8b4747aa987fa7da30a7108189508b38b9c1728a2712ab3604e77b4787634943

max time kernel
1800s
max time network
1708s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
01/08/2023, 00:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

target.ps1
Size

6B
MD5

86f3ddb420fd8cd4e5e384a9398a60ed
SHA1

725352248d6cf3786bc5ee2a1923b5d276aef977
SHA256

8b4747aa987fa7da30a7108189508b38b9c1728a2712ab3604e77b4787634943
SHA512

1b25d77ad9e1666159674fd243d3842df84170b559ef22adc11ebc03dbd12fcd1dcc594230790c0a26590000ec45236a18c8324c70a69bf7a5eca8585679c644

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
276	9212	msiexec.exe

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
4008	winrar-x64-622.exe
2844	winrar-x64-622.exe
3104	winrar-x64-622 (1).exe
5108	python-3.11.4-amd64.exe
3412	python-3.11.4-amd64.exe
2588	python-3.11.4-amd64.exe

Loads dropped DLL 2 IoCs

pid	Process
1956	taskmgr.exe
3412	python-3.11.4-amd64.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{3d45edf4-44bb-483f-9e08-43c38c81e118} = "\"C:\\Users\\Admin\\AppData\\Local\\Package Cache\\{3d45edf4-44bb-483f-9e08-43c38c81e118}\\python-3.11.4-amd64.exe\" /burn.runonce"	python-3.11.4-amd64.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Windows directory 42 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e5dbb96.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5DE4.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{FEF98C01-0C8A-4A0F-88AE-F164A787286C}	msiexec.exe
File created	C:\Windows\Installer\e5dbb8b.msi	msiexec.exe
File created	C:\Windows\Installer\e5dbb8c.msi	msiexec.exe
File created	C:\Windows\Installer\e5dbb90.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{52DE4CC1-22CF-498B-B50F-E66877E4850B}	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\e5dbb78.msi	msiexec.exe
File created	C:\Windows\Installer\e5dbb81.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{7EB8F17E-4AA7-4F9E-B908-42A28799523A}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC5D4.tmp	msiexec.exe
File created	C:\Windows\Installer\e5dbb73.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5dbb73.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e5dbb82.msi	msiexec.exe
File created	C:\Windows\Installer\e5dbb91.msi	msiexec.exe
File created	C:\Windows\Installer\e5dbb95.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{DA4B94FB-D8BB-4DB9-85A7-FA5067A5CEDF}	msiexec.exe
File created	C:\Windows\Installer\e5dbb7d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5dbb7d.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{1C6E1CE6-CA4E-4B38-BAFF-32BD94DBFFEF}	msiexec.exe
File opened for modification	C:\Windows\Installer\e5dbb8c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5652.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5dbb78.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID835.tmp	msiexec.exe
File created	C:\Windows\Installer\e5dbb86.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF40B.tmp	msiexec.exe
File created	C:\Windows\Installer\e5dbb87.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5dbb87.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{FABA3DAC-829C-4C83-BC27-F3AFFD27B465}	msiexec.exe
File created	C:\Windows\Installer\e5dbb77.msi	msiexec.exe
File created	C:\Windows\Installer\e5dbb7c.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{90A235DF-4CF1-415D-AD85-6AC578B5DFB4}	msiexec.exe
File opened for modification	C:\Windows\Installer\e5dbb91.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5dbb96.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A32FE961-D579-4E46-B3D6-0B777F8F51E8}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC15F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICEDE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5dbb82.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1754.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133353245155017605"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe

Modifies registry class 55 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\CPython-3.11\DisplayName = "Python 3.11.4 (64-bit)"	python-3.11.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{DA4B94FB-D8BB-4DB9-85A7-FA5067A5CEDF}\ = "{DA4B94FB-D8BB-4DB9-85A7-FA5067A5CEDF}"	python-3.11.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{7EB8F17E-4AA7-4F9E-B908-42A28799523A}\DisplayName = "Python 3.11.4 Standard Library (64-bit)"	python-3.11.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{A32FE961-D579-4E46-B3D6-0B777F8F51E8}\Version = "3.11.4150.0"	python-3.11.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{52DE4CC1-22CF-498B-B50F-E66877E4850B}\ = "{52DE4CC1-22CF-498B-B50F-E66877E4850B}"	python-3.11.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{FEF98C01-0C8A-4A0F-88AE-F164A787286C}\DisplayName = "Python 3.11.4 Core Interpreter (64-bit)"	python-3.11.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{DA4B94FB-D8BB-4DB9-85A7-FA5067A5CEDF}\Dependents	python-3.11.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{1C6E1CE6-CA4E-4B38-BAFF-32BD94DBFFEF}\Dependents	python-3.11.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{FABA3DAC-829C-4C83-BC27-F3AFFD27B465}	python-3.11.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{FABA3DAC-829C-4C83-BC27-F3AFFD27B465}\Version = "3.11.4150.0"	python-3.11.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{FABA3DAC-829C-4C83-BC27-F3AFFD27B465}\DisplayName = "Python 3.11.4 Documentation (64-bit)"	python-3.11.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{90A235DF-4CF1-415D-AD85-6AC578B5DFB4}	python-3.11.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\CPython-3.11\ = "{3d45edf4-44bb-483f-9e08-43c38c81e118}"	python-3.11.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{7EB8F17E-4AA7-4F9E-B908-42A28799523A}\ = "{7EB8F17E-4AA7-4F9E-B908-42A28799523A}"	python-3.11.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\CPython-3.11	python-3.11.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies	python-3.11.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\CPython-3.11\Dependents	python-3.11.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{1C6E1CE6-CA4E-4B38-BAFF-32BD94DBFFEF}\Version = "3.11.4150.0"	python-3.11.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{FABA3DAC-829C-4C83-BC27-F3AFFD27B465}\ = "{FABA3DAC-829C-4C83-BC27-F3AFFD27B465}"	python-3.11.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{90A235DF-4CF1-415D-AD85-6AC578B5DFB4}\Dependents	python-3.11.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\CPython-3.11\Version = "3.11.4150.0"	python-3.11.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{FEF98C01-0C8A-4A0F-88AE-F164A787286C}\ = "{FEF98C01-0C8A-4A0F-88AE-F164A787286C}"	python-3.11.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{DA4B94FB-D8BB-4DB9-85A7-FA5067A5CEDF}\Version = "3.11.4150.0"	python-3.11.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{1C6E1CE6-CA4E-4B38-BAFF-32BD94DBFFEF}\Dependents\{3d45edf4-44bb-483f-9e08-43c38c81e118}	python-3.11.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer	python-3.11.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{DA4B94FB-D8BB-4DB9-85A7-FA5067A5CEDF}\Dependents\{3d45edf4-44bb-483f-9e08-43c38c81e118}	python-3.11.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{7EB8F17E-4AA7-4F9E-B908-42A28799523A}\Dependents	python-3.11.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{52DE4CC1-22CF-498B-B50F-E66877E4850B}	python-3.11.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{DA4B94FB-D8BB-4DB9-85A7-FA5067A5CEDF}	python-3.11.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{1C6E1CE6-CA4E-4B38-BAFF-32BD94DBFFEF}\DisplayName = "Python 3.11.4 Development Libraries (64-bit)"	python-3.11.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{7EB8F17E-4AA7-4F9E-B908-42A28799523A}	python-3.11.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{7EB8F17E-4AA7-4F9E-B908-42A28799523A}\Version = "3.11.4150.0"	python-3.11.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{52DE4CC1-22CF-498B-B50F-E66877E4850B}\Dependents\{3d45edf4-44bb-483f-9e08-43c38c81e118}	python-3.11.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{FEF98C01-0C8A-4A0F-88AE-F164A787286C}\Dependents	python-3.11.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{FABA3DAC-829C-4C83-BC27-F3AFFD27B465}\Dependents\{3d45edf4-44bb-483f-9e08-43c38c81e118}	python-3.11.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{A32FE961-D579-4E46-B3D6-0B777F8F51E8}\DisplayName = "Python 3.11.4 Tcl/Tk Support (64-bit)"	python-3.11.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{1C6E1CE6-CA4E-4B38-BAFF-32BD94DBFFEF}\ = "{1C6E1CE6-CA4E-4B38-BAFF-32BD94DBFFEF}"	python-3.11.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{52DE4CC1-22CF-498B-B50F-E66877E4850B}\DisplayName = "Python 3.11.4 Test Suite (64-bit)"	python-3.11.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{52DE4CC1-22CF-498B-B50F-E66877E4850B}\Dependents	python-3.11.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{FABA3DAC-829C-4C83-BC27-F3AFFD27B465}\Dependents	python-3.11.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{A32FE961-D579-4E46-B3D6-0B777F8F51E8}\ = "{A32FE961-D579-4E46-B3D6-0B777F8F51E8}"	python-3.11.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\CPython-3.11\Dependents\{3d45edf4-44bb-483f-9e08-43c38c81e118}	python-3.11.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{FEF98C01-0C8A-4A0F-88AE-F164A787286C}\Version = "3.11.4150.0"	python-3.11.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{FEF98C01-0C8A-4A0F-88AE-F164A787286C}\Dependents\{3d45edf4-44bb-483f-9e08-43c38c81e118}	python-3.11.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{1C6E1CE6-CA4E-4B38-BAFF-32BD94DBFFEF}	python-3.11.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{90A235DF-4CF1-415D-AD85-6AC578B5DFB4}\Dependents\{3d45edf4-44bb-483f-9e08-43c38c81e118}	python-3.11.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{FEF98C01-0C8A-4A0F-88AE-F164A787286C}	python-3.11.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{7EB8F17E-4AA7-4F9E-B908-42A28799523A}\Dependents\{3d45edf4-44bb-483f-9e08-43c38c81e118}	python-3.11.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{52DE4CC1-22CF-498B-B50F-E66877E4850B}\Version = "3.11.4150.0"	python-3.11.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{90A235DF-4CF1-415D-AD85-6AC578B5DFB4}\Version = "3.11.4150.0"	python-3.11.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{90A235DF-4CF1-415D-AD85-6AC578B5DFB4}\DisplayName = "Python 3.11.4 Utility Scripts (64-bit)"	python-3.11.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{A32FE961-D579-4E46-B3D6-0B777F8F51E8}	python-3.11.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{DA4B94FB-D8BB-4DB9-85A7-FA5067A5CEDF}\DisplayName = "Python 3.11.4 Executables (64-bit)"	python-3.11.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Installer\Dependencies\{90A235DF-4CF1-415D-AD85-6AC578B5DFB4}\ = "{90A235DF-4CF1-415D-AD85-6AC578B5DFB4}"	python-3.11.4-amd64.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
832	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3236	powershell.exe
3236	powershell.exe
1800	chrome.exe
1800	chrome.exe
4688	chrome.exe
4688	chrome.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1956	taskmgr.exe
544	WScript.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3236	powershell.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4008	winrar-x64-622.exe
4008	winrar-x64-622.exe
2844	winrar-x64-622.exe
2844	winrar-x64-622.exe
3104	winrar-x64-622 (1).exe
3104	winrar-x64-622 (1).exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 4784	1800	chrome.exe	97
PID 1800 wrote to memory of 4784	1800	chrome.exe	97
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3612	1800	chrome.exe	98
PID 1800 wrote to memory of 3996	1800	chrome.exe	99
PID 1800 wrote to memory of 3996	1800	chrome.exe	99
PID 1800 wrote to memory of 4824	1800	chrome.exe	100
PID 1800 wrote to memory of 4824	1800	chrome.exe	100
PID 1800 wrote to memory of 4824	1800	chrome.exe	100
PID 1800 wrote to memory of 4824	1800	chrome.exe	100
PID 1800 wrote to memory of 4824	1800	chrome.exe	100
PID 1800 wrote to memory of 4824	1800	chrome.exe	100
PID 1800 wrote to memory of 4824	1800	chrome.exe	100
PID 1800 wrote to memory of 4824	1800	chrome.exe	100
PID 1800 wrote to memory of 4824	1800	chrome.exe	100
PID 1800 wrote to memory of 4824	1800	chrome.exe	100
PID 1800 wrote to memory of 4824	1800	chrome.exe	100
PID 1800 wrote to memory of 4824	1800	chrome.exe	100
PID 1800 wrote to memory of 4824	1800	chrome.exe	100
PID 1800 wrote to memory of 4824	1800	chrome.exe	100
PID 1800 wrote to memory of 4824	1800	chrome.exe	100
PID 1800 wrote to memory of 4824	1800	chrome.exe	100
PID 1800 wrote to memory of 4824	1800	chrome.exe	100
PID 1800 wrote to memory of 4824	1800	chrome.exe	100
PID 1800 wrote to memory of 4824	1800	chrome.exe	100
PID 1800 wrote to memory of 4824	1800	chrome.exe	100
PID 1800 wrote to memory of 4824	1800	chrome.exe	100
PID 1800 wrote to memory of 4824	1800	chrome.exe	100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\target.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd2fe59758,0x7ffd2fe59768,0x7ffd2fe59778
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:2
  2⤵
  PID:3612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:3996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2932 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2924 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4664 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:1
  2⤵
  PID:1788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4816 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4956 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5132 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:3108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5116 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3416 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:1
  2⤵
  PID:888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5352 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:1
  2⤵
  PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5104 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:3896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2980 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:1
  2⤵
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5704 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:1
  2⤵
  PID:1788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5872 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5992 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=6092 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=4732 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5160 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2540 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5652 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4792 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6164 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:1196
- C:\Users\Admin\Downloads\winrar-x64-622.exe
  "C:\Users\Admin\Downloads\winrar-x64-622.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5444 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4688
- C:\Users\Admin\Downloads\winrar-x64-622.exe
  "C:\Users\Admin\Downloads\winrar-x64-622.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=1276 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=1064 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=6136 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:1
  2⤵
  PID:1140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5716 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:1488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5436 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6212 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:1288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6384 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:3456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6336 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:1860
- C:\Users\Admin\Downloads\winrar-x64-622 (1).exe
  "C:\Users\Admin\Downloads\winrar-x64-622 (1).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=5088 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=6404 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6092 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1732 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:3228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=6488 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=6300 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2796 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6252 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=3600 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=6272 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6224 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6792 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=6644 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:1
  2⤵
  PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=6856 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=7036 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6944 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:3288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6656 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6796 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:3928
- C:\Users\Admin\Downloads\python-3.11.4-amd64.exe
  "C:\Users\Admin\Downloads\python-3.11.4-amd64.exe"
  2⤵
  - Executes dropped EXE
  PID:5108
- - C:\Windows\Temp\{396940B9-318D-4364-9E14-E34205EA9F6D}\.cr\python-3.11.4-amd64.exe
    "C:\Windows\Temp\{396940B9-318D-4364-9E14-E34205EA9F6D}\.cr\python-3.11.4-amd64.exe" -burn.clean.room="C:\Users\Admin\Downloads\python-3.11.4-amd64.exe" -burn.filehandle.attached=580 -burn.filehandle.self=556
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    PID:3412
  - - C:\Windows\Temp\{6F864CD4-D534-4EAF-9666-C8D566ABCD93}\.be\python-3.11.4-amd64.exe
      "C:\Windows\Temp\{6F864CD4-D534-4EAF-9666-C8D566ABCD93}\.be\python-3.11.4-amd64.exe" -q -burn.elevated BurnPipe.{91B07A69-1C26-4FDD-8E3A-B7C8D6D58E54} {18219ED9-6209-4BBD-AA0A-DCB9F27EA389} 3412
      4⤵
      Executes dropped EXE
      PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3944 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 --field-trial-handle=1928,i,13074201342180842857,1907257045514695005,131072 /prefetch:8
  2⤵
  PID:7312

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4508

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1956

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\53e947d420f144d286ebb1bac534236b /t 4636 /p 2844
1⤵
PID:1196

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\bfc47f41a9f64d0a8c843464fb258453 /t 2448 /p 3104
1⤵
PID:4688

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap11615:80:7zEvent9739
1⤵
PID:4008

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:832

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1204

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4240

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\VCoils-main\Virus Coils\VbNote.vbs"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:544
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5104
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4176
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1984
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3832
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3104
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3780
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2360
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1052
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4852
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3592
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2336
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3432
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1400
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2924
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2908
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2320
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5136
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5184
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5224
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5260
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5292
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5316
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5356
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5392
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5424
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5444
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5480
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5512
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5552
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5580
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5604
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5648
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5696
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5720
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5756
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5792
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5872
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5912
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5952
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5992
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6016
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6056
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6088
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6132
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5328
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5564
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5712
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6036
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6148
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6184
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6220
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6260
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6304
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6324
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6336
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6376
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6412
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6444
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6476
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6496
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6520
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6560
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6596
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6616
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6644
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6700
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6732
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6760
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6812
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6840
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6868
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6904
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6940
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6980
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7016
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7036
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7064
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7124
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7152
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4904
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6504
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6832
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6424
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7180
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7216
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7244
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7284
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7328
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7376
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7404
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7436
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7456
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7488
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7536
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7564
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7600
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7632
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7656
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7688
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7728
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7748
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7788
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7824
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7860
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7888
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7920
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7952
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7984
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8004
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8040
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8068
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8104
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8156
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8180
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7228
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7524
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7756
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8016
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1196
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8220
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8252
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8280
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8316
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8348
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8368
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8404
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8436
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8456
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8496
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8532
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8564
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8600
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8636
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8692
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8716
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8748
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8868
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8908
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8940
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9084
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8376
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1484
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8648
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3404
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8884
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8876
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8956
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9032
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9072
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9128
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9192
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8548
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3188
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9260
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9292
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9352
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9388
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9420
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9440
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9496
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9532
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9572
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9600
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9640
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9668
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9712
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9732
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9776
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9800
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9848
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9880
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9904
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9956
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10008
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10060
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10080
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10120
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10168
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10208
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9148
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9236
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9300
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9456
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9664
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9864
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9952
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9020
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10228
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9764
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10256
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10288
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10312
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10352
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10384
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10404
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10436
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10468
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10528
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10548
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10572
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10604
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10644
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10688
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10756
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10784
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10816
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10856
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10900
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10936
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10964
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11000
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11040
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11076
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11148
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11184
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11204
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11260
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10464
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10680
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10704
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10920
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1140
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9016
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11272
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11320
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11360
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11396
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11436
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11468
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11492
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11528
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11572
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11624
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11664
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11692
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11732
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11772
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11796
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11832
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11856
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11876
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11928
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12036
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3120
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12096
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12264
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11996
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4328
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11892
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12160
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12284
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11952
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12124
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4288
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4216
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12320
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12356
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12404
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12432
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12460
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12476
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12520
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12568
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12596
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12616
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12656
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12696
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12716
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12744
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12772
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12820
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12836
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12872
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12916
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12940
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12968
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13008
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13036
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13068
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13100
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13128
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13172
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13196
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13224
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13280
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13300
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12304
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12484
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1328
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12848
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13204
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12576
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13340
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13360
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13384
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13420
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13452
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13500
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13516
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13552
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13604
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13632
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13664
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13708
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13728
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13764
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13792
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13820
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13880
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13900
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13924
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13976
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14020
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14184
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14236
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14320
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13436
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14104
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14140
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14284
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14076
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14156
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13644
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13508
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14244
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14292
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14420
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14484
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14612
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14836
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14924
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15000
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15104
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15148
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15196
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15280
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14112
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14536
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14568
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4144
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14688
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14748
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15020
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15316
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15348
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13348
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14592
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2684
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14740
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14992
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15216
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14092
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14440
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2584
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14920
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15324
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15100
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15036
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15120
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14640
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14912
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14348
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15072
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14016
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:14408
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15276
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15312
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15388
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15420
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15452
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15484
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15532
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15576
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15612
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15648
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15708
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15728
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15752
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15792
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15808
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15848
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15888
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15920
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15944
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15976
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16004
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16048
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16064
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16124
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16152
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16188
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16208
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16240
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16272
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16296
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16328
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16372
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15468
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15628
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15764
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15896
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16196
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16380
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:15540
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16424
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16452
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16484
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16528
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16548
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16580
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16612
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16636
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16672
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16704
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16732
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16748
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16784
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16836
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16876
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16904
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16932
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16972
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17000
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17032
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17064
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17084
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17116
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17140
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17180
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17224
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17260
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17288
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17320
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17364
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17388
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16460
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16680
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17012
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17188
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:16544
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17436
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17468
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17484
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17520
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17572
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17712
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17784
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17860
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17940
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18032
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18124
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18280
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18380
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17604
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17700
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17892
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18104
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18296
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17624
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17780
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17984
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:764
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18216
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18344
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17832
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18160
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18428
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17804
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18012
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18228
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17936
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18336
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18220
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18448
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18604
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18696
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18808
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18896
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18964
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19128
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19276
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19404
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18188
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:17880
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18640
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18784
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18932
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19124
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19260
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19364
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18544
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18600
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18776
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19064
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19176
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18272
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18588
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18824
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19092
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19168
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19392
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18584
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18884
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19180
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18468
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18780
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18028
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19428
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19048
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18440
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4964
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19372
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18828
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:18816
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19488
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19520
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19552
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19572
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19616
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19648
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19680
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19712
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19744
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19764
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19792
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19852
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19888
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19932
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19964
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20016
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20036
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20068
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20092
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20120
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20148
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20196
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20216
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20240
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20288
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20324
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20352
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20388
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20412
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20452
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19476
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19660
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19840
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19984
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20228
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:19560
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20496
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20524
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20552
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20604
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20624
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20636
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20692
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20720
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20752
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20788
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20840
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20916
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21028
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21148
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21224
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21304
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21404
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20704
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20928
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20972
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21096
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21260
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21340
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21464
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20784
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21360
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20796
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21192
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21292
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21432
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21068
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21320
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20028
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21376
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21208
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21020
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21564
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21680
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21832
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21920
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22048
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22140
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22184
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22244
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22292
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22348
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22372
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22416
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22444
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22500
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22516
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:20616
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21572
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21632
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21692
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21724
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21760
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21780
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21716
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21904
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21912
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:21980
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22080
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22112
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22208
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22400
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2124
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11020
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22572
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22616
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22636
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22668
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22700
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22732
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22764
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22788
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22828
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22860
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22892
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22924
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22956
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22988
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23012
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23056
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23084
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23116
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23148
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23180
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23204
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23256
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23276
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23308
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23340
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23372
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23388
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23436
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23472
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23504
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23536
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22632
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:22944
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23192
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23412
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23228
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23576
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23616
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23648
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23680
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23724
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23736
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23764
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23812
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23840
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23872
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23904
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23924
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23960
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24000
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24032
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24064
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24096
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24128
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24160
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24192
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24224
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24256
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24288
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24320
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24352
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24376
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24420
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24448
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24468
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24516
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24544
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23532
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23756
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24028
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24180
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24332
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24540
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24592
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24632
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24688
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24756
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24808
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24828
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24856
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24908
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24932
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24968
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25000
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25024
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25056
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25164
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25208
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25284
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25396
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25476
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:23868
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24684
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24840
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25140
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25224
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25276
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25292
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25360
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25452
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25436
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25504
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25560
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:24764
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5828
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5804
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25080
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25244
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25496
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25620
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25668
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25688
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25712
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25752
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25788
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25812
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25856
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25884
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25908
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25940
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25968
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:26024
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:26044
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:26076
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:26100
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:26136
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:26164
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:26216
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:26236
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:26268
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:26300
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:26332
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:26368
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:26396
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:26440
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:26460
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:26504
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:26528
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:26556
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:26600
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:26620
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25876
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:26112
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:26312
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:26452
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:25928
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:26628
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:26660
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:26704

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:8756

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
PID:9212

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
PID:26848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5dbb76.rbs

Filesize
8KB

MD5
23906e9461fd3d2cae1116237d1b4c96

SHA1
5325011e029688c9a7169d7e15554c2d3aff5135

SHA256
2917a783f0237d005605a54696b588a3929b297672b230a24a343cc51622ec11

SHA512
2f6ac82688470e6426d4c160171d8a23eaf43bb2b8cab81b05b00247c9d026a9a813c959136b47072cea9cb4aae3444f3b94837634f1e89b6ee816dc86fd018e

Download Submit
C:\Config.Msi\e5dbb7b.rbs

Filesize
12KB

MD5
9f1192e22a1e4048b02cc87801c9cb3f

SHA1
94247a4b2ade172d3af25edda72467cde5495e83

SHA256
602946e8aa05d0fa5a3b28632749ac3095f40eff0735399c347b11fd779adb3e

SHA512
1b8a733f89a5626e00218df2e098461dd9b708e7bdc7488fa3cdad4e9ac7299c879a5c64b752121816c579466cfc0979b867e83f9b262d1244106c52708f210c

Download Submit
C:\Config.Msi\e5dbb80.rbs

Filesize
45KB

MD5
b7c49d35d9dd0867d6b9b2ee8718e764

SHA1
19d26e2f686d7b6abcd51a8a95dee97b8224b727

SHA256
d20cc3ed626c19e0e9c3c7212f52b4c45431045525c5f33106b7e81bd658013e

SHA512
12b16393b94b091ba5a58900d6b49699c7e61bdb8479b92405b4f72d346169aa2b1cf1694f723075b37c25b5bbea11111d9e48d8a35348f595ae451670aa28f3

Download Submit
C:\Config.Msi\e5dbb85.rbs

Filesize
181KB

MD5
b088aab9ff7cca7fa09831d141d3d624

SHA1
edfbdc7fadb27ab326b46818cb6a6206abe98a08

SHA256
7d3257251b7ca90940de701fe781fb385f3cff3aae387903881837c11ef0fb3e

SHA512
bdbb86c7878706e91dcca84e7a54c561f5b9f24e700febf461b5f38eaecf2f6d6ef5ce7b6b99257a59ee2708d5e762c3c357371bb3f7a51649cd7439212fc3d5

Download Submit
C:\Config.Msi\e5dbb8a.rbs

Filesize
290KB

MD5
7215df984b58e5138f33a3b592135ef3

SHA1
dc28bb6449224aef2bb1e42a7bf3d24aac31373c

SHA256
00a6e3d3f9f3532ea38f46e250fce25e7a647471fb1628df7f5ab65d5f4473cf

SHA512
fbeba4fff7441ebaceba0c41ed96ff9cbfae0aa8058fe260f7b42574c8b005d4831d4b335aafcaff0b648cce6cc0149e28924bbf7e56b3e307fc27798ea2319e

Download Submit
C:\Config.Msi\e5dbb8f.rbs

Filesize
133KB

MD5
ac03248e878229c019ade8cd99d798f1

SHA1
b45d33a0c989fe5b6b74760252bb1d5fca8da669

SHA256
ada0c13e717829d608202ed7fc305db19584bfd54ef384f8c55e8d9939fc57af

SHA512
3238ba77a1d8193fe8c7c3e5b2a23fbe73dd96c8836bf57fab2d5ae1a328fdd7f028bcb261673c67e2d3857ba82a83cf1dd9e729dbfb1de52721e009bd84cad2

Download Submit
C:\Config.Msi\e5dbb94.rbs

Filesize
27KB

MD5
90efc16fd8e670c77bebccb1f50ac010

SHA1
60cd746316d614812458ea29e993c5a16fee3d0a

SHA256
9d6b7d94953bdd11fa7dca51c87ca7ae0f4d6749d6c90cd24fe695193e1b5552

SHA512
3c9d765155d34306bd34cde07832c9796afce704f93ffc7c84404fbec929966aee3efa15ea4e0170ed0373aab95246cfbddd0b917fb8238f4f93cada4cf17039

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
54KB

MD5
19856c0bc88c8b0fddbd9fadb5b2d63a

SHA1
6d48401c593e53200ac03a0f36409a1e66c4feff

SHA256
e7b9666f876a2db4da6693852fd59014dbed1f4e194a11d08b41f7de532c4068

SHA512
6a3b66403344d8375af1fad5ac7e7c121dbf789da7fa8ca45137ec62e30e3c6a16848c2b00f3f36a22e98d71a89be3ff45bcbf47829a623466c4e64493d120a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
20KB

MD5
923a543cc619ea568f91b723d9fb1ef0

SHA1
6f4ade25559645c741d7327c6e16521e43d7e1f9

SHA256
bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd

SHA512
a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
324KB

MD5
7658287ed95f4677d1eff05e9bfe606f

SHA1
34edd827b93eecf2fa3c62ff532ae9eafd042c96

SHA256
7af3a37a56bdbdd07bf466b08f4a98682ee8e51910d22b92b401c3c2a00ab3f6

SHA512
2bf1b2c7aa3298b01036ef389ecfcd3891fcab03b7a50261be9d419ac23b9f963515e9f1bb1969bebc2095d95ebc9fc1b3cd0f36bf9ad08dca73eac6950c7719

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
84KB

MD5
d3e329beaacfb4b7cd9d1e28dc64be52

SHA1
d1a498055ab50a110830631123ad65d9cc31f97b

SHA256
328fad673490b776aeed5020f6fa980dbf4285687b59808678821ca7896ce4f7

SHA512
b2bf05f15345b52ffbe7de41b42c54774dfd4e50783ee34e6e8fec3d54190eb1a30ef59b028fa8e753d94d99aa6fedf0237e2e2200bcdff37748cc8df635967b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
71KB

MD5
ef5fda86a03c7d33d09c549fac55703b

SHA1
c978d8f28eae32a05fb117e29bd1f114add03ef8

SHA256
a907db059a3beb604c46bbaaffd9b1c763db1e1eccef2626355ebe9ced9d2ceb

SHA512
00d1e333af813291ceb436f76cb6bd75877c73a8deb71366272e0c5c94b59a25f697cc6c88f9f47815db7c617aae4a1ae09999ff463cf3f30450d685c5bc20b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
39KB

MD5
500ecdda9ad3e919a1f41c1588266a1b

SHA1
d5ddf92dc08284a48701a4d3555590bda05f77e0

SHA256
caad3feace9086d27e006d538d2daf4dd50e2b33307232a7db6d5f8c48f73b37

SHA512
5e47a0d0721ec0f9adb5a439ffc98c1b4da780e74270332313f8350f228bdb919d32c4812c6ede84ebae3ead1342c2eaf4c73f4dfca5a87e8887e1b5913c0d9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000030

Filesize
30KB

MD5
888c5fa4504182a0224b264a1fda0e73

SHA1
65f058a7dead59a8063362241865526eb0148f16

SHA256
7d757e510b1f0c4d44fd98cc0121da8ca4f44793f8583debdef300fb1dbd3715

SHA512
1c165b9cf4687ff94a73f53624f00da24c5452a32c72f8f75257a7501bd450bff1becdc959c9c7536059e93eb87f2c022e313f145a41175e0b8663274ae6cc36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000031

Filesize
48KB

MD5
20608c4c4b8c5ccdac58eb2b70ecf49f

SHA1
190053b37382dd59d99ae4f8a71e01f2650926f8

SHA256
035ca8586d11ecb89d667dd44d36890fa9d3c4cf1fa33fa6104bf536825458f3

SHA512
b7545513dfb884cee1086ea915e5d0eb6aa376e7b7b1295224b7e373ce2541d8aa2704f9c7b970e7a977ba576e803edfec88cb38cdc6fa733b2321b91197b1ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000032

Filesize
89KB

MD5
9d8131dbdb2f6095f0935bcbfb97e92d

SHA1
e48423aa5c94d286435db78b51ace955678e894d

SHA256
e0fe7a510b8156756128fa84530848966822c004af0e5f48a6d22697ac479a81

SHA512
3e7523bd60b7dc79ca5f634a4f6ee0e0549502b283ab92163cb8e11c5b264208aaf51de3838a9b69145f2147d3bda0e04644ad1d415827bb3bad9c49fc3a4b72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\42a5b24c7875b363_0

Filesize
259B

MD5
4a2bf6203c2c44fda23dff64c6401f1f

SHA1
d1ee6004824745d2bfc6e54ccd7f547e1eebbb47

SHA256
70513fc6ee3ca02b13859d288d61d7745e95a4b874ab35875b798cd595a53da8

SHA512
726ea495be9f4cd6be1166b4cd234f701f1526d4e2e3dc02dd15f91451983e469827e8cb96764f95ca9ee4bb5ad0c7916a31c784846262382eff12df4272c253

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\49a6432775d8ccfe_0

Filesize
197KB

MD5
c37c7e177c4a0bf92e8860711ee4a90b

SHA1
cc2d2051f328c9ed6b225f25a117a208123f1fa7

SHA256
8018a3afd066bdd79bc94373e6e803768df97553fbfcea89d26bc40bc15c12ac

SHA512
3d2d69a5101ccbe61115933123d879a4d4960e9f2bc532df10da70b2f08289b41a5c3a8c143aad5f24d50036664fe8ebf45891236e509efc939d440b3d1b3f8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\5d8f054ee3fa0b22_0

Filesize
145KB

MD5
a604684ecebb48a779c90de4aa35b428

SHA1
c552037fb9b95baa4634dafb36382bdd683c42d6

SHA256
597a12d17cb649bcef95a500c84a00cd7b753917b30659f419ca2f073b8c3f8d

SHA512
b517724a165972dffed9c09ca14550ebf67065c07d624c3a15f0aac7f997818f633611a29e96fceb1b51385ce81cbeafac1019132786b2f3da5b8a8aadc2e213

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\774cb0f3e0205251_0

Filesize
279B

MD5
93048e2af398b138f21bba1d8ed739a3

SHA1
13a4acdcf4ea07fe1c6ad2493a82280418ef5bfc

SHA256
082602b69f3ae785f5460d2f7a5d13c2595d8358ac64de4bcd5f6b822020f853

SHA512
d0dd38b230f1fd734ba059b714feda757b382396717a0dcfe448127698c3cf545081c505df7acb9f69ac06b336fb2c34c6bce704bb48bfe69e2dacaa4c7e5af5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\7afc0e25a0147261_0

Filesize
386B

MD5
6dd3ecb0fc50dcfe77851794665d4b05

SHA1
2cc428a862873f3d8675ba07305b502f80912010

SHA256
f89cffe898f62e1da9592be14c43b980383c738ab21c138af5a4d7ad5cf223b3

SHA512
715301c98f95721724f50c5949ec542e62bc728a4c36edffb3b3723705beb00bc159ce09a95a2fbafdfef895518be72821b48a73af6e92515d46d486e7f245d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\875c3b986209d0db_0

Filesize
6KB

MD5
011cfc07a485b452af73449864c828d3

SHA1
a8d8351bf91a16780be79538b51578ee389d7bfc

SHA256
b170637f7fb8c8f422c000d6271cbdb09f830a859deaf603467bcb05e0db9be0

SHA512
d7d574e11ae416a45c0bef9369141ef881908b02f9c458085eef95a1744e4e960e7e090039d543fb6edfa700bac2ac08e735d2e66f9ac806c73c2d2224071a9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\8f9941030852ac5f_0

Filesize
411B

MD5
cb44d27123c0e601cfa706965936d570

SHA1
871e024f045e4ba6670fed3e630b00bad64cc8e2

SHA256
d7ed354f99e198966f8cbafd28cc272381828cf651fad9b0d5e4201fb22a0b1f

SHA512
179bf93b0ef7484437955f39c8119cf423a53f3f68ba979fda42db1090bd7d23ab2bba3d32be1d3c8dc7f565d8b28fc92e8e7b1c56b105f70a77e22466acfe5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\a0caa8d7ac9a154f_0

Filesize
432KB

MD5
649ee73f70f8891a84997d771955559c

SHA1
528122cc258654c8bc223e7c98966e6ea74dbc5b

SHA256
57e369dbd4599bf674fbf394bbef1ea57e651e251a3753c7232009e4f24bbc3e

SHA512
2f86b1a3387f8ae9b2e99b97d009864f83e016c958abc8d9a9b434b2ca0599102759c18176c82a553f0c4c3ee532e7d2c08e7181641962346f5b4cc966904438

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\c90d255f420911a7_0

Filesize
170KB

MD5
371347b97f2762cb9d472022a76447ec

SHA1
b2c7c91685399e16fc18d88df6afec81fed1f5a7

SHA256
118abc129ba429c2e465b3dc504c858af5e3c30cb990c097887ea5011efdbc3b

SHA512
9e2b06ecff4e8567dd134541beddfba2f57b6e95c7544e75d616a87e6515c385ace9ce60992b23fa297eca93ab2d8b1773bfe21213250864ea0e3f0b36d7fccc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
39a658b85da94e7686f0cee32e907c85

SHA1
bba6095a696ac73bf6d881551866aad86bee6884

SHA256
ab1296d253cadb344a20b0b1577933da08c9b3faee5c612b279f126b7bf8e8f4

SHA512
72952a5c61233e9fcf538af7b9730479a3e525b8d50eeb18e806ea271f1c41857adb7169dc4dfbd0c45f6cf417fa9fc9a6bc4175c88274ff197b203b07678aa9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
624B

MD5
6ab837e4972cd6accc4e216c97319e91

SHA1
35a15473e10dc290078b45e8a9065bec6ac65ad3

SHA256
ee2d6ac1a2ea420a3536e076792837f89601a802c4af885213b7c89b36b00317

SHA512
3d1d3323c6b58ec3038f15bdace6c277dbe9f6fdaa584f0089e12f5493c1ca8b2546131235b1d873dfb0a66c42de7979786aa7d7ebc46a932340d04e5611ab33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
984B

MD5
5cb071b4738ecaffc14ee570d085a70c

SHA1
f1ee1ba1a11af848351c0cb2e17ae28be3aa59db

SHA256
bcdca03dabf02c4276995e540ae0c2ccc7adcdc7be9a86fcd5dcfa19d1c1beea

SHA512
3b06a0e6cc3a782524ff462638632d32414ca1cdc03410bb44c8295bcbacb66beb7d84e1ddfc8a6134b13aa62e221db9c6d6d8c25725ad70d2d8037b8bd5584a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7416e45d8d4f166d9b1c42cb4c2de9a9

SHA1
4752a0bb1b76a4549c0e924ebac8bdfd7d081f25

SHA256
eac62efd2967d7e5ef4954839d8b30c4f9030204878761f893e276e039accde4

SHA512
0149282c7c06c1cab68136fca3d68c0d80b47b0c30cdec46e10d19237e864cf60b7ad68d02b9330740b04d20443d483338a13817f9f98fdeca7c3a5691464fbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
f05af4518f248e6ce9e7e8abb4dc8372

SHA1
9499c0c45980f7d873f7f5f7376f7036aa796439

SHA256
5f7bdf12fa8dad8979f3175cdf08458cc31fa7dbeec37d1a322e6a8290e22bf9

SHA512
6622906e58cc745b9c22d1d951a37a3da0c729ae6700e4ff31fdc96088dfc56b8b111a900d89a3b9ef8ed5c6a4928f8c73f4cfcac11b8444bcb554bc2354382f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
c582f3f351f33038ab061d2c433b4c9a

SHA1
8e87cdef9e76aa8e94706f63fb2a3d859daaf3de

SHA256
e5b97180b076cc704f6c811f5f76579643eff66c3d10ea04b484e49694a25d65

SHA512
539b3ee76e02007a294e3722eeaef9580b9c96ed6e8b7cd11bb4c255f774b2d226926892340d694133b666ccdca8b8fd51f1f78debc49504d39fdaace0a1fbf3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
6e8244013f7d30d67b473ba686133809

SHA1
5c093c2fdf1e5b4b76df6487cd1ee2ae8cefe5ac

SHA256
2eed036dd1d899c830c5ab55c1f9c7ca4b38afaf8cc3eee1ee0ed44e0bcc853a

SHA512
87b013c15d3624afeb08bac635b1bd35dd7d2b29673bc6aaaf84b9e8235239d363205eec81fc04e6ee020ac22698f9be284533bc656874c9b19315e833922445

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
25f6d5ed3c9bb898bb8808daf5c582a2

SHA1
ff7b1e45ecb0aab6d3096b5823ad0bacb1274e8e

SHA256
2749d567c2fdc3d7c865b1bf814e747d6c8fc0ff0812dd69ea6a2d49ed1f80a7

SHA512
e60da1ef500f61c43138db0fbbf839a159ebba1e2698b34126c8c6ab3b24dcb4f0abfdeaf0104d0f02e4e0546f82c70525ca7ebe94d270cba49f6d389bcb8cf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
684dda4eb11440ad016c3c42e181a3f1

SHA1
28e14c1c744a946c4a1edef42cc5d24cd621b9fe

SHA256
731edd6898a194b9210e562b5840c51ec65f624f525eeb945f02131b9d51190f

SHA512
43844d3bc9c2dd30233e5cfddde583e1f442264677c8a3bf18870a89513a7213876a676f74cb0824da905544acb5f5dfb0f2f5680ca99974b0b1d59f7f1c5502

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
e7bf2f3d287e2c0f68e1f9093bc22c71

SHA1
b3f4954492d3f049645d260b43372e0bba98e5bf

SHA256
3555119d9bd089d90e44e36935a45300f73611dca84bd9e0800fb6c7e8df9e2c

SHA512
034db61de985480696b4f17a6de1737d776e3da41483736ad1105e126598d58562e0dfcb7b5e2d3ecf513928963537026d9bf014d71435e77193655b23b94559

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
fac9ad2101ae307ca15905dcb91c18bb

SHA1
ce2e42c70f07e7d3bf562512b3138adcc568ebfe

SHA256
5980389806f1953896a29d2a31117a3374db9ba583a13a7597cda95c15fbe175

SHA512
c96eaccdcb0b0b5ffa3ccabca43766e02b67560a1cdc411e6758c32d3f701222da6ca20d31ab35be1b58cef5777772f7c4157cabcec7a3775ad1d575639ea394

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9ac29b0c4a73c5f88b04d80b98114acc

SHA1
0a856358994dd2342a6e8f9a56b7f56ac31c0182

SHA256
f6fee5e1f139ee97d28c0c9499d8b5b2fd3100edef1747b44f80b6247c81c39b

SHA512
bd1b869347c7e36d041b42c3d55948a2c80951cadb2ffd7c7fa63dd129af4480d8c3efc330e383d12e7aa460777478ef9472e8da0419d6bae4e87bbc8553e263

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
d8bd71b6cb31786986702f86c753d42a

SHA1
8d67327247718081be9e3179303b2690de981022

SHA256
4b18c279778d7d65db8bec313e04a191da5b35b391c63efa9355439cada0f1e0

SHA512
7a2b8cfecde47efbcd2d79e312d104dfb72a36c2188927a427dc15f14f632cd9afefc327fe1cfa46fe3ba370483092d1b977ac4c943a50cdffd21ca69d7fd86f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
4556c438b085755fd9fcf1dfd37d598e

SHA1
ef929bd215980875b2557698e98bfae6227c75b0

SHA256
12b1b6c9cf4dc4637f7857cb565031876d6bf11d971ee6f12639b544c39533e5

SHA512
fb63021228548de086afe09ae0b458c6af32a21665960d30dce472bd9f31f18a907d1250480fb523aac41012f7ca8c98c8f9b4e88aaa95dbb4bd96c8c3299f43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
b1c623324e10fa3f0dbb419d444d7d1a

SHA1
b7a2d808c7c6ccc08441a5ffaafdb5c630dbab8f

SHA256
b741d7100ac295d18e3b8ffb8a1e3edc1a71fef802c74f10979a65b7ca3ab947

SHA512
4d1dd57c8db399849337866a45397b75b3916cded46a745e267cac44826dd47fc0401f65087f91eaccb3e1fa56a966e349a432c9f5e709956484bf547237f25e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9ed10c496297471f40b19f1c5bb384a5

SHA1
26255504b7e7d6e9c5bd604bba8f9f185c1aa2dd

SHA256
1d8edcaaf525513aea0988c9375a557d0c8a422d017af072e2043438b8cc06ea

SHA512
b0d0ce6c635cb301dd48aa53e3d6ad8061b213577d209602c22c276f849df2e696753fe79ea6114e85cb5bac53fc6c6dd89f601ab3a1e6c0d50fcc2c86a83dce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
add238511d698d45e868c3ee84f8e89a

SHA1
668c1c931ad1e26d06524309e75289038d999c5f

SHA256
3c3734d890cc89efcc687d25ff8bb59e16cb44c9b5010e0ffd884c171d845de8

SHA512
2fee482ac46e47a3a3f0694e88a36ba0cd7ff5940f15e1ccd20bf4214743f130150b24f0f02df5bdee00f917f582f728a9999eaaded74fdcd18cfd4aad19dfb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1b41c74c46cc9541036dd2828e063824

SHA1
04c9ed36d27851d6fb230821c646e9697e32a021

SHA256
a368ab4a2d407b0227c7bc8c58aefd6f08eec186b8bae56228d4f5d278af4391

SHA512
c42388f9e74bbd120c3c75408474388087d2f1688398fe2e386cf01670c0a73ee12921de61f10d4cd2201eed6eb8e5629b1ead8e62bf9f0b55368bfc50711613

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b6fed265dbb2a8284191f70cded10b7f

SHA1
48d6b1444f8f5b3e5fd6c46719af1ed76107fe42

SHA256
d1f61d5a5971b4598d94188a1691ccc88bdec61c09c4a2a0cd093febc3c62952

SHA512
7577608f427b1ea1308247357c1580eb712685fb4bd6154a111dcc7de033adda658c57264d04aaa2a0188ca960cf744d727b2ae279555015f3a021abbc18ecee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
db6a4bc0112c708bc502ddbaf05f6f88

SHA1
3c103079ed49f836f1a62c68b808e0286c1eb7db

SHA256
f09fe3ae0e7c4637d0a724d58e6a83eb345242f30ec0e065a9fa068db9da4f02

SHA512
da634d94a6483111bd0e0bbf6e0a3f09a79931411008134e4deef42774c881bc604dd189e1511ad24b79e67f8bd5d9f0fd21619df23361343d505763ebc7fbe0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
3f414eb1fc770c39f6028b8a75241760

SHA1
71dc11b7de4d7725267f606aada11860c07f97b3

SHA256
e1eecb49ed9dfd686f23376a195a51674de0399c68314a409a33235f622fd60c

SHA512
0476ebf5aa472dc5831814708adcc5e7fe5091c352bdd56c81a8fbf4d08347e307ba6b0f92d7886daca10bee6122bda9e1153f040c09fd36dc5de7e60b1acfa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
21e6df87c989985507982168cf0ac98b

SHA1
62b9f1314e6ee21817e622ce6cd4a355ff9d2be5

SHA256
087e61ef6317ac9fe8f075b9b20b15b3678ff1a36a522a43bf364c1ee30e91e1

SHA512
7d5b694a7b85016b584e6893b038dbe899322498bcfab4de082f6f0f903489e5d36eb405e64391f6de68da2911874713d311e9c60f985c0e1f827596aed0dfd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3957698e368b5ee653a7069578fd1cea

SHA1
1ed1c5074b9c05f96ac6c6381e9e215a8df3dabd

SHA256
9fd04027cffcf5dd1dd895c58db42ad08e2991e8b46ab56f78a498524bc1c8e3

SHA512
743fa8cebc8a2838d355d76ace04348d42a75a2c2823da688b9c619a45ef2681d67f28ca1b28a477a875eb7217091640557426e33eb4f7b653afd994007dfac6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ab1317e87c00aa31c45c9b5168957612

SHA1
0d2184cbc3bf1f9c301f238ea5250209bb2df2ff

SHA256
072b7e9fbd0325165b665c6e326ca120a52d505323b08645515f3606f87d01d4

SHA512
44e54e48460a082005d2426570fc7ec5703c4b579a827063c87633f50451b80804e8e9801f810b43e97559e96e44cd9ea59cc01c3670450a0d3a83cf3abfc9d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b97aab1db9fda9a7c066ddf5e7c68bff

SHA1
3fa810618b41bab69a070738a461f88619d8bac2

SHA256
64cb1ebf27e15c73b6ab6ebc1c88310b47e7cf5308686c332647378c81df20b3

SHA512
0df8f290673dfc2c11809b716e79087da140f1b36376c18ddd7c5c2c2d2fe6468f265798ae5b797b0e7f059976997bb78e5f30352ce8da9ec5a958c3860aef52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
95fe94e046007f593d33939bf45c6718

SHA1
9662df37905f0994a6c829426456704b38d2787d

SHA256
6e30c6ba6ab7639062b020ca55b17dbbe9296cde332c1028b1ffbdbd2b2598ac

SHA512
cae94a1081ae9c73c0a7baa95c0cb0a114e5a5678faff62cb5cd75e9fb939dba577d3e4728d7073461c82672008bf908eeaa93f666e4e921d488e2a15e828d51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a40dad16acbc9eb60b1c6b38501470bb

SHA1
360f71193545e1f01e18b1da1e49bf031d65efa6

SHA256
b6b9783f39854a010ab4fbb8c397e55cd2b54d70a8b9d94a81350fcdc40116fa

SHA512
645c3b9a5568e7ec7a01c00c4c3e3f27efd7b778a036eb0e015797fdbd46088df4da4beb8b39a5d0e9bf055742ba4900c487981c47b3c4bb5295966d72e7c3af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
42a2c6549c1022c3f32dd9f4af886777

SHA1
15d4a4c83519880b33335ea7392fc00755d52e60

SHA256
bcda55cb6420e7462c41d7e6c0f5510232e38ea0477b236b2c6d7cc7a015fc09

SHA512
dd2cf73cfaf0f307ac51ec924f2710981b3e7c61f857beafd67004e9af49e24ab558f14c1967fe3a6c3a2b915e007bd1bb987359a4cac77e245e6c10585f22a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
fd9ffbe29eee11a2d7bef6a6f4e3e8b0

SHA1
c6aad786800f47b748d757d5797ec54ab8727b65

SHA256
07c5b0035191329de5c69b475fa3fafd836349ff811e3d82ba7cfbe1b472743c

SHA512
8c7b056af1e157e0124acd1b4168c99c0cbe5a21826bc86798278c6167bcab2067ef55ba2010e35879c89c2e0d833ee1e64661432f5b3665edb49c5cff218eb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f20036aaf8b2da313a0f5c129d76e481

SHA1
97d9e14780de694a2a660bda93e6ba394d4e8def

SHA256
7dc401e72291a1fed08fc4c04c33a9d68bf41d73fef075563819f764dfeb7373

SHA512
c46f75b45df454d1d79ea5acae46e9fc8db22298ad69fe4f77cd0135ef282edce97b202b8fab0a6bc3d0bc7475dc02773e97f8fd89df4ce7b46a32a92b4f1071

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d993ba5b7452fe75b9015bfe271bb66d

SHA1
0d9ecb519d13924c94183c8cc5eddc62b14d8bfb

SHA256
13f7c516451043077966c356edb70868937ce819bc0d41fc131af55ba60c3638

SHA512
66845db53742c6f7ca6c5868acd862a1c9cc2e6905d13175b21f60d4cb551b67195ed6bdadd9c8cc9b7c7bccd838bce701490f50384ac4efa322422181a28d25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
42a50695d678ec51ff1b98cfcec5558b

SHA1
ec0e59e268c7c0ee7f1c30f35d231bf45a1adb5a

SHA256
750a6afad2c36ce42af71960bf2c43d9503ad1179f7325836a321f11363d4a20

SHA512
34f60676430f0b9fbf55110380e32d88ca3363728565fd24e410e315383e1f6698347a270ffb508823b8963b0f24eaca35180c366e33d0cc27c9e9c0ccab61ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7642beb3fb72b4bf5860cbadaef5743c

SHA1
d098f142847c9009fa1772779d832d6ebb60ccb3

SHA256
5a69232d1b1be5bb738ef0d02571c8519ae63aabbc6b813255478cb5a5cb83f2

SHA512
7c5f8fc48c647f2d5bf5c12090ae5e13ceaaa901a5cc3a814ad13b9f7f11e3cefe09d624cff3674f48f5c6fb77ceacc796fe451642371dc7e39a0137bbea8d27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
cfe44858ab709db76a930d764070fefe

SHA1
5863de1df97a90c774b237c715b2b4a45b757bfc

SHA256
276256451991288c8733140142d752212c7e35ee28e80ae5c7ae0242e22805ab

SHA512
7deb6195397ce4162abaa99804f7fbd821e6277482d317502feec2f19591381dc4ba4081c28728835e9dbefb1763a5b5868ac970d7a0db5e5021c7a3a206cdc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
24fc145c6310c62034fdd4e9134c0af8

SHA1
c93a29d6e306bce9def48949076ce883a88821a7

SHA256
1851b6efc5da056d43f87af6558189354487d4e01fbfef94ffc1d8192da4277f

SHA512
b14e07b3fe1c15035cbb0691f82f373cf781cc6042a4e2b32ecac76db142882527971a566ddf85c5be2e2cb8d3bc8c117c1394e0b9bc114932a8f3bc7950db56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
176KB

MD5
5f07216c31f5f5832224802dca7353b7

SHA1
ad7f65d81c31fcfa8659f8589c7bb46b2a9b68e8

SHA256
977a381bd9fc4a9580402a8ffafd4b36a6c1e8e37ba65fb9bc3a6223bafd143b

SHA512
60409c1aa6c2c12ed8e444f25db0f9f5b5d68a75dd18341df2f9e0b7805712a66722be2e6eeb1e117d0beb18336448364e61339c30f9bd137417ea1adf345444

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
176KB

MD5
5573f72ad7dbaf371d774f9202d22b6b

SHA1
7af5e4cff6cef4302a2a5f61c1f67d8b6c44ee3f

SHA256
528e5922c1a96180d385882263a8096296414834614549b7542e29144fddbc4c

SHA512
8da36ebbafc43cbcbaeac8ddd04d5c21fe3184a07e85572b828e5e85a4a4160d10cd6b47c698bdce4198c294f9f982d0bfdc767d582aa7007843cb09c4e59f31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
176KB

MD5
021caaaa7ab441bf91973cde7606270e

SHA1
1da3336127cde95277c10d39df2f767768d733ff

SHA256
4e124a97c88275c99916a7653d176fb072f1fda7b965a138cd88ad2bd2c8ac09

SHA512
d805c228df65fd71a3c4351f525e2a89731e481138458dc971b51834a8061dfa9d4f432c97abc6ca07bf11a5a52b4984dc6de2244ba41cc0b0b59c867b4ffe4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
176KB

MD5
933cc0defe725cfe9ecd26c174082803

SHA1
833047df0b3bb18ad4f8b09c51f7f8069d19ab0f

SHA256
b844ae0f8395e94bfa90325f354d1107b4175810ae8b4375535bd61895517f29

SHA512
f85bb73fa77e2c7961887ceb29f8a944cc0d54e21044180f2f1b0e7edf7631e8ff4c25e160ae5b12417885cd823e765913cff138bb624bfe28b0ce6e2f5528c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
115KB

MD5
792697cf8939b50ffc63ed21a62060b3

SHA1
e72abe9d48bccbc20d2815a97c54ea42a8d252a4

SHA256
608fab4abd2ccfefc8c4f1712b5a9af8af02a80a3ba43a10fac8e24b9cc8ffaf

SHA512
3428d7b9c151f1d5cb4008a88735e88ab9d8d508aaf362779f4e8c93e97b069c7dcd45575379c7b55e8e007ba8d5742ef18b7b60db3263b250e4387bc4a36a05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
3d72eae28130b6bf9c64bcc4a0eeaa25

SHA1
48cd6d5738df7ba0cc8528a8c1f2cc4da7716307

SHA256
16778f0affb97410b64735ac3e31f9c465f599081bdaac3298847617f5efc6d9

SHA512
926e8133f63f6d0ced17c1b53d905ce1e277a0af6b649044f1aeaa2ce262cf5a9a2d75ba444714e301e9269f372532aec904adca074138f5fdf92531d2c4dc7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
107KB

MD5
31be46a4d5c82b8deff3f39ca2f2d4c1

SHA1
7bc23d938dec162dccb357a2c362cd5cf1e40719

SHA256
fab841330272393817f0a39f637a903b259e23404d026fa7376e97dc90e0debd

SHA512
ab19681ee97042cc2d9987cb76f896c98abe4e728c2d65da295824b6d84473363ff6878e64449fe75fec9d2efe8f8b7427dbf4b698c85438143bd720e91539b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
114KB

MD5
8da4e5f40f9e22e834e371a7460c015a

SHA1
32e5026fb3b3043ecc822a6e312d917fb4d856d5

SHA256
719b79ad7be87fab4257b1c28578a1faa966c9276c7fe62c8410e94d2b673e1c

SHA512
ada48e052bfe54e1f458573ac7b828daf198fd4e365960ee7017b80463ce2e84ffadc2224d21c59d01b3a3e80b43bdb911af621bd7a2ab7641854587a146fc96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
114KB

MD5
ed85d1e85eac275d5e5b56be9243fc61

SHA1
0c8134352d6a032f4bd842b83789d3a851098f52

SHA256
c9b47bfbfa9ddcdea4059f566dc78af70074755ba2025c611d07c8475da0f737

SHA512
75bbd0d3c1061e20e38afacba7b04ee875676838359d42a99f40f229b407942f67ad8f87b843320e799d7a9cd3851369b3f628b562cd83fef10d0892443c2ec7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5830a0.TMP

Filesize
97KB

MD5
4f0d3623f46f62989dbbaa4da4432869

SHA1
1b864b669e56a8eeca758c9da27a1f93d984b623

SHA256
dab75ceaa4c15693975491fe98028dda249d19f3d849e54d984b5eacdc0b8af5

SHA512
857b9117a4f914315374ae1263817426cfbcefb8770f4436b237086d63cea34f226cfe5abfd1305ddb4ccc4d37de5fd8476fd4d296a6500a6bf36555f0b45207

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\doc_JustForMe

Filesize
5.1MB

MD5
bf152691c485494abb104bcecf66edb2

SHA1
3570812d1a76cd971432b099cf30c4a6877cb376

SHA256
4cfcc529e605fed113d85b880fc23d23fdf2cc58e8766182181b25c14cf6aedd

SHA512
8ff33d7f6dcf4c7d4caeed465447a9dfe42ded635bfa89a3c0319ba3c09e95881bf658259e6dbe81418ea44e4a0e8bade7b9681df3ff3908cbc654f79bc5410e

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\lib_JustForMe

Filesize
8.1MB

MD5
61f515a5767b0b86b7f025470ea59cfc

SHA1
3ee14100438adc5c905ee9c9bcd7fe4dcb84d5c7

SHA256
cff6cefdd631ad4cca3b97e2d2c7f64f1f069fa9913111d3dbafc29a5a44c459

SHA512
8b7c9cbde146d2faaf66e54dadc3f8264564bcfd0cbcb2f5ee4e1dddf771e597a9b2e8c82a7eb11003589aff84773f38c1d24197f01721383c8a2532598213ae

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\tcltk_JustForMe

Filesize
3.4MB

MD5
ec2aff78b2405d86280ed36a83a08b93

SHA1
acdd2251f064ac5921c7e7bd3a282639504907bd

SHA256
de0e7c2f063a5d8f3b32815feca509effc788252604759c7b686478344cb2447

SHA512
71f9d60a294988b58345d9736f0315bcf90be84ee383aab517c6feb4b52ef7d9f72b4163b93a6396ba00248c7d009d677573f992d0ea2b20eb04a1cb66477e09

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\test\test_importlib\extension\__main__.py

Filesize
62B

MD5
47878c074f37661118db4f3525b2b6cb

SHA1
9671e2ef6e3d9fa96e7450bcee03300f8d395533

SHA256
b4dc0b48d375647bcfab52d235abf7968daf57b6bbdf325766f31ce7752d7216

SHA512
13c626ada191848c31321c74eb7f0f1fde5445a82d34282d69e2b086ba6b539d8632c82bba61ff52185f75fec2514dad66139309835e53f5b09a3c5a2ebecff5

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\test\test_importlib\frozen\__init__.py

Filesize
147B

MD5
c3239b95575b0ad63408b8e633f9334d

SHA1
7dbb42dfa3ca934fb86b8e0e2268b6b793cbccdc

SHA256
6546a8ef1019da695edeca7c68103a1a8e746d88b89faf7d5297a60753fd1225

SHA512
5685131ad55f43ab73afccbef69652d03bb64e6135beb476bc987f316afe0198157507203b9846728bc7ea25bc88f040e7d2cb557c9480bac72f519d6ba90b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nt5db1lm.f0g.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\readme.txt

Filesize
19B

MD5
25cacb7c8b102e2ad4658121bdd2459e

SHA1
7b5ed8c98f3e04774aa20de108d2b5e3ffcada8a

SHA256
ec059872ca0ab2a183c1e5539e76f926605ae2e7a60ced5247e5f0f72465d971

SHA512
747c6cef1744f1aba9c74b5573e21807225ee8ed7ac9229ae551f37e6d577b9875e3ce8a2991cbeac1e2ef5f1fb768d50deabb5fa5eaa0180a406d2c246956f5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 163014.crdownload

Filesize
24.2MB

MD5
e4413bb7448cd13b437dffffba294ca0

SHA1
59dcc42113cd01346f7498a07c1265a4428b8864

SHA256
47be821c0f1825d90fc40f83a3ee3d3a691a3e16c8e21ac0cd56371362aaad50

SHA512
a48ee8992eee60a0d620dced71b9f96596f5dd510e3024015aca55884cdb3f9e2405734bfc13f3f40b79106a77bc442cce02ac4c8f5d16207448052b368fd52a

Download Submit
C:\Users\Admin\Downloads\Virus Maker.rar.crdownload

Filesize
82KB

MD5
d1f61793e7898df4b27e3345764ceca8

SHA1
f03b91146aeaf753b565620a022a238830ed56d4

SHA256
d32f3a860b863d38f117c2e7efcaa6909583d418f8578b526a7ed0153529644b

SHA512
6491767f6db68886d000b173306377f3b0bf2d6db765ce4c14139c9ad09fa44e6cb75489f3858e45c4000333d2ad517721f81cc48e94de25c75c17cac36bb617

Download Submit
C:\Users\Admin\Downloads\python-3.11.4-amd64.exe

Filesize
24.2MB

MD5
e4413bb7448cd13b437dffffba294ca0

SHA1
59dcc42113cd01346f7498a07c1265a4428b8864

SHA256
47be821c0f1825d90fc40f83a3ee3d3a691a3e16c8e21ac0cd56371362aaad50

SHA512
a48ee8992eee60a0d620dced71b9f96596f5dd510e3024015aca55884cdb3f9e2405734bfc13f3f40b79106a77bc442cce02ac4c8f5d16207448052b368fd52a

Download Submit
C:\Users\Admin\Downloads\python-3.11.4-amd64.exe

Filesize
24.2MB

MD5
e4413bb7448cd13b437dffffba294ca0

SHA1
59dcc42113cd01346f7498a07c1265a4428b8864

SHA256
47be821c0f1825d90fc40f83a3ee3d3a691a3e16c8e21ac0cd56371362aaad50

SHA512
a48ee8992eee60a0d620dced71b9f96596f5dd510e3024015aca55884cdb3f9e2405734bfc13f3f40b79106a77bc442cce02ac4c8f5d16207448052b368fd52a

Download Submit
C:\Users\Admin\Downloads\winrar-x64-622 (1).exe

Filesize
3.4MB

MD5
8a3faa499854ea7ff1a7ea5dbfdfccfb

SHA1
e0c4e5f7e08207319637c963c439e60735939dec

SHA256
e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff

SHA512
4c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25

Download Submit
C:\Users\Admin\Downloads\winrar-x64-622 (1).exe

Filesize
3.4MB

MD5
8a3faa499854ea7ff1a7ea5dbfdfccfb

SHA1
e0c4e5f7e08207319637c963c439e60735939dec

SHA256
e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff

SHA512
4c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25

Download Submit
C:\Users\Admin\Downloads\winrar-x64-622.exe

Filesize
3.4MB

MD5
8a3faa499854ea7ff1a7ea5dbfdfccfb

SHA1
e0c4e5f7e08207319637c963c439e60735939dec

SHA256
e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff

SHA512
4c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25

Download Submit
C:\Users\Admin\Downloads\winrar-x64-622.exe

Filesize
3.4MB

MD5
8a3faa499854ea7ff1a7ea5dbfdfccfb

SHA1
e0c4e5f7e08207319637c963c439e60735939dec

SHA256
e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff

SHA512
4c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25

Download Submit
C:\Users\Admin\Downloads\winrar-x64-622.exe

Filesize
3.4MB

MD5
8a3faa499854ea7ff1a7ea5dbfdfccfb

SHA1
e0c4e5f7e08207319637c963c439e60735939dec

SHA256
e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff

SHA512
4c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25

Download Submit
C:\Users\Admin\Downloads\winrar-x64-622.exe

Filesize
3.4MB

MD5
8a3faa499854ea7ff1a7ea5dbfdfccfb

SHA1
e0c4e5f7e08207319637c963c439e60735939dec

SHA256
e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff

SHA512
4c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25

Download Submit
C:\Users\Admin\Downloads\winrar-x64-622.exe

Filesize
3.4MB

MD5
8a3faa499854ea7ff1a7ea5dbfdfccfb

SHA1
e0c4e5f7e08207319637c963c439e60735939dec

SHA256
e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff

SHA512
4c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25

Download Submit
C:\Windows\Temp\{6F864CD4-D534-4EAF-9666-C8D566ABCD93}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
C:\Windows\Temp\{6F864CD4-D534-4EAF-9666-C8D566ABCD93}\.be\python-3.11.4-amd64.exe

Filesize
858KB

MD5
73084cdc98f16f144aeaa7ce8966a76a

SHA1
40e8d66a0d13454b25513c8444c763cab00f2ab7

SHA256
6846e876b507121739c7325d83c6cef655748113f0ef1cb61759552dd76c9db4

SHA512
d674aa9c8ec2736fc4282d6ae7a15c87ef714c6d8f0ceef5213c6925abce8e152eed4fa39525b5aa7c5bcf806fe7bffbbbbd74e71f25fd9ff544825d407abb71

Download Submit
C:\Windows\Temp\{6F864CD4-D534-4EAF-9666-C8D566ABCD93}\tools_JustForMe

Filesize
204KB

MD5
c6becc684cf5071c79ca71213b27f1e7

SHA1
bcead7c4184eb3eab3734f5aa0f4e90224428a08

SHA256
3be39c326e8d40e101d6c12995e89a9c15a9e30e134d0f4ade131522ecefc081

SHA512
7674dec3fe56cdfe98e459d12253fc50ecc34b464f142b7c643fb1972130a9c1d22f15b21f261b52582f866a1743046352e1bd3916e7b32805f77db64de73591

Download Submit
memory/1956-615-0x000001DC2EC50000-0x000001DC2EC51000-memory.dmp

Filesize
4KB

Download
memory/1956-616-0x000001DC2EC50000-0x000001DC2EC51000-memory.dmp

Filesize
4KB

Download
memory/1956-624-0x000001DC2EC50000-0x000001DC2EC51000-memory.dmp

Filesize
4KB

Download
memory/1956-622-0x000001DC2EC50000-0x000001DC2EC51000-memory.dmp

Filesize
4KB

Download
memory/1956-621-0x000001DC2EC50000-0x000001DC2EC51000-memory.dmp

Filesize
4KB

Download
memory/1956-617-0x000001DC2EC50000-0x000001DC2EC51000-memory.dmp

Filesize
4KB

Download
memory/1956-627-0x000001DC2EC50000-0x000001DC2EC51000-memory.dmp

Filesize
4KB

Download
memory/1956-623-0x000001DC2EC50000-0x000001DC2EC51000-memory.dmp

Filesize
4KB

Download
memory/1956-625-0x000001DC2EC50000-0x000001DC2EC51000-memory.dmp

Filesize
4KB

Download
memory/1956-626-0x000001DC2EC50000-0x000001DC2EC51000-memory.dmp

Filesize
4KB

Download
memory/3236-145-0x000002B6DEEA0000-0x000002B6DEEB0000-memory.dmp

Filesize
64KB

Download
memory/3236-144-0x000002B6DEEA0000-0x000002B6DEEB0000-memory.dmp

Filesize
64KB

Download
memory/3236-143-0x00007FFD2F160000-0x00007FFD2FC21000-memory.dmp

Filesize
10.8MB

Download
memory/3236-142-0x000002B6F7DA0000-0x000002B6F7DC2000-memory.dmp

Filesize
136KB

Download
memory/3236-148-0x00007FFD2F160000-0x00007FFD2FC21000-memory.dmp

Filesize
10.8MB

Download