
  PID:6784
- C:\Users\Admin\AppData\Local\Temp\014f2e70-951f-11ec-baef-4ea9000dfafc.exe
  014f2e70-951f-11ec-baef-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ringtones.ico"
  2⤵
  PID:6916
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb88-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb88-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  2⤵
  PID:6952
- C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba82-4ea9000dfafc.exe
  0142ab50-951f-11ec-ba82-4ea9000dfafc.exe C:\\Users\Admin\Documents\AddJoin.pub
  2⤵
  PID:6724
- C:\Users\Admin\AppData\Local\Temp\01641600-951f-11ec-bba8-4ea9000dfafc.exe
  01641600-951f-11ec-bba8-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Media History"
  2⤵
  PID:6960
- C:\Users\Admin\AppData\Local\Temp\014ee050-951f-11ec-bae7-4ea9000dfafc.exe
  014ee050-951f-11ec-bae7-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml"
  2⤵
  PID:7032
- C:\Users\Admin\AppData\Local\Temp\01508e00-951f-11ec-bb0a-4ea9000dfafc.exe
  01508e00-951f-11ec-bb0a-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_queue.ico"
  2⤵
  PID:6976
- C:\Users\Admin\AppData\Local\Temp\015b6370-951f-11ec-bb5a-4ea9000dfafc.exe
  015b6370-951f-11ec-bb5a-4ea9000dfafc.exe "C:\\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab"
  2⤵
  PID:6880
- C:\Users\Admin\AppData\Local\Temp\0155e530-951f-11ec-bb29-4ea9000dfafc.exe
  0155e530-951f-11ec-bb29-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage\MANIFEST-000001"
  2⤵
  PID:6928
- C:\Users\Admin\AppData\Local\Temp\01440ae0-951f-11ec-ba87-4ea9000dfafc.exe
  01440ae0-951f-11ec-ba87-4ea9000dfafc.exe C:\\Users\Admin\Documents\ReadMeasure.doc
  2⤵
  PID:7040
- C:\Users\Admin\AppData\Local\Temp\014877b0-951f-11ec-ba95-4ea9000dfafc.exe
  014877b0-951f-11ec-ba95-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml"
  2⤵
  PID:7076
- C:\Users\Admin\AppData\Local\Temp\01648b30-951f-11ec-bbaa-4ea9000dfafc.exe
  01648b30-951f-11ec-bbaa-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOG"
  2⤵
  PID:7028
- C:\Users\Admin\AppData\Local\Temp\015b6370-951f-11ec-bb58-4ea9000dfafc.exe
  015b6370-951f-11ec-bb58-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\faxxuvis.default-release\cache2\entries\8B9282465E6FDA0EED442D399E08CDC2B1ED5FF7
  2⤵
  PID:7052
- C:\Users\Admin\AppData\Local\Temp\015aee40-951f-11ec-bb56-4ea9000dfafc.exe
  015aee40-951f-11ec-bb56-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\faxxuvis.default-release\cache2\entries\4903E7ABE348ED39D98D1C844FB81A906D5ECA16
  2⤵
  PID:7064
- C:\Users\Admin\AppData\Local\Temp\015ac730-951f-11ec-bb56-4ea9000dfafc.exe
  015ac730-951f-11ec-bb56-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\faxxuvis.default-release\cache2\entries\4124EEF9521309B90976FD752D796AF305DA0840
  2⤵
  PID:7144
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb89-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb89-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956
  2⤵
  PID:2000
- C:\Users\Admin\AppData\Local\Temp\0148c5d0-951f-11ec-ba98-4ea9000dfafc.exe
  0148c5d0-951f-11ec-ba98-4ea9000dfafc.exe "C:\\Users\Admin\Favorites\MSN Websites\MSN Entertainment.url"
  2⤵
  PID:2088
- C:\Users\Admin\AppData\Local\Temp\0164d950-951f-11ec-bbad-4ea9000dfafc.exe
  0164d950-951f-11ec-bbad-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences"
  2⤵
  PID:7016
- C:\Users\Admin\AppData\Local\Temp\01598eb0-951f-11ec-bb47-4ea9000dfafc.exe
  01598eb0-951f-11ec-bb47-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Microsoft\Feeds Cache\U0TQR0T7\fwlink[1]"
  2⤵
  PID:2064
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb6f-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb6f-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Temp\dd_vcredistMSI1DE3.txt
  2⤵
  PID:7160
- C:\Users\Admin\AppData\Local\Temp\014bfa20-951f-11ec-bac0-4ea9000dfafc.exe
  014bfa20-951f-11ec-bac0-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Setup.xml"
  2⤵
  PID:7132
- C:\Users\Admin\AppData\Local\Temp\01541070-951f-11ec-bb1f-4ea9000dfafc.exe
  01541070-951f-11ec-bb1f-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\GPUCache\data_1"
  2⤵
  PID:6520
- C:\Users\Admin\AppData\Local\Temp\01541070-951f-11ec-bb20-4ea9000dfafc.exe
  01541070-951f-11ec-bb20-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\GPUCache\data_2"
  2⤵
  PID:2724
- C:\Users\Admin\AppData\Local\Temp\01626850-951f-11ec-bba1-4ea9000dfafc.exe
  01626850-951f-11ec-bba1-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1"
  2⤵
  PID:2068
- C:\Users\Admin\AppData\Local\Temp\015c26c0-951f-11ec-bb5e-4ea9000dfafc.exe
  015c26c0-951f-11ec-bb5e-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\faxxuvis.default-release\cache2\entries\B555235EB5230B93242A83F624CFE5AF42CB966B
  2⤵
  PID:268
- C:\Users\Admin\AppData\Local\Temp\01652770-951f-11ec-bbae-4ea9000dfafc.exe
  01652770-951f-11ec-bbae-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG"
  2⤵
  PID:2944
- C:\Users\Admin\AppData\Local\Temp\01362830-951f-11ec-ba64-4ea9000dfafc.exe
  01362830-951f-11ec-ba64-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Sun\Java\jdk1.7.0_80_x64\ss170800.cab
  2⤵
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\015d5f40-951f-11ec-bb63-4ea9000dfafc.exe
  015d5f40-951f-11ec-bb63-4ea9000dfafc.exe "C:\\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi"
  2⤵
  PID:2968
- C:\Users\Admin\AppData\Local\Temp\01440ae0-951f-11ec-ba88-4ea9000dfafc.exe
  01440ae0-951f-11ec-ba88-4ea9000dfafc.exe C:\\Users\Admin\Documents\Recently.docx
  2⤵
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\0136eb80-951f-11ec-ba64-4ea9000dfafc.exe
  0136eb80-951f-11ec-ba64-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab"
  2⤵
  PID:2472
- C:\Users\Admin\AppData\Local\Temp\0150dc20-951f-11ec-bb0f-4ea9000dfafc.exe
  0150dc20-951f-11ec-bb0f-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp"
  2⤵
  PID:2128
- C:\Users\Admin\AppData\Local\Temp\015aa020-951f-11ec-bb54-4ea9000dfafc.exe
  015aa020-951f-11ec-bb54-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\faxxuvis.default-release\cache2\entries\0FC25877B42B91EC00B7CCBA2ED45B52587179BC
  2⤵
  PID:2104
- C:\Users\Admin\AppData\Local\Temp\01510330-951f-11ec-bb0f-4ea9000dfafc.exe
  01510330-951f-11ec-bb0f-4ea9000dfafc.exe C:\\ProgramData\Microsoft\IdentityCRL\ppcrlui.dll
  2⤵
  PID:2964
- C:\Users\Admin\AppData\Local\Temp\01568170-951f-11ec-bb34-4ea9000dfafc.exe
  01568170-951f-11ec-bb34-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity"
  2⤵
  PID:2728
- C:\Users\Admin\AppData\Local\Temp\01568170-951f-11ec-bb32-4ea9000dfafc.exe
  01568170-951f-11ec-bb32-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp"
  2⤵
  PID:6692
- C:\Users\Admin\AppData\Local\Temp\015d3830-951f-11ec-bb61-4ea9000dfafc.exe
  015d3830-951f-11ec-bb61-4ea9000dfafc.exe "C:\\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab"
  2⤵
  PID:6676
- C:\Users\Admin\AppData\Local\Temp\015cc300-951f-11ec-bb60-4ea9000dfafc.exe
  015cc300-951f-11ec-bb60-4ea9000dfafc.exe "C:\\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab"
  2⤵
  PID:2180
- C:\Users\Admin\AppData\Local\Temp\01382400-951f-11ec-ba64-4ea9000dfafc.exe
  01382400-951f-11ec-ba64-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml"
  2⤵
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\0160baa0-951f-11ec-bb94-4ea9000dfafc.exe
  0160baa0-951f-11ec-bb94-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5
  2⤵
  PID:2604
- C:\Users\Admin\AppData\Local\Temp\01646420-951f-11ec-bbaa-4ea9000dfafc.exe
  01646420-951f-11ec-bbaa-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOCK"
  2⤵
  PID:2164
- C:\Users\Admin\AppData\Local\Temp\0154acb0-951f-11ec-bb22-4ea9000dfafc.exe
  0154acb0-951f-11ec-bb22-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage\leveldb\LOCK"
  2⤵
  PID:2136
- C:\Users\Admin\AppData\Local\Temp\015b6370-951f-11ec-bb59-4ea9000dfafc.exe
  015b6370-951f-11ec-bb59-4ea9000dfafc.exe "C:\\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe"
  2⤵
  PID:2984
- C:\Users\Admin\AppData\Local\Temp\015a7910-951f-11ec-bb4e-4ea9000dfafc.exe
  015a7910-951f-11ec-bb4e-4ea9000dfafc.exe "C:\\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi"
  2⤵
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\01369d60-951f-11ec-ba64-4ea9000dfafc.exe
  01369d60-951f-11ec-ba64-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Sun\Java\jdk1.7.0_80_x64\st170800.cab
  2⤵
  PID:2456
- C:\Users\Admin\AppData\Local\Temp\014c2130-951f-11ec-bac5-4ea9000dfafc.exe
  014c2130-951f-11ec-bac5-4ea9000dfafc.exe C:\\Users\Admin\Pictures\SwitchDeny.jpg
  2⤵
  PID:2176
- C:\Users\Admin\AppData\Local\Temp\0158a450-951f-11ec-bb3b-4ea9000dfafc.exe
  0158a450-951f-11ec-bb3b-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Temp\dd_vcredistMSI1E44.txt
  2⤵
  PID:2188
- C:\Users\Admin\AppData\Local\Temp\0159b5c0-951f-11ec-bb49-4ea9000dfafc.exe
  0159b5c0-951f-11ec-bb49-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml"
  2⤵
  PID:2324
- C:\Users\Admin\AppData\Local\Temp\0146ca00-951f-11ec-ba8d-4ea9000dfafc.exe
  0146ca00-951f-11ec-ba8d-4ea9000dfafc.exe C:\\Users\Admin\Downloads\SkipConvertTo.dll
  2⤵
  PID:2876
- C:\Users\Admin\AppData\Local\Temp\014877b0-951f-11ec-ba96-4ea9000dfafc.exe
  014877b0-951f-11ec-ba96-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml"
  2⤵
  PID:536
- C:\Users\Admin\AppData\Local\Temp\015b3c60-951f-11ec-bb57-4ea9000dfafc.exe
  015b3c60-951f-11ec-bb57-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\faxxuvis.default-release\cache2\entries\570D8585930881B4F2E8104754C43FB911F396CC
  2⤵
  PID:2372
- C:\Users\Admin\AppData\Local\Temp\014b5de0-951f-11ec-bab8-4ea9000dfafc.exe
  014b5de0-951f-11ec-bab8-4ea9000dfafc.exe C:\\Users\Admin\Pictures\ConnectConvertTo.ico
  2⤵
  PID:2304
- C:\Users\Admin\AppData\Local\Temp\0150dc20-951f-11ec-bb0d-4ea9000dfafc.exe
  0150dc20-951f-11ec-bb0d-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml"
  2⤵
  PID:2928
- C:\Users\Admin\AppData\Local\Temp\01594090-951f-11ec-bb46-4ea9000dfafc.exe
  01594090-951f-11ec-bb46-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp"
  2⤵
  PID:2080
- C:\Users\Admin\AppData\Local\Temp\014bfa20-951f-11ec-bac2-4ea9000dfafc.exe
  014bfa20-951f-11ec-bac2-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi"
  2⤵
  PID:2744
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb73-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb73-4ea9000dfafc.exe C:\\Users\Admin\AppData\Local\Temp\jawshtml.html
  2⤵
  PID:1720
- C:\Users\Admin\AppData\Local\Temp\0150b510-951f-11ec-bb0a-4ea9000dfafc.exe
  0150b510-951f-11ec-bb0a-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_.ico"
  2⤵
  PID:2340
- C:\Users\Admin\AppData\Local\Temp\01591980-951f-11ec-bb46-4ea9000dfafc.exe
  01591980-951f-11ec-bb46-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Microsoft\Feeds Cache\PAHLSM1Y\fwlink[1]"
  2⤵
  PID:2288
- C:\Users\Admin\AppData\Local\Temp\01563350-951f-11ec-bb2f-4ea9000dfafc.exe
  01563350-951f-11ec-bb2f-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Top Sites-journal"
  2⤵
  PID:2408
- C:\Users\Admin\AppData\Local\Temp\01560c40-951f-11ec-bb2b-4ea9000dfafc.exe
  01560c40-951f-11ec-bb2b-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG"
  2⤵
  PID:2616
- C:\Users\Admin\AppData\Local\Temp\0146a2f0-951f-11ec-ba8b-4ea9000dfafc.exe
  0146a2f0-951f-11ec-ba8b-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml"
  2⤵
  PID:2308
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb85-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb85-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
  2⤵
  PID:2236
- C:\Users\Admin\AppData\Local\Temp\014bac00-951f-11ec-babb-4ea9000dfafc.exe
  014bac00-951f-11ec-babb-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi"
  2⤵
  PID:2460
- C:\Users\Admin\AppData\Local\Temp\01568170-951f-11ec-bb2f-4ea9000dfafc.exe
  01568170-951f-11ec-bb2f-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp"
  2⤵
  PID:2676
- C:\Users\Admin\AppData\Local\Temp\01560c40-951f-11ec-bb2e-4ea9000dfafc.exe
  01560c40-951f-11ec-bb2e-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp"
  2⤵
  PID:2624
- C:\Users\Admin\AppData\Local\Temp\015e49a0-951f-11ec-bb77-4ea9000dfafc.exe
  015e49a0-951f-11ec-bb77-4ea9000dfafc.exe C:\\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE
  2⤵
  PID:2620
- C:\Users\Admin\AppData\Local\Temp\015d5f40-951f-11ec-bb66-4ea9000dfafc.exe
  015d5f40-951f-11ec-bb66-4ea9000dfafc.exe "C:\\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi"
  2⤵
  PID:2364
- C:\Users\Admin\AppData\Local\Temp\01523bb0-951f-11ec-bb15-4ea9000dfafc.exe
  01523bb0-951f-11ec-bb15-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG"
  2⤵
  PID:2884
- C:\Users\Admin\AppData\Local\Temp\0155be20-951f-11ec-bb29-4ea9000dfafc.exe
  0155be20-951f-11ec-bb29-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage\LOG"
  2⤵
  PID:6680
- C:\Users\Admin\AppData\Local\Temp\0158f270-951f-11ec-bb3f-4ea9000dfafc.exe
  0158f270-951f-11ec-bb3f-4ea9000dfafc.exe "C:\\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3"
  2⤵
  PID:2932
- C:\Users\Admin\AppData\Local\Temp\0153c250-951f-11ec-bb1a-4ea9000dfafc.exe
  0153c250-951f-11ec-bb1a-4ea9000dfafc.exe "C:\\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp"
  2⤵
  PID:2596
- C:\Users\Admin\AppData\Local\Temp\014ae8b0-951f-11ec-bab1-4ea9000dfafc.exe
  014ae8b0-951f-11ec-bab1-4ea9000dfafc.exe "C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll"
  2⤵
  PID:2644
- C:\Windows\system32\timeout.exe
  timeout /t 30 && C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\AppData\Local\Temp\43564aa0-94f8-11ec-9d1d-005056a01a83.exe
  2⤵
  - Delays execution with timeout.exe
  PID:2740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0128e1c0-951f-11ec-ba62-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\0128e1c0-951f-11ec-ba62-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\012a6860-951f-11ec-ba62-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\012a6860-951f-11ec-ba62-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\012add90-951f-11ec-ba62-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\012add90-951f-11ec-ba62-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\012d9cb0-951f-11ec-ba62-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\012d9cb0-951f-11ec-ba62-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\012e11e0-951f-11ec-ba62-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\012e11e0-951f-11ec-ba62-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\012e11e0-951f-11ec-ba63-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\012e11e0-951f-11ec-ba63-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\0130f810-951f-11ec-ba64-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\0130f810-951f-11ec-ba64-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\01314630-951f-11ec-ba64-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\01314630-951f-11ec-ba64-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\0132a5c0-951f-11ec-ba64-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\0132a5c0-951f-11ec-ba64-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\01371290-951f-11ec-ba64-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\01371290-951f-11ec-ba64-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\013787c0-951f-11ec-ba64-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\013787c0-951f-11ec-ba64-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\013b5850-951f-11ec-ba67-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\013b5850-951f-11ec-ba67-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\013ba670-951f-11ec-ba67-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\013ba670-951f-11ec-ba67-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\013eb3b0-951f-11ec-ba67-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\013eb3b0-951f-11ec-ba67-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba76-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba76-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba77-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba77-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\0128e1c0-951f-11ec-ba62-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\0128e1c0-951f-11ec-ba62-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\012a6860-951f-11ec-ba62-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\012a6860-951f-11ec-ba62-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\012add90-951f-11ec-ba62-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\012add90-951f-11ec-ba62-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\012d9cb0-951f-11ec-ba62-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\012d9cb0-951f-11ec-ba62-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\012e11e0-951f-11ec-ba62-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\012e11e0-951f-11ec-ba62-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\012e11e0-951f-11ec-ba63-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\012e11e0-951f-11ec-ba63-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\0130f810-951f-11ec-ba64-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\0130f810-951f-11ec-ba64-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\01314630-951f-11ec-ba64-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\01314630-951f-11ec-ba64-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\0132a5c0-951f-11ec-ba64-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\0132a5c0-951f-11ec-ba64-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\01371290-951f-11ec-ba64-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\01371290-951f-11ec-ba64-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\013787c0-951f-11ec-ba64-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\013787c0-951f-11ec-ba64-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\013b5850-951f-11ec-ba67-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\013b5850-951f-11ec-ba67-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\013ba670-951f-11ec-ba67-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\013ba670-951f-11ec-ba67-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\013eb3b0-951f-11ec-ba67-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\013eb3b0-951f-11ec-ba67-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba76-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba76-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba77-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit
\Users\Admin\AppData\Local\Temp\0142ab50-951f-11ec-ba77-4ea9000dfafc.exe

MD5
d5d2c4ac6c724cd63b69ca054713e278

SHA1
f32d791ec9e6385a91b45942c230f52aff1626df

SHA256
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SHA512
9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Download Submit