Description	Indicator	Process	Target
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A

Sets desktop wallpaper using registry

ransomware

Description	Indicator	Process	Target
Set value (str)	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\TEMP\\zEwpnMuL.jpg"	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A

Interacts with shadow copies

ransomware

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\system32\vssadmin.exe	N/A

Modifies data under HKEY_USERS

Description	Indicator	Process	Target
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = be1f8f3e1d87a77867c18f304b831ffecd6f79aae6efbd92a86f67b961044ef6	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = e357b57c8f641bf5c2dcd374ad2d3098f48ded6be9d1edd348e2a2aeb9dba50d	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700320000000000	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 90b2869baecdbac57bd846e64fddab0e7d23d436afc7b25fafa19afa7db9209c	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 76fe27ac8ad112476a4595f55515ca1e987aa77819540e9d008b0334a0cc2432	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 4bd61fe946ecc928f21667d0c1999fbc93d048316a6b62ac8460356f0986c470	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 0e5216c75482e3eaec80b9a25bb91b3118ae0e4347713324dc9f76e62e5dc4e4	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 98bd7c374e1ab733d8b048549f82982ee4019be63f2aac3624482e159557a78e	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 30db7e0ec60d6643e1986e6b14ba4431b9decbf3adba9078b0b8e247727c7b25	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A

Modifies registry key

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\system32\reg.exe	N/A
N/A	N/A	C:\Windows\system32\reg.exe	N/A
N/A	N/A	C:\Windows\system32\reg.exe	N/A
N/A	N/A	C:\Windows\system32\reg.exe	N/A
N/A	N/A	C:\Windows\system32\reg.exe	N/A
N/A	N/A	C:\Windows\system32\reg.exe	N/A
N/A	N/A	C:\Windows\system32\reg.exe	N/A
N/A	N/A	C:\Windows\system32\reg.exe	N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
Token: SeImpersonatePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
Token: SeImpersonatePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeAssignPrimaryTokenPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeIncreaseQuotaPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeSecurityPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeLoadDriverPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeBackupPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeRestorePrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeShutdownPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeSystemEnvironmentPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeUndockPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeManageVolumePrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: 31	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeAssignPrimaryTokenPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeIncreaseQuotaPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeSecurityPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeLoadDriverPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeBackupPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeRestorePrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeShutdownPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeSystemEnvironmentPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeUndockPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeManageVolumePrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: 31	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeBackupPrivilege	N/A	C:\Windows\system32\vssvc.exe	N/A
Token: SeRestorePrivilege	N/A	C:\Windows\system32\vssvc.exe	N/A
Token: SeAuditPrivilege	N/A	C:\Windows\system32\vssvc.exe	N/A
Token: SeAssignPrimaryTokenPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeIncreaseQuotaPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeSecurityPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeLoadDriverPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeBackupPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeRestorePrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeShutdownPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeSystemEnvironmentPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeUndockPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeManageVolumePrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: 31	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeAssignPrimaryTokenPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeIncreaseQuotaPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeSecurityPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeLoadDriverPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeBackupPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeRestorePrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeShutdownPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeSystemEnvironmentPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeUndockPrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeManageVolumePrivilege	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: 31	N/A	C:\Windows\SysWOW64\Wbem\WMIC.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 4520 wrote to memory of 4308	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 4308	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 4308	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 2412	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4520 wrote to memory of 2412	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4308 wrote to memory of 1396	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\fsutil.exe
PID 4308 wrote to memory of 1396	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\fsutil.exe
PID 4308 wrote to memory of 1396	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\fsutil.exe
PID 4520 wrote to memory of 4404	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 4404	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 4404	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 4436	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\fsutil.exe
PID 4404 wrote to memory of 4436	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\fsutil.exe
PID 4404 wrote to memory of 4436	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\fsutil.exe
PID 4520 wrote to memory of 2644	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 2644	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 2644	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\SysWOW64\cmd.exe
PID 2644 wrote to memory of 212	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\net.exe
PID 2644 wrote to memory of 212	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\net.exe
PID 2644 wrote to memory of 212	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\net.exe
PID 4520 wrote to memory of 316	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 316	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 316	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\SysWOW64\cmd.exe
PID 316 wrote to memory of 4440	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 316 wrote to memory of 4440	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 316 wrote to memory of 4440	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4520 wrote to memory of 3464	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 3464	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 3464	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\SysWOW64\cmd.exe
PID 3464 wrote to memory of 820	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\net.exe
PID 3464 wrote to memory of 820	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\net.exe
PID 3464 wrote to memory of 820	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\net.exe
PID 820 wrote to memory of 904	N/A	C:\Windows\SysWOW64\net.exe	C:\Windows\SysWOW64\net1.exe
PID 820 wrote to memory of 904	N/A	C:\Windows\SysWOW64\net.exe	C:\Windows\SysWOW64\net1.exe
PID 820 wrote to memory of 904	N/A	C:\Windows\SysWOW64\net.exe	C:\Windows\SysWOW64\net1.exe
PID 4520 wrote to memory of 4672	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\system32\cmd.exe
PID 4520 wrote to memory of 4672	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\system32\cmd.exe
PID 4672 wrote to memory of 4380	N/A	C:\Windows\system32\cmd.exe	C:\Windows\system32\vssadmin.exe
PID 4672 wrote to memory of 4380	N/A	C:\Windows\system32\cmd.exe	C:\Windows\system32\vssadmin.exe
PID 4520 wrote to memory of 1680	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 1680	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 1680	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 2052	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\net.exe
PID 1680 wrote to memory of 2052	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\net.exe
PID 1680 wrote to memory of 2052	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\net.exe
PID 2052 wrote to memory of 368	N/A	C:\Windows\SysWOW64\net.exe	C:\Windows\SysWOW64\net1.exe
PID 2052 wrote to memory of 368	N/A	C:\Windows\SysWOW64\net.exe	C:\Windows\SysWOW64\net1.exe
PID 2052 wrote to memory of 368	N/A	C:\Windows\SysWOW64\net.exe	C:\Windows\SysWOW64\net1.exe
PID 4520 wrote to memory of 4852	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 4852	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 4852	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 5028	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4852 wrote to memory of 5028	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4852 wrote to memory of 5028	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4520 wrote to memory of 772	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4520 wrote to memory of 772	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4520 wrote to memory of 772	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4520 wrote to memory of 2568	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4520 wrote to memory of 2568	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4520 wrote to memory of 2568	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4520 wrote to memory of 6644	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\system32\reg.exe
PID 4520 wrote to memory of 6644	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\system32\reg.exe
PID 4520 wrote to memory of 4596	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4520 wrote to memory of 4596	N/A	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System policy modification

evasion

Description	Indicator	Process	Target
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	C:\Users\Admin\AppData\Local\Temp\forigpatch.exe	N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\forigpatch.exe

C:\Users\Admin\AppData\Local\Temp\forigpatch.exe --password 123

C:\Users\Admin\AppData\Local\Temp\forigpatch.exe

"C:\Users\Admin\AppData\Local\Temp\forigpatch.exe" --password 123 --escalated --parent-sid "S-1-5-21-946614337-2046421199-3397417319-1000"

C:\Windows\SysWOW64\cmd.exe

"cmd" /C fsutil behavior set SymlinkEvaluation R2R:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command "Stop-Cluster -Force"

C:\Windows\SysWOW64\fsutil.exe

fsutil behavior set SymlinkEvaluation R2R:1

C:\Windows\SysWOW64\cmd.exe

"cmd" /C fsutil behavior set SymlinkEvaluation R2L:1

C:\Windows\SysWOW64\fsutil.exe

fsutil behavior set SymlinkEvaluation R2L:1

C:\Windows\SysWOW64\cmd.exe

"cmd" /C net use

C:\Windows\SysWOW64\net.exe

net use

C:\Windows\SysWOW64\cmd.exe

"cmd" /C wmic service where name='vss' call ChangeStartMode Manual

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic service where name='vss' call ChangeStartMode Manual

C:\Windows\SysWOW64\cmd.exe

"cmd" /C net start vss

C:\Windows\SysWOW64\net.exe

net start vss

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start vss

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

"cmd" /C vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\SysWOW64\cmd.exe

"cmd" /C net stop vss

C:\Windows\SysWOW64\net.exe

net stop vss

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop vss

C:\Windows\SysWOW64\cmd.exe

"cmd" /C wmic service where name='vss' call ChangeStartMode Disabled

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic service where name='vss' call ChangeStartMode Disabled

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" $logs = Get-WinEvent -ListLog * | Where-Object {$_.RecordCount} | Select-Object -ExpandProperty LogName ; ForEach ( $l in $logs | Sort | Get-Unique ) {[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($l)}

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README-RECOVER-QTduEqZI6Q.txt

C:\Windows\system32\reg.exe

"reg.exe" QUERY "HKEY_USERS"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop' -Name Wallpaper -Value 'C:\Windows\TEMP\zEwpnMuL.jpg'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\S-1-5-19\Control Panel\Desktop' -Name Wallpaper -Value 'C:\Windows\TEMP\zEwpnMuL.jpg'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\S-1-5-20\Control Panel\Desktop' -Name Wallpaper -Value 'C:\Windows\TEMP\zEwpnMuL.jpg'"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README-RECOVER-QTduEqZI6Q.txt

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\S-1-5-21-946614337-2046421199-3397417319-1000\Control Panel\Desktop' -Name Wallpaper -Value 'C:\Windows\TEMP\zEwpnMuL.jpg'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Control Panel\Desktop' -Name Wallpaper -Value 'C:\Windows\TEMP\zEwpnMuL.jpg'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\S-1-5-18\Control Panel\Desktop' -Name Wallpaper -Value 'C:\Windows\TEMP\zEwpnMuL.jpg'"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README-RECOVER-QTduEqZI6Q.txt

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command " REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImagePath /t REG_SZ /d 'C:\Windows\TEMP\zEwpnMuL.jpg' /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImageUrl /t REG_SZ /d 'C:\Windows\TEMP\zEwpnMuL.jpg' /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImageStatus /t REG_DWORD /d 1 /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImagePath /t REG_SZ /d 'C:\Windows\TEMP\zEwpnMuL.jpg' /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImageUrl /t REG_SZ /d 'C:\Windows\TEMP\zEwpnMuL.jpg' /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImageStatus /t REG_DWORD /d 1 /f "

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImagePath /t REG_SZ /d C:\Windows\TEMP\zEwpnMuL.jpg /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImageUrl /t REG_SZ /d C:\Windows\TEMP\zEwpnMuL.jpg /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImageStatus /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImagePath /t REG_SZ /d C:\Windows\TEMP\zEwpnMuL.jpg /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImageUrl /t REG_SZ /d C:\Windows\TEMP\zEwpnMuL.jpg /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImageStatus /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\cmd.exe

"cmd" /C cipher /w:"F:\"

C:\Windows\system32\cmd.exe

"cmd" /C cipher /w:"D:\"

C:\Windows\system32\cmd.exe

"cmd" /C cipher /w:"C:\"

C:\Windows\system32\cipher.exe

cipher /w:"C:\"

C:\Windows\system32\cipher.exe

cipher /w:"D:\"

C:\Windows\system32\cipher.exe

cipher /w:"F:\"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README-RECOVER-QTduEqZI6Q.txt

C:\Windows\system32\werfault.exe

werfault.exe /h /shared Global\75105eb621924d7d90b908c2d53d1ddb /t 3320 /p 3260

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe

"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	9.179.89.13.in-addr.arpa	udp

Files

memory/2336-0-0x0000000010000000-0x00000000103A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QLOG\ThreadId(1).LOG

MD5	9c5f1902d6e6ec2f9386b0a298c7f3ec
SHA1	e691e2d199e5acf4a2b8889c03358b186ff32487
SHA256	1e7f496a934e56c02fca3fc4e1b3f58576d5c8f0fc9a42f8eb62518f73d3510a
SHA512	ed5d60d0ad85d4ca050507d913457413470f569ca857cb9a391a536b53676467398781f2b17256bc2c6e939e6d216002c61aafd9d2b938d35cd1227d33714c01

memory/2336-73-0x0000000001200000-0x00000000015F5000-memory.dmp

memory/4520-74-0x0000000010000000-0x00000000103A3000-memory.dmp

C:\Windows\Temp\QLOG\ThreadId(1).LOG

MD5	44a6e7850c43d5335ca14b56201cc89e
SHA1	ec3939c6bd3d9f9a6cd710e2a4dc149042c9f1d6
SHA256	941287486acb49eadbde8b7d08e7238f03fac8845fcab0faef208403a96d4c30
SHA512	45066595efe4ff0e73a59922e2d3ddf44e7da41721bda53aa0f04d5edebe5bf1416cf3b36ba164a4f656ba53745c1872333dc18eeb11c6ee12d3ec4918f799cc

memory/2412-153-0x000001F471E30000-0x000001F471E52000-memory.dmp

memory/2412-154-0x00007FF9FA760000-0x00007FF9FB14C000-memory.dmp

memory/2412-155-0x000001F471E70000-0x000001F471E80000-memory.dmp

memory/2412-156-0x000001F471E70000-0x000001F471E80000-memory.dmp

memory/2412-162-0x000001F472000000-0x000001F472076000-memory.dmp

C:\Windows\Temp\__PSScriptPolicyTest_3lpvq4dx.gf5.ps1

MD5	c4ca4238a0b923820dcc509a6f75849b
SHA1	356a192b7913b04c54574d18c28d46e6395428ab
SHA256	6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512	4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2412-182-0x000001F471FA0000-0x000001F471FBC000-memory.dmp

memory/2412-183-0x00007FF69B190000-0x00007FF69B1A0000-memory.dmp

memory/2412-189-0x000001F472240000-0x000001F4722F9000-memory.dmp

memory/2412-222-0x000001F471F90000-0x000001F471F9A000-memory.dmp

memory/2412-279-0x000001F471E70000-0x000001F471E80000-memory.dmp

memory/2412-280-0x000001F471E70000-0x000001F471E80000-memory.dmp

memory/2412-408-0x000001F4720A0000-0x000001F4720BC000-memory.dmp

memory/2412-554-0x000001F472080000-0x000001F472088000-memory.dmp

memory/2412-645-0x000001F4720E0000-0x000001F4720FA000-memory.dmp

memory/2412-650-0x000001F472090000-0x000001F472096000-memory.dmp

memory/2412-655-0x000001F4720C0000-0x000001F4720CA000-memory.dmp

memory/2412-674-0x00007FF9FA760000-0x00007FF9FB14C000-memory.dmp

memory/772-686-0x0000000004170000-0x00000000041A6000-memory.dmp

memory/772-687-0x0000000073380000-0x0000000073A6E000-memory.dmp

memory/772-688-0x00000000066C0000-0x00000000066D0000-memory.dmp

memory/772-689-0x00000000066C0000-0x00000000066D0000-memory.dmp

memory/772-690-0x0000000006D00000-0x0000000007328000-memory.dmp

memory/772-692-0x0000000006BA0000-0x0000000006BC2000-memory.dmp

memory/772-693-0x00000000073A0000-0x0000000007406000-memory.dmp

memory/772-694-0x0000000007510000-0x0000000007576000-memory.dmp

memory/772-695-0x0000000007580000-0x00000000078D0000-memory.dmp

memory/772-697-0x0000000007930000-0x000000000794C000-memory.dmp

memory/772-698-0x0000000007E70000-0x0000000007EBB000-memory.dmp

memory/772-699-0x0000000007C20000-0x0000000007C96000-memory.dmp

memory/4520-713-0x0000000001200000-0x00000000015F5000-memory.dmp

memory/772-719-0x000000007F420000-0x000000007F430000-memory.dmp

memory/772-720-0x0000000008B50000-0x0000000008B83000-memory.dmp

memory/772-721-0x0000000070080000-0x00000000700CB000-memory.dmp

memory/772-722-0x0000000008B30000-0x0000000008B4E000-memory.dmp

memory/772-727-0x0000000008C90000-0x0000000008D35000-memory.dmp

memory/772-728-0x00000000066C0000-0x00000000066D0000-memory.dmp

memory/772-729-0x0000000009050000-0x00000000090E4000-memory.dmp

memory/772-805-0x0000000009010000-0x000000000902A000-memory.dmp

memory/772-810-0x00000000097E0000-0x0000000009E58000-memory.dmp

memory/772-6359-0x0000000073380000-0x0000000073A6E000-memory.dmp

memory/772-7091-0x0000000073380000-0x0000000073A6E000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5	a3ffd2836df80cf08ee311f181fb9b9a
SHA1	f1ec4d250313d1b5d67f8f04881c63c66117ffb6
SHA256	2065fc05f5e371724fcbb9f5bba2a128794dbbb24b5b3bf89848bc116dcc5086
SHA512	acb77aa5718e4e02e07aa66a4b26a671032a784ac8171801ba41a14808c79a5ce645e77f1bde6198a4bce74ff45a1bb3dd19b967542d0637d8c7e51ffcfe368b

memory/2568-7101-0x0000000073380000-0x0000000073A6E000-memory.dmp

memory/2568-7102-0x00000000049A0000-0x00000000049B0000-memory.dmp

memory/2568-7103-0x00000000049A0000-0x00000000049B0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5	03d65fb2c32847d64350eaeff1b2fd84
SHA1	ea48225c0bea5dd76ca95bad0aa4db7d83e9493f
SHA256	791fd6a120b79ecf6d266c31009722940604cabe95932d150ba3d745c3efd451
SHA512	66c57956ae71eb44a1210f5f0f9350b075d0b97736d471edd2385ccc1c5e3bc51abbf7676b2b7fb2de6683eb2fdffc9511b89eab43a130f2e454b67c3064b363

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5	5b42f781e9a23d76727594d2444bc3ca
SHA1	0009e3dfda0f0d969c13ee4c482bd991c6bdaa30
SHA256	96b5d90f8b1b0bbf04383e14df6a360b3b08abbbf34a8c26629edf8c073a367d
SHA512	7d93b17771267a8abb983271e73304ab68e000c3c411ef53456aa6288a6086c9bcb924222469a753ae8f5763888ea72391ddc32313a358dbad786d9a5badc18c

memory/2568-7124-0x00000000049A0000-0x00000000049B0000-memory.dmp

memory/2568-7125-0x00000000049A0000-0x00000000049B0000-memory.dmp

C:\Windows\Temp\QLOG\ThreadId(7).LOG

MD5	9bfac041dbddda0e1fdb42465dde7583
SHA1	040a6a37de3ac50b0de79485b2f28e997e539deb
SHA256	07edfdc2b9a0d178a1c50102583469128a01c3f2f349b48da8df02ef8a9151c5
SHA512	41b4b11becb15f876f3d3394fc3a1f26bee9e2171de9357c2bdf72d1967fc72fca5b33e2b7ddc72381f4e669eb568152a5e60bd5fa1e38bcaa34198671249f42

C:\Windows\Temp\QLOG\ThreadId(7).LOG

MD5	9399974a749132ef2371be737b1610a1
SHA1	4a13cf6c7c4ac57e7cf1808f9ea54c97b0e28fdf
SHA256	4fb972ea442843b943e0878a43f84f7c01f07cb718671f75192a06fbff046380
SHA512	649485b65e7fd23589012f78168730b884b78ad7e441c187181f898dd46dfdf969ee2e236f0bf0e90d4bcbd3935903a65546a4fdb1686101b7a2e1891f57a727

C:\Windows\Temp\QLOG\PANIC.LOG

MD5	1d5313fd2bb669f1138286daf72c171a
SHA1	8812ec1f42a8dcbdfe903c61738b89b85643d00f
SHA256	8d5e0cff733142672b4d86a8a55f674b7fef86389aa4a4cffba3e180b8acdf19
SHA512	ba11c3811d026f75755d25f3c2ae6ce4d3d8dd50640cce6634d2b940090f07ab5b58717d2e0ab27e207f41892b58551c004d1524d9500e12009d6011dca8b0ab

C:\Users\README-RECOVER-QTduEqZI6Q.txt

MD5	97470255a6601ea674972f54eda22b61
SHA1	0d06b4e74161674011cee5ffd1ef0042c823888c
SHA256	2a59902ffbc5298bc85801475ee0aec2145643fb89508f341541207d632c3b95
SHA512	20898f45cc638d759933805b982cb76d12538e14a93e1156dc95faf7f44159abce4f0c3faedfda116d49595a1f3937f6738f9d688d2e889e9693ce417639e142

C:\Windows\Temp\QLOG\ThreadId(18).LOG

MD5	ce795d8ad4b99939aa9e3f0d9294f251
SHA1	5025814791b6768043f9c0f64201338151eebef6
SHA256	1ba7ca4d42f55f0ce8d3ac52a6d56cdc52fb8a4a1aeb82fc241ceedb67ea3b32
SHA512	32bc2e2964ea92886c9681228726aaa6abe0facd41ab6298afcc1016bf924b9db9e6dd660444c9e8759c8ed2e5b71dd13dba9f2316ba1d69c7efcce0554c411e

C:\Windows\Temp\QLOG\ThreadId(16).LOG

MD5	c63c720cf5910fb33cbc7812c591c1d5
SHA1	71f8d224c9919774034ab4020cc1a25815c1cebb
SHA256	c8c2eaa71e1b1ac7b627c0a67124e62a37cf09823f2be28897f9c9fbad46c297
SHA512	4d3a60f6300587d91a36f5a20323abb6d79a78a14c0c59c135678006c076d4abff0ef56b1e93a4de9454c9e124edbf27c07e676982020053c3f5525176bad9e4

C:\Windows\Temp\QLOG\ThreadId(16).LOG

MD5	f73d45f3063bc28dd52f79890c5001cb
SHA1	7a94724cf568b99bbbd19e688368e71afdd96301
SHA256	d5b2ac3f13aeaf367784093c03bfcc9017f2ee9304752599a357def73b82c548
SHA512	8ed8c6e02ab3cf21fc9dee236c95e7d269ffd30ffc07efafbd3f7b732aa1255ba9cccddfb0f17fa350e13327e9aa07edc25429395c5220e3511f55c83cd19b7d

C:\Windows\Temp\QLOG\ThreadId(19).LOG

MD5	cf32250209b784468342b99e011b0d80
SHA1	2b7b8ba1d9c4190084190f1deb6a2d5cdc89fd82
SHA256	14064866526409febebbe7a3ece4f51e007fda6f3732fe2625d9e81d903ca57c
SHA512	94ca573133552a137a69e6b38aa9ad1fefd34bbec3ffce8baa8ad24f2c9cd881603776244dab93cc455c1c2ac86679542562cb4a7fb7d6556f1a5d99d9ec20fb

C:\Windows\Temp\QLOG\ThreadId(18).LOG

MD5	faba6b97e4143d199a3200dbc3ca90b4
SHA1	771814e77aa62b58fb2bdcc12a8c9ba24470dd3c
SHA256	96180d02aff0d0fb34d020b9c9d12ee824635466fda18670011eabfbc8af8bac
SHA512	cd9d7c94bbf829cb0f1f4ddf2afc7357dffa68100be9129fe0816cda00b8dad147d9c1493470ba1ef0498407898278e670792308df4f29bf5756e2a21b93787e

C:\Windows\Temp\QLOG\ThreadId(17).LOG

MD5	a416de43fc0a86576f0c2c1ee0322fe0
SHA1	0485e53ca4d3fdaa9a7674b498b03f25ce4b12b0
SHA256	0d18471ddafe665367b01508d334d3777365db7fb0f4f0359a50b0721eda2fbd
SHA512	274ddd0f165cd105db2ae5a99ca5807acff629920314508ddfd445c830d4b216e2e6c48d96c1d5f215047710ea75462d93ab5f529942e6d02baf8e746ec31b3a

C:\Windows\Temp\QLOG\ThreadId(37).LOG

MD5	64db33b9c1e122bacdc5cc59d94d1154
SHA1	d9f482fc43a98d09f3629d4c346d613efeca3e5b
SHA256	55e35431b132692bb838b937de1d18ce14e36fcbd43f932bbc6fc24cafd61616
SHA512	f39355e7212da11d52dc62a7abf9aa4360e8dbe12340698d764327e3e85b15309ecc2d32181cac3a3511bf5181c700cd52bc8769269b7a5a042ec20d6da76265

C:\Windows\Temp\QLOG\ThreadId(46).LOG

MD5	2783547b506f3e17f74c15a68d1d81da
SHA1	36ad1b9bbcb70cd30c5834a3f3802efbec8df686
SHA256	e981fb7b067c0a65fedd3f9e33b8af1ceee4ed3381c5fe06e539d4c24fd434d7
SHA512	a692b5e115aa73b4a3f42e34f53f13aa4f300e6be5299bf80dc5d780f846b4e7a5316fe4f66815e0acd13d4294dad63ed5acaa39eba86f7b9e76a7ea742ecf13

C:\Windows\Temp\QLOG\ThreadId(46).LOG

MD5	e37c4083519ee5099b5219df807f63cd
SHA1	8a1c76306c1ea38ab6cef1cd3fa9f17698667c8a
SHA256	6c814ada1ee5b468bff9d156db0c7a1affe59e76c859bc7048d8a4be0bda9497
SHA512	0cf2121242b1b30d60a6d0928c1812456abb08114a0fed988a02d12848ef5f6676064fb6e80bd65fa54ec707b61e4a3c6d06b0ca40bd4c79f8f578d2d18fe21a

C:\Windows\Temp\QLOG\ThreadId(19).LOG

MD5	889d3a452e68fe771a716d239fd54e5e
SHA1	5436898a13a9a1cf04bed52e50fc44f3c13f6271
SHA256	60b80e7af99db29ff0436d74ddcc737f9dea40e74d9b021663ac8bd42e08ec5e
SHA512	27b3434736d3ad0f631487fe6c8bfd840cad2f2c81d42f4d0c4efd4c049b98cafe9a8b6b285d9f4cadcef647df4c482fb63d8a8815b2900709836af8892564be

C:\Windows\Temp\QLOG\ThreadId(16).LOG

MD5	89cf6a08feceb19996886b85a461e53a
SHA1	fa9c21561bbd129667877965f969d91b6f5b03d8
SHA256	b904109255bf502d916b415570663bf54ce472a549a38af350362f840c46288c
SHA512	531a0ff808bd3db367b3233746ab748da45472496e9b0f1b751256eb3c00d8ede9456f56577966fc809bee655a287b1d83c659a53c2e7f2db54006e8af1eae0d

C:\Windows\Temp\QLOG\ThreadId(18).LOG

MD5	e3fcbe5c2948faa532e042a3b10482d8
SHA1	bc7dd874d8c501b0ac085f73249330fe0cf0a7ed
SHA256	81a55f29d926e4d04e6e8cc688987c495f1f9eb01ad57ad2c06792e8c6bedaa7
SHA512	c1302d1c943378d3e4b68e2641d55c962ff91d557c64358f48bbd31751986414473443dad1cb487f22de1af7c8c927bb4ba250bd1fcc9dc4a535145e3776331a

C:\Windows\Temp\QLOG\ThreadId(35).LOG

MD5	14a3ad4bc10090cd0b9c374ea0c63ff4
SHA1	10a00d3c4e5f143ead8ea57fdc2bba1ff9a7bab5
SHA256	32ae2c2be0e57bab2bc25cb1dfa89b5531248becb5b94b4887b436549d38286f
SHA512	fdacc96459a32229674622cb073c5bc66a7e47608313b14eed442ad7ba034875b0dcc40333d54c71df04c56609d7303012049493bfa038b9e223b86eccb66a46

C:\Windows\Temp\QLOG\ThreadId(25).LOG

MD5	e2141091aed8b687178b6d94993b5e92
SHA1	624797a28b2a9951eb9b356f56dabeb324d3c2e0
SHA256	339eccf4aee3c7545c8c666d513bcf511d782005552aba028bd0abb0a1f3b133
SHA512	b3d607c98d0093d6b4eef1489343e1062ad02878a050b5d6c717c4e419f1136b2f5c2d32e9d4779e93647e489c87f0285298341c829a3753a5b2b9817bffdf6c

C:\Windows\Temp\QLOG\ThreadId(26).LOG

MD5	e9d564c7b2d2a89c6b3bb321c2b433f6
SHA1	4e74c607924bde066b01bc3105cdbd9203527818
SHA256	80714579d98dbe9b887865ca7940ae1a57557bb12fa603456a5623629783efbc
SHA512	138303a4a59a8bc5ffd0e81dd0e76ed5b29d6569afe5d4c5c31c908eb2bdffb086a4b65b3f1e418f913d3ba224d100bba1de1269bf0a121cdc1a97936ee678e9

C:\Windows\Temp\QLOG\ThreadId(37).LOG

MD5	4dfb2aa6e1c2b310c7292338f3f53795
SHA1	466e2d42fd45dcce9ea2147ac595c91530073112
SHA256	31b14faf6a8e06d0424cc384fa53510bfd9311d3da717e9f53b39ffa77a06db9
SHA512	d4abfad1605595d8568b53dd428f39b92824890c86d5bc026181c634ba123d1d7d84c2bc40a0d48c07ea9984c3a09a96704de7e02c9af2714be4a28e93c4418a

C:\Windows\Temp\QLOG\ThreadId(45).LOG

MD5	e528a48cbb48ba600df69ecf3c8b6e0f
SHA1	51c32b59bd04855312284a53a79e1e4c94f1e20a
SHA256	f7cd94f7ca619441723aa173c659660f5ef36a935c18ee232f632f5b2625cc78
SHA512	2d8a9673b8adc1ff0aaef96a75d31e480af678665e2fdbb0bf65c793f2b52247cb864e02bf7381da37c9a5739641ae0cae99a6a239e7e2c8ef4d10bcaac72a86

C:\Windows\Temp\QLOG\ThreadId(23).LOG

MD5	756bb85e6eb7ffd92a910caa24d945ec
SHA1	775539669973d63aaa02417f544c2d458b2ee761
SHA256	d9df47c2a8da69631eefb5e6bbd8ba2b4c2eea7c2a6194907359251ca0a344c8
SHA512	5a6a87356a80dedbc0ae400c86e9c016aaa5b1c3fcfd41074cae0ba2cd09c6fc900f3c2752d45ff642eafcee64d0d28bf3dd093ffd74db92c9400bd464993e5c

C:\Windows\Temp\QLOG\ThreadId(39).LOG

MD5	7a564c7f74056c6b27e9be46626e466f
SHA1	82a9e45fb6ed112614946e5e26ed9efef7cd5726
SHA256	338585989e917304c127d623eb48c8434b374a723ba729a20771128e05826a5c
SHA512	8372636a95ade19f4c0691a30f27533e8b8e18a29a5236bf5330b26d562ab67f707a675a9cdd666be0e3934d9b74d9e78ed69e11f9a1f91bbcaadbb1c9a70c09

C:\Windows\Temp\QLOG\ThreadId(44).LOG

MD5	1fa3157f9a196e2367c6114fa76a5b70
SHA1	b4def7ef8662f32b511111371c0c5e5ad06c10ac
SHA256	ee5563eea908d7aaad652f9ec7b9a7ebddced152aae6673c0ddebbbfb77681a2
SHA512	13b540e9b52b7187b02a17a92527aa2c15657b957e4e3c16c42567c9c7f0e4fe844ce1ef8757e76057a3befc48b2830e7b4d6267b4600e3444e83d22a2104028

C:\Windows\Temp\QLOG\ThreadId(36).LOG

MD5	3b27827dd07bd98f6d34d62f6e1e71aa
SHA1	43190dcfd4220090c084a714a95feefe2db9c9dd
SHA256	076811fd3ccff97d0a104263a839c4b8ac8aefbaceeeeef4f6e52bca56cd83c8
SHA512	aa532d4a4c932c6854a594e5ab8a39ed5633eb79ba6cb046a0128fcb6acc977f2bee583692f12592c79999f1317a60d153b2f387f71499e281183f63880f3136

C:\Windows\Temp\QLOG\ThreadId(32).LOG

MD5	b3d5ede259a8dc4068d3eb0f6de5f0ae
SHA1	8cfef331fa847ddac0e7b7ceb905efc45dc15387
SHA256	70c47cef7b07b837ef90c4476b502a12bd1aaf253a6481ca5224701370fd3dbb
SHA512	eebe780ed45da92aafc319abfac76dcc4a9598d3c5c6369f04122dc839220d98337098a6b7552dea731cb1fe3c2d28f9340cb8f957dd951698eca581aab02837

C:\Windows\Temp\QLOG\ThreadId(31).LOG

MD5	2df4e696f7dcf2eb7ecaa21e4f40e26b
SHA1	1f662c0a9a074919df7835307936e159466e5395
SHA256	d6a5db038cb264c6058ace0319204911348f18ae06b3a805e54746af01847b2f
SHA512	8fb642f91f1983b33e5b4e88bb7847b11be737afe09d23b81d1b9c4e4d716320a7135e6e89252f23e956bf7af2402a59417b54ec4f7e89f0672e772bf920f444

C:\Windows\Temp\QLOG\ThreadId(28).LOG

MD5	bc544bf7c4a3ce3a4197a29641135038
SHA1	cdc7ef5ed98fa7c617c0809c425d5acdb69d4563
SHA256	c92d20c7c560ad0d9161277bd7785ebd8ee46943b8956b1c1378b4e80781b0b7
SHA512	2727917699f3aacac4a5bcf0ca25c41e9dda97160f11674765d76c5ad5c5fd8d687c7cbd31acf5f9cda62a1a41f9a02429a813fe6a025faf0ab60727bc1e5517

C:\Windows\Temp\QLOG\ThreadId(21).LOG

MD5	8ec2bb78470acfe1a5c91b468f833f36
SHA1	d4e9c281514f8fc0801c881161112649811da60d
SHA256	ef1fa2a0cf2e5ca8a22de2ae57b74711a87e77157a141c7cbbc7c5271396732d
SHA512	105275b9782f9d180fd7dcb1d5fdefc84167e4f4b6a867d2c9513eab3529c6c2c26b1f6d52a57531b4ef2e703ec30f36473339602ab659b5a989e6637f6cb473

C:\Windows\Temp\QLOG\ThreadId(17).LOG

MD5	6bfbee6f127bb006e2d6cb3132bcde29
SHA1	438d6c7013490712cc2ee1a0a3b720e536331bb4
SHA256	2a11d06d691130d421e0469747b8f58d962cd47377796971c058fc8541504112
SHA512	ce0e9dde32a62a71bcbd3a6fab7fd83f119908de943413ca0d3ecc2535678a4ad64880094423b0fa86b0a7ce05ed6bdbb495000993bf0ddacce9263c6c7bad9a

C:\Windows\Temp\QLOG\ThreadId(43).LOG

MD5	80af070eba73bcca9989cdd28d9dc4bb
SHA1	42bdb4f31555c33999c91a1c1af38d0710a2b4bb
SHA256	e05dcf39e4c9205ed0c93e0a3f8d97db65be7b79ec83f36cec4aaaa70f28b11c
SHA512	d52e04ceb7eded77c0afdd5c863c0b50b25797680fa79e853c39cafa6450dca10975c16714a33332f2ccac257c884be048fd46bbf66cf34e9e364a309e5d7548

C:\Windows\Temp\QLOG\ThreadId(38).LOG

MD5	dd4019b3d3371160bed13801008d2b21
SHA1	43f69d97428eced68ed251fdb914a0425ea5341d
SHA256	6d27d50c2a502009033992fac7ec02c3241e41007ed1574c23ff85837e2e642b
SHA512	238b02c77d3e22f5d6302e57eec66bd8f076e9f0286d20ca831e0b3f7dff2cce79881ff76a5d613459d80b029c83906053f9a39064535e0de32cb63221787d8b

C:\Windows\Temp\QLOG\ThreadId(21).LOG

MD5	330ed9927f5c7a5b239f518033bf2843
SHA1	6882f8da71bd7ae6f4132e43b9c3965019cb8a6c
SHA256	a70b57eeaec21e7ad75fc3f4ba9488ebec6507c9c86e7c0fd88d13c7a728b65d
SHA512	594664c676d4166335a4c0d7520d0309ca6bb81d9aafc675ad0cbf1c44df13fa8816553e4dd593d28ab5b15904884a0370262ce175ea4b8c05a3141d8f71eaab

C:\Windows\Temp\QLOG\ThreadId(48).LOG

MD5	f009ebd12947d95a357fd8d66cea2f8b
SHA1	dfa136cf60c382e61421766b8252384df546366d
SHA256	6871223dea39d242ebad0de8aabd538d7eda7abe0512287c2e27d8ad7449eda3
SHA512	ec29473b5117e37271fa843f885d210a944b37c48103982f600e3396a53f6b3fea439f0927edb887a0f2dd2770af19c706ee208d9ca15b891eb41c845d5d4be8

C:\Windows\Temp\QLOG\ThreadId(32).LOG

MD5	e793ec6f423573181b70cce0f3c17393
SHA1	6c5d8e3a97b8de47d5c426e53817164680581dd1
SHA256	50b265422a2c35ec1b5bfcaaeb9e75e1e2204688cd507711c0c24f99646931c7
SHA512	06df2752acfb1cb672abc5d29ad0ffa3f54f84699aa0606d23d4264ee37b65209751d777f02a99db9a803a59d4a8bfe08b8d7f0803cddea0129d24b6498b0c44

C:\Windows\Temp\QLOG\ThreadId(16).LOG

MD5	33118ad7e18e9d9cb190a1ab4b8ce21b
SHA1	0d809764d752579e23e3f365fedc6931b2b72d05
SHA256	6a0f0378d9c776a98ee87834991fcc40a59979aebb1260f147533bf9fb127b08
SHA512	77cee45f352d666c7ab8a51c03cea0e9878db53bf6252ca39098e786f1b0d02a6bca7594b545db47088c73b38b4b94e54201ef452e07014435e88aa61ae1513b

C:\Windows\Temp\QLOG\ThreadId(36).LOG

MD5	9b3dc1b419847ffb15cfd778e13d1ad3
SHA1	1a24060d694f1ea1d7333dc7474a4b5ef62040fd
SHA256	2c3ac4e5a9ded24567cc3e99b3f65ca8a8eb9a29bd2c07b46ef42d3256f3195d
SHA512	b6da2362a3f470340c2fcb4cbd99a58e26abb63287545896990ac9aa506dc4e19c2d135bfe211c11609c3329496a54c64a91e6a692b7b4745145087f35dbd2b6

C:\Windows\Temp\QLOG\ThreadId(33).LOG

MD5	38611a6c177ee43412a5e129be274e4b
SHA1	e03a4c5194e8fa19cdbe89f1472a6197e271c89e
SHA256	cae29f69d7a257f7363f0468c504d612d6e67947670ce52906610936f4f30454
SHA512	37517e5f54e70a47a54bc33999f3882092be2984a92223d1065352c7f98aab7400e3a41f5d9ea0429bba2d0d529b100d4465962a28a9e9f4744fdad9098fc44d

C:\Windows\Temp\QLOG\ThreadId(17).LOG

MD5	3be7e89ee089b87455cb1a21815ec96e
SHA1	589ffbb7bd78c057ef8f76163df34b137aa10d25
SHA256	02a17d7a4d12188dc2d0c095fe7dea7641c878f4393322d057c07523c60ba74e
SHA512	913a3a7051446d28a41efafda7b6814ba2426360129d441e207405d5ba50f6bdeee2369243b751b7a4e70183f49cad5355a09bb95c6664bf49d486aa592b203f

C:\Windows\Temp\QLOG\ThreadId(24).LOG

MD5	23ee13b8ec92eda03f93f119568cc3c3
SHA1	bc81049bd3540ee9cd3a259ede1dff4a65e69643
SHA256	9bf1e8a8de70405dcf0ccb64a9a42feedf5ab5272081f8a4db269a00f388209c
SHA512	1bf3f7ff273ebf9aeb892d31d8eadcebf6c549077eeeda19224341821c86317ec7dc30bdf80c9e53bd14a326534e76f022d6033984409278887ee954e3308126

C:\Windows\Temp\QLOG\ThreadId(40).LOG

MD5	d8cc8e68843cbfcc82ce08f9070b2e38
SHA1	3307ac727e415b8ff9b121d4611468e10a4d2948
SHA256	64dad672c9b171dc8e6d6e601bd25f118b8193e50eec4ad95256fc8f12273133
SHA512	606844296888f3d824aeeb8c529c793579a985db64133054949ee98d01caca2838cf62e36950313f0f0f08b79d2bd08c52123030e392f7c19a765228c6a257a0

C:\Windows\Temp\QLOG\ThreadId(37).LOG

MD5	b193a08d58d2bb2428d87a6c56fcab19
SHA1	d674b39c364164bd7ecfd824fce1aefb48899027
SHA256	b99eb3986d5217bb2c0b75351d43e1be592e4b574221bb2800d3a22a9e4b9032
SHA512	99c892e397ac0c947ad0162be9891aa7d77fc08ffe8dcafb5902c4b0f2e54ed9991cab011e68364d83f92286da16dbc74afeb1edc3adcfcf7f2a01f24cb8da72

C:\Windows\Temp\QLOG\ThreadId(34).LOG

MD5	186fe52f1a3e68bdd40c2c80c9e86131
SHA1	11197e26a74f3d7fd91af935d923665a144da104
SHA256	032a1b95f615703e73fdd8cb841d613e42de1addca7e376674c982a83201fa57
SHA512	0a479f174b2f3022c15678fa2e153131d4244d6076a49ffee43fe793024768bc839ba345bd2221b981051bf813861a4f965e945aa3928e73a21159b73d70d996

C:\Windows\Temp\QLOG\ThreadId(31).LOG

MD5	6821701532ee6c6bb3f6a6d8d3a82208
SHA1	56c99bcb88ede0d137758582308b3fdde5a75516
SHA256	3feb77e8c4215987542550b4a8e126fc78494e8621d2a63dca0632da0ededcf7
SHA512	466314b2a7c4bbf94bb21226f8a413b5d3c0f7448ed52f6738cf3cb2c4e430b5b6f0240d82231ef11217aae7f2e6beac7869968f50c3e57222632fcc56b6294e

C:\Windows\Temp\QLOG\ThreadId(44).LOG

MD5	746eec2f8d4c5852452307362ce2dc98
SHA1	f8473ba948a863f1198fa943f9241f5124a49e77
SHA256	19ce04b56aee5b24a096674b1d2d85a8bb6cfa4c540b4cc0bb9a626f0cc116f2
SHA512	66f8a4b9c7a4b8aef37098b4194fa546373b0b91540f0732d117bb330fc8f3cd39be58a8b1db5cd650a025f672ae62629def7a50d90226236c877c2e04884c62

C:\Windows\Temp\QLOG\ThreadId(47).LOG

MD5	6f30efb7542b0a0f651b34f09b80c3b2
SHA1	bb5922e5f3f247c6e9417b494237a43202f01e08
SHA256	666f0bd4435b8f752b01189c3315d3bab356671bfdd19455195276d778fa2cc6
SHA512	092ca2b25a675e75af725310f21a30ec96770850ad190bcfa9e95e29f175927fe8a51fdec9ae23c3c5979fea43dd4f0afa9244fc02f345b2f12903b0b7d37ac8

C:\Windows\Temp\QLOG\ThreadId(41).LOG

MD5	6d46b724302f60b573dd7269e656b452
SHA1	a62f7ade6e7def8a2b6c11348ef5b2dc8f44d252
SHA256	3eb224412de2383f50e2e19184ef939061aea76ea570779dfaa9a5b6db43b662
SHA512	253c3109c05f8eb508b8e031a73996b17ec377d8cf5629c58e09da722a28db71b3124b916f2ec1b78f941de2eb532738513d029ddf50f964fd09901ad8130227

C:\Windows\Temp\QLOG\ThreadId(25).LOG

MD5	3e15cc5a476086d938176426c7a840b5
SHA1	06713a2ebb45ae4477512f41f62dce21c31313ab
SHA256	0e9d3a1789cf532a851ee48ebdb0200d840ca2d7b4e9216d814797b854a47b0d
SHA512	3e2c3dd37237c3fd56241f56d05057076daf72c2a57a5a2c13f2a7bf7b5064c83dc82e4e7fa4e70d14200ed9bf989817bc63570f6c31bfcd09a924de4b7daa06

C:\Windows\Temp\QLOG\ThreadId(30).LOG

MD5	5ddca2f9e358e9ceac90aa82f14f5bb0
SHA1	f68b7129b6e2e60521e06e2daea21c7320558f96
SHA256	0931841779659c73ce2a3fa406e9272835c130206438cf98a3e24e1a4cf84945
SHA512	b66de52ecbbbf5914972221417f1e093de9c0c3e545376c625743b61042b9192c98bb3d4e2b49469373190a8d659970fc2f28baead2c021a307b978d1d280bc4

C:\Windows\Temp\QLOG\ThreadId(20).LOG

MD5	03303c03012e402605aed21f0292b49e
SHA1	74fc24632fbdb17f497b9a50b17cbc42df2dbf07
SHA256	d398cfa73337d785a8adf60057725f1911af17a1fc7944cda8bb99e2ec71b54e
SHA512	6e3055f52363d338fa09380b856866bbe2c388d9178fe631e0a5c14439eed46d23082325dcc87739d34b1635958c5031bd60f95e22617a9b37f848848154dc20

C:\Windows\Temp\QLOG\ThreadId(21).LOG

MD5	ef22b25aff0acd461e212e6c8581ba81
SHA1	258011b8c8c751ebd600713c736fcb578ef0448a
SHA256	659788a7c7c3f930e76d3060a1f032f4b79e983976faa103ccec619dfa2d6e80
SHA512	f32e66ec1bcc417667f399bf064d43c1ae0975744555ca6fd460caf3cf8cf2ae631671ce9b7c4c6c1f38d2d5124f81dfc8c830ebda3ae63c6135397e5cbe8ceb

C:\Windows\Temp\QLOG\ThreadId(26).LOG

MD5	4b113c1478abf750a82e6c655ec65964
SHA1	cab93c8c83192c1821f3a1c9e6b440a4aea23cba
SHA256	28e0978c962588534e469f200b6c952f6ff7192ae14984d0aee93fb763f61ecf
SHA512	1f14100b22d1293b1a1f28b653c58c30c04af8779f8fd74d007fe5873e2cdc4f85e8866fc45e4411ed5e64b7911d03f67e2cf17a48e46e0fda25b6435f373610

C:\Windows\Temp\QLOG\ThreadId(38).LOG

MD5	c18d2dbc8a47c7721cb53f11fd848f52
SHA1	8c00b6b23c24beadf6cf7286288bcdba0455734a
SHA256	56c42dbc040d3df3a75a57f10872cb3f33d5ad27defed0b194005bb650e63c5c
SHA512	3e3160f43d4d4d92fec897197417dfd498e220b648d7f02a56993fbcafe179a1afe2c2d86b228aa8414131ba3540407c69e6a0637725e8883ad91de2d190f796

C:\Windows\Temp\QLOG\ThreadId(39).LOG

MD5	977ac83ab98f15296f9cf2deaab7800e
SHA1	4e66207073a4bb7c5c1a8c3a0dc39a7500ad1a6c
SHA256	a4ffbfdfb41fb8819ff63aa72d64b0ebb461c59ff49eb11b9ae4bad919cae102
SHA512	710f00173f12065902adeebc3e208bf5ed638d3d8f97b0ca96cbd0658b7d785a53951499b3cceb78064dfcf0036649a923f6fca193ef95634afb85b67607a7d9

C:\Windows\Temp\QLOG\ThreadId(27).LOG

MD5	6d2cc4ce455729504447399d84f51af0
SHA1	f614eeeae387896d1adddfa0bd609c92cb0e65f5
SHA256	e9ec889b177e3f1f5a84dae25752a5436a1c1dbae88d271b990fb15ed3c49208
SHA512	915385233a5ea9e06e195b488a00cdf869028888033225c475c59f47b8e3fb344d32a48d5b88e8040e0d58fd467154b0c461b2dcdff1fd6c78fd21fa495eb2f9

C:\Windows\Temp\QLOG\ThreadId(32).LOG

MD5	79921cdbbd89b09033f1aad87f055acf
SHA1	5f7a37d28d75587d938f8c47ee5168e718bde6d6
SHA256	81dc7c996295a0379007a185d157b50ad678811cf3e92cafda2e252f80dcfd45
SHA512	6c260ca66900083a99272bc3e6f2203c47b2f78b94bff5b033442bdaa7d8019dafd1147284fd7a89c0af91f0b96450030bd4eb09a8dd6cee89b31e29faa31a73

C:\Windows\Temp\QLOG\ThreadId(28).LOG

MD5	6e4dd90e739d729ec2588479dd8cbfda
SHA1	7d9014d73ea17515b63d1e9c399cae85ed2707d8
SHA256	6c8884612499946fb108242a5c19d02edd0856a3ae1baaf4c8b56b65012d8289
SHA512	cc1e9d90e090f642dc2721b3049575b6f109a0714cb17e4a1a4fd1505ae50c80e5117fc57e8d73cf2089acd8ab42e574093ac2bbeb9830be1abb10d77e1e0cb3

C:\Windows\Temp\QLOG\ThreadId(22).LOG

MD5	cdb373101500c03524b584d7123acb7f
SHA1	737e8ea3bf757ecdf44645fe192c67fb19c7528c
SHA256	a5a5e437191cc37114c206adedb458fd39146a102ae491e91014b73c269dc5ef
SHA512	98b35bafa1c0879d9ffda75b3cc385ece43a7846127acbf6068e5995e569cca8d2e25844ff90fb8dd996de6be7ec8c793c49b1d3c5e76849922862ae4e35b418

C:\Windows\Temp\QLOG\ThreadId(46).LOG

MD5	80bff468b974fdc9e4e3857cd2128658
SHA1	9e8dc6ee19f9c7f8ccae1a509301f013733285da
SHA256	e5076d0114e4629e80a14eb2248867d440a10a16808229f32f124c51a491c756
SHA512	48a941afc3a2bfb6e1e73545ef36efe6c21e2dd9d5c4cddb796c6e552ab9a199d74e09bd9d214f5003c3859eb21b4e24801c1591ebcfe2b115ce303d53906bc5

C:\Windows\Temp\QLOG\ThreadId(17).LOG

MD5	e4749750c0cd531f7d0456ec400f921e
SHA1	0095f911f2ab3c8fca51930b085cd0b041bd850a
SHA256	b026aad7b0cec0ffe63b7bf36246b7443df5ab18130a37a6242915706c22d463
SHA512	653a92ecd4d1b6521f240db6af635fc43f863df09000046a9bbf02a67c873c1185956d5a3967c9d7f988995a42cbe4388a0ad30b4a50ea3556d5e1d652f0652d

C:\Windows\Temp\QLOG\ThreadId(38).LOG

MD5	93109a2ce5a8974eeebe9d5f3641248c
SHA1	7ace6885d09b399e6320875c6e3622f8089a8e92
SHA256	7d0da9af79f2a279d4db35bb327e52f68ed0de70feb5e02ddf985ad0c478541d
SHA512	3ccb3bbf22909fae8fb15cd628e7f69cd222b2383ebfa6cf33158054cc7de628c8d70d1ac3642ee458a6fee0cf8d621ae830a748ab31e427d0a4b8ac78a41bb7

C:\Windows\Temp\QLOG\ThreadId(39).LOG

MD5	f62427bbf925368118f87d12049f33ec
SHA1	f246913c4f6debfcf209d7c1e0071f9200262317
SHA256	c1f47d902d1faaf6ead0ce480ecbe618d0a577a981aee90e9d7d4e3cc741a11e
SHA512	7c32eb86ed710cfb1f5ad64fc195d3e458cf157d9ba34d3add4cdd4521eeef2c5d367572c1f589325c516c58e23a3fb49140f9335952914842d56fa2310dfac1

C:\Windows\Temp\QLOG\ThreadId(27).LOG

MD5	05b48f11ed4a0df26a6aec48929b99a1
SHA1	e53c74e81b74645dc205b9092ac167f76ed6fd0b
SHA256	a5b017424091c7beef1dc64abc91285da767519a1d31acf925a5c76e73d36cea
SHA512	1c19d87c85cee639e22047b10eca598097ba73f8f9077d2fd0bb4e8b4b1b332ff98ab221a708befa72fbaa1157e54684a386ae3635ce88795cb737dfea96ee9d

C:\Windows\Temp\QLOG\ThreadId(34).LOG

MD5	792d1b8b4ba03013a3bee2e12aac77b7
SHA1	e4f36d2ef9b16bf30cc58c9377577dd9d87cdf69
SHA256	732192a1259cf0aec45fa94ef729ce662444a0542fae95bd3b832474fd8b3378
SHA512	660f8005be4d3a0000e0de79b279164499f3ea13cd7065381cb97d8d425e00ff9741484f53c7abf41958bd09cf57058832e6ed9af718aa84f2dd2299a35f1b25

C:\Windows\Temp\QLOG\ThreadId(30).LOG

MD5	c759251a0d0afd63b169801f4b6a9148
SHA1	085a6122ec84f21ae45fbf335a5dbb39e2a538fe
SHA256	2feb27ec852f43bb63b214ea7f75f7ba868da118e60c986d1d8193f77c83f90a
SHA512	354007c9aa59bcc1df3268bb4aefe1959fa9816a767fba5901a877cd6e3e049d16951c368c4bde31ecd90be4b55af773453a9e8a306f866922871e09fd7c7d69

C:\Windows\Temp\QLOG\ThreadId(25).LOG

MD5	0a2933e02524dbb1215082d8c8318fcb
SHA1	ad3d399d636e9f720c5b9e06c58d5d2c8d16cfc8
SHA256	ded9d131d07854d2e965fc52a80e978fb6ed1024753d7d33863a742071072a6f
SHA512	534c4789bfdc476bf2326433c5506472865a7012ef33e6c9edb093a3650cce54b2f7ae3302afd841ac78d4ae583ee0920d55a50c006844cd72c1a8a8a36169e5

C:\Windows\Temp\QLOG\ThreadId(35).LOG

MD5	189065a3fd39590d7152d82ffcf1a435
SHA1	bdd38f805bd33f8ed47087090dea2978d3350e58
SHA256	03ccc9c5b75aeb2a947cd5286c0d36f9de95bf7105ae2ec3fae65078d7521792
SHA512	72d5fc1d2f9921c0295523de1581bad24bd6d2ade332ad4d2cc6395a253331d7c0faebee2dc0f4fbbbdae9054f8196ddef184c8ed0141a7a41ef340bc8c517b7

C:\Windows\Temp\QLOG\ThreadId(31).LOG

MD5	1c6a0aa9a407fc759d199b329a9c2506
SHA1	6bf6ed57ca6931ce1358d55ba14f73b91ac79a47
SHA256	b7a03d35c841bbbf027f3429a05ee1b4a28f713a1f62825488b458643e1a0e7d
SHA512	59f30a402d3a837080a211a158b6cbe85f0629d7cb77aa299ce5d18983e7444c9c39120f5d35aa6e5a26fbae9cd11fdefbf45a9124275b36cbe67663caa6357f

C:\Windows\Temp\QLOG\ThreadId(46).LOG

MD5	48056ba82b65d161089c7a676c00de56
SHA1	c4c5a58cda0b6beb8018d42e8d01cbeceb5b8c52
SHA256	559d249d640aa6be1917f7db9184a24589709ffdb6fce1c8d9b8831d215ab99b
SHA512	4c8d16c654c8e8d54db365c40977972bb74d22b570343fd693254315f0584853701a468b8ade39b1633f5086a35d22b2c32a2f46edb8a3bd17804affed464b2a

C:\Windows\Temp\QLOG\ThreadId(48).LOG

MD5	98ce74bcf3768278a209731cdd945abf
SHA1	09be07273ba252be1f749f3449f6b5baeea7ded8
SHA256	3c9fb7bd48f5142965c49ab1b8bbbfc233d6a01d1258e6284c2bb24244d3af6a
SHA512	193e994b79d2928e8da9356479a01e90f97ee390afff45837d26457f0b8bb713c9c0e55b753f2e5bc83d123d58d4cb6c5ac23f772367c456d4b4ec70c2b5f7e5

C:\Windows\Temp\QLOG\ThreadId(32).LOG

MD5	5814fc0157736b782260c5bceca2f970
SHA1	99b211ef70f7e3d44676bc481c3802a9d417a46f
SHA256	eb58b867649abdd12169d47f923977f0dca9936adb464b1c3364e379ed01124b
SHA512	65b5a1745e74e80c31e09ff28be17278772c5db4e7ec06c6acf960f02ae641edec60df51a25d064e9a7a27e61ab8198e4267bd7eaeb9e7fb713d1f7806bcc78d

C:\Windows\Temp\QLOG\ThreadId(45).LOG

MD5	962ed4f0327033e1b4b0d42ec084eca6
SHA1	51698678c3d1a40d59e93311faa11934c5f2e962
SHA256	7abb844d371fd0a518d2b381eb9e06cd9ca851e5e4e4c66be9e7cf0a502e4b88
SHA512	77b18cabea408af47751a3563a7d439f1c9313168192869e63d40c11e005baea10b259894e5718f0930bc6bd84152416b03254966640d5f3d74e5570d394d6da

C:\Windows\Temp\QLOG\ThreadId(18).LOG

MD5	5d113a20213bac2d80b051972f877cfd
SHA1	21984d538e60c4ddbdb8c29ce3edab423cc04625
SHA256	4754046bd5e9b8cf1f7626d8c2cd999b4ef5d0d6bac197bb428b25a8d2649352
SHA512	2da2412cc0aae60d89c622d5e008d6bdfc1ccb8059ab9da26b03dd9172f38c12ed5d8bb41e4235ac661a37cf15854c4a5d7997dafc4e8117d40cbf116dfc9619

C:\Windows\Temp\QLOG\ThreadId(45).LOG

MD5	962ed4f0327033e1b4b0d42ec084eca6
SHA1	51698678c3d1a40d59e93311faa11934c5f2e962
SHA256	7abb844d371fd0a518d2b381eb9e06cd9ca851e5e4e4c66be9e7cf0a502e4b88
SHA512	77b18cabea408af47751a3563a7d439f1c9313168192869e63d40c11e005baea10b259894e5718f0930bc6bd84152416b03254966640d5f3d74e5570d394d6da

C:\Windows\Temp\QLOG\ThreadId(32).LOG

MD5	5814fc0157736b782260c5bceca2f970
SHA1	99b211ef70f7e3d44676bc481c3802a9d417a46f
SHA256	eb58b867649abdd12169d47f923977f0dca9936adb464b1c3364e379ed01124b
SHA512	65b5a1745e74e80c31e09ff28be17278772c5db4e7ec06c6acf960f02ae641edec60df51a25d064e9a7a27e61ab8198e4267bd7eaeb9e7fb713d1f7806bcc78d

C:\Windows\Temp\QLOG\ThreadId(29).LOG

MD5	e6cc1844f788badc3814ce1501227f5e
SHA1	e6eea9e3679170e4b650b09a1bb583f1b4e9a5ef
SHA256	dd3b3115188b42bc5aabb2fed607c1548d5656a0119527835f2db9cc82f4dc63
SHA512	baf37e9e6636521c76cb5b84888bc4774a6302a9d9a8062f20ab8e547f0aeb1939a4be5882be75230332b94f36ff1ea83f108c5be1abe35f5e8d6dda5b4d76f3

C:\Windows\Temp\QLOG\ThreadId(19).LOG

MD5	3e08964cd52f678cdf7ff797a885ef43
SHA1	eb580999b1fe667cb72d11e03ae7aab9f4d309f5
SHA256	2143c46e5cfe8d508d303a4c5637398b932c28504acd3316552bc85df5531ee8
SHA512	96223cf7ae391f734b50ec7e02d50113d040db5fb4a9a93cfbd6915602596ede6c29e86d8840e385a11f0882eb74a727c095c81f17eeeeaa753601d9f6099f8e

C:\Windows\Temp\QLOG\ThreadId(44).LOG

MD5	bdb441813f26760d3c67dfeae660b695
SHA1	5f7b2b829365230a89e0d48f200c1eaac4eafc8e
SHA256	9190203f321547f72e315943abfcb2385bfbb25f50b266f470a0c0f15d4839a9
SHA512	868e47396fb6dc14455a777e60435caed6bb9a0787acab04d86314396ef65ad808aed0bcf9cd79507840a8a683b88e06587823a19d5bae0f0f0e01fbbc9778c7

C:\Windows\Temp\QLOG\ThreadId(18).LOG

MD5	5d113a20213bac2d80b051972f877cfd
SHA1	21984d538e60c4ddbdb8c29ce3edab423cc04625
SHA256	4754046bd5e9b8cf1f7626d8c2cd999b4ef5d0d6bac197bb428b25a8d2649352
SHA512	2da2412cc0aae60d89c622d5e008d6bdfc1ccb8059ab9da26b03dd9172f38c12ed5d8bb41e4235ac661a37cf15854c4a5d7997dafc4e8117d40cbf116dfc9619

C:\Windows\Temp\QLOG\ThreadId(37).LOG

MD5	24e734e00485e559ee44483db3b0b9d9
SHA1	b40afb5a1c1d020322fc1784a4e43dbf574be69a
SHA256	c85befe4b6353af1154a2dcd706d35dcd603f68bea5bf41f7f5601bce3f50ad7
SHA512	358091416c3c29abfdc309cc181facf21bd6c1f780b053c590663008bb5079581311d5a3f623afdba1774ae1a8609623a283a6f2167352d2326cf5b5210b4547

C:\Windows\Temp\QLOG\ThreadId(20).LOG

MD5	6d3491d632a06236108393e23ef7fa3d
SHA1	17d1878b8b094e54c9adfcbc1e2bfd413adbadce
SHA256	ac695035880b5d81e6f0f443b474d41bb1153af1218a992b70eb058109ea7b51
SHA512	00f518ebf5443a4994e26f82e6ad51a8390910ef80367631e8f8829be47311ce701f8f54673d0ccd4df7efbee585b94cf4ed337b5486800c5ad474f333e88830

C:\Windows\Temp\QLOG\ThreadId(46).LOG

MD5	678d24367cfd74f9c8f1a01f334b3e53
SHA1	9505205090f6e815e485f7910412e189d236ad1e
SHA256	74f0723b076d975b5edcb61ddb7b0c2b730d020503b410355392b1384c684e00
SHA512	4065063eb1561ebf705ac68b3aa1e11e377b4009ed76c62497ecbc15de88be450dcbe58a8f7293e4cd8bf024992093e48678ef62a8bf45764f64b9448a580adf

C:\Windows\Temp\QLOG\ThreadId(39).LOG

MD5	17b6a18f8b67eadcc2fbeaf89569555e
SHA1	192990ce44cfd5c7c19e2e504eced642d6bbfe5b
SHA256	d8f6962680c4f3790f76ad5c59b0e2e8bacf02684339e7feddd5125184de1067
SHA512	21b3faa4826013dfed9ca8983498574e8a88791067f85bc3709bb446e18a7c484d7bb2a6346b5af90e81f61cf5c357df0770daf1f4d4443e91eb8ba396013dcf

C:\Windows\Temp\QLOG\ThreadId(21).LOG

MD5	cc6a323499463f7918f99db21b6d03d4
SHA1	eb8a7c3f292939700e282323ccd52d4d5c6603cf
SHA256	b5869849653104646553ffb8a6b42b773e9faaa1f9b6a3aef9ef1d0d8347da7d
SHA512	9635517336442f35ceab6ff98cc311e04358e34721e41463dca1932266fc5fe8d7b6fae0d9e6c5379d13101d3a4752eae4c20f2b9dfd0d0b81056c8bdd00c122

C:\Windows\Temp\QLOG\ThreadId(24).LOG

MD5	53083c60d72674bfe8c797bf45ce8d10
SHA1	be8bfe2db2535d55e9d7e02f43a02077e7400ac9
SHA256	6726fe9f1979ebca24c6e560e0e5a3ffc0509f93ef28b296450305f8820402ae
SHA512	cf3e8510217a4ca7f3eebf2f5fcdcca7bdce4a6b4bf6db98864ecddcf25684b1df76f041861230fc5cb9bc958bf9a21111ad2a845150c2f5c8df9b7550fb3aa4

C:\Windows\Temp\QLOG\ThreadId(31).LOG

MD5	3e62dfaea7a68dc8dcc59268788bfc35
SHA1	bf7fece2705eefef937d3883071fddf44575cef5
SHA256	83d8477926cc97addbab61084a031e5bc65f2a79368dcd4beeb68e9e41710635
SHA512	f60ec600b777996fcc1fcb9630cf8584ea2833b33c9a739a8918578bbc95c9d47040a8f43fc4a196317292befd5ad88a870be7da58f29e1ebdc3ad8ca30c1897

C:\Windows\Temp\QLOG\ThreadId(30).LOG

MD5	0182bb795a25060cfb2941123c60bdd8
SHA1	734d94d0f8e3ce7083a7e32da92b681d82e43346
SHA256	3fa3c6c62cc10ad13bf8e33fae35c97fd6dea57b3ed0361a519487dd7d9586b6
SHA512	689c2d1610b3d5b2b54c41cbad751a1b9407be21f6dcc2dbf7c1e8e4988907d4d941b677b9c06f38239e7ee349991ae4dc4130a80b3e64b3e7eb62551cd60659

C:\Windows\Temp\QLOG\ThreadId(43).LOG

MD5	85920aa9fedb37525f388d11034a7e59
SHA1	5153257a6fdf25697c0b6d33d4597edf3cb3037c
SHA256	32332801b70af0ece326e5e23f0e55b8980ddec0d069d424dcf97d5ac7c00ce7
SHA512	5abdbeeaf2c3558f921f7751790a45e9d861abc5c6ad796db3a28c015f0b99349f2bd1fbed9aa1d575ad0a916a3741cea154985fd18496b95e8de0740aaa8031

C:\Windows\Temp\QLOG\ThreadId(44).LOG

MD5	3c9a35e5aac0ec223cbf436fe9641360
SHA1	7ff6e0c6eb5b2592e0287065a8744dc4ff572a36
SHA256	52dc6bea3c1de40bf1d3d62844e1344df2b93d15167d9ea54e2edd2584e93022
SHA512	932126e3e6305085087896afe9286e4419b28dea5dbe56f610b83dac13e916119679c6ff4ca270a4177e545b720f3a8c0984e9f8dc42167e9f55d77205b61081

C:\Windows\Temp\QLOG\ThreadId(25).LOG

MD5	fb13d489c66a4abb396a73b827f4bebc
SHA1	164e37076426cd0706afb6face01113608f96f3a
SHA256	63a362bf28973241b041a69fc0f5adeb337dd1e6b262722b9b2cdf99e1ab513f
SHA512	3a3676d3d5b08a634d046e3382983075c4bdd476698f640fef1b76bca3a86f0c76ac66b8b0e75e4eb21ca72ca4fd7cf697b17fdc7e81411e12df23596c145a40

C:\Windows\Temp\QLOG\ThreadId(27).LOG

MD5	760e8d55b277fdddc0fdcd8f1fc7abb2
SHA1	dfec120238b427840e96d758f582e3d42918c540
SHA256	79dfe22cad2d73a527e737065c92bbcefe927a59d755efb480fceb944bd5b6cf
SHA512	d65cdfdcf592357a963c9e143ad9ba59d050c3525b7000c3ebba8001bb5d15f768399d820e0b60fbb387fc668627b77f716ecab7c2136682bd9a224db35307a7

C:\Windows\Temp\QLOG\ThreadId(45).LOG

MD5	348f695207063ff614716de2fdbcb263
SHA1	b4a12afa4a32df60ac098d5779b612e85d99542c
SHA256	ee9bf4462b0bd2a894ab81ea9d3f30baa9a9c6b44d23e75b86bf7e390d38e5ac
SHA512	c6122835bc9ca8ac2a78f243385460a6c745580e40520e6d6a7dda387132cfa8523439f2244bb38b46f5c5c1a997b681187221a689a7864acbdb60ae1fb93a44

C:\Windows\Temp\QLOG\ThreadId(29).LOG

MD5	2320830c7cab6ba3145072855590a036
SHA1	094b8c15cdba5d71e7315c798c24d2c7c7106102
SHA256	0da1913cde4d9d6e696cfb3fc6e334420db8a59bc7d648bae02672def52b489b
SHA512	e26058770149608a89880a0abf82c62cfb9d2431148f01ad72c5885328d328aea5ae2f9319d422d75c74ab00e9f1a00d9e5d42542509170826b159a71d1c7a37

C:\Windows\Temp\QLOG\ThreadId(19).LOG

MD5	7d5661d797a49e83f5a40697e49e555c
SHA1	ab0e8a69d0c04546644bc5fac7f97d09d1b94ba8
SHA256	7be2bb567aff96f59dc2fb1f5f5642184a4fc497c0f0a4265032bf6502deb7a9
SHA512	9fa3887b7e0d9215fdca8cd8c8b861a55043d68896d281a192d6aaabc39911b35b2a5d22b3a80e95c22326641af762a39f9bbe5f7230713143e3a05154dee353

C:\Windows\Temp\QLOG\ThreadId(81).LOG

MD5	d4656b1e2ce5b02c4c85119a064c934c
SHA1	a1cfb542d597381a8c3a41e4e259a79a82d0f128
SHA256	491e76e44d7db204cf0a80b9cd207e74065b495b1a06117ae0da34fb5f6b0da3
SHA512	9400d1a3c342a0180975e8c39c3320b697a1dacade848bace9a14f4eb39e72fe6016dbe5b0e5d9ed6a4411f64f8248f6cdbef564ee8e7ff1b9b71c4a99e2c150

C:\Windows\Temp\QLOG\ThreadId(84).LOG

MD5	b11668bd368cab229133e59044b45735
SHA1	634b84a38754e79e517f8301cb0d416ad7915e6b
SHA256	ad34486b375f221e5751255cafdecb62d79dd01e3f78cd9308a4b990d5154fb9
SHA512	f2034c12b2bce11ec2e7ef0550656e273448f04280ee5a770a408bfb94a682ce6060581a75e65b9f790c91cf2f372b0d38341e4b5dd35a3164a88efcc46db74b

C:\Windows\Temp\QLOG\ThreadId(82).LOG

MD5	08373054678778e3ec541a5dd7f308c9
SHA1	11e5f59c45eb93e8663a1cde2ac1c0e9663f7721
SHA256	f74f5a372985ec8dea6fbc00d79dbbcd17cbe7dbe04beedd9b6d473d68eb5743
SHA512	dd61e9fe734809f8a7566f1ba9a796744007de6730d5c375c3bf8caa5afe0c1392e19066855a1864980f9de81419f9c7c0c5c6ef343bf209f14dd6913509d65d

C:\Windows\Temp\QLOG\ThreadId(89).LOG

MD5	cc2c43ede2418d8616b96327420de076
SHA1	4590638cdefa0ee56fc00ffa1322c6ba945364b4
SHA256	50660c162045e91ac56734c11becddd1a3b3374d8b4df6fd923b37d4ab7f2d3e
SHA512	97ea8cce165510d394a69c37bc0c37b370a86a1859844f891236ae13257bc023abdbc8845c67c5fefad5c390093ee017091ea953a0f12ce2012e23f423c4ddc0

C:\Windows\Temp\QLOG\ThreadId(83).LOG

MD5	94e36111fce4a51fa39619fd2b368d56
SHA1	7bb81da5ca6a6839ac9e28e1c99e6fa5a99b509b
SHA256	533ef44e222f713a992e0538d5e326949186bc11bb7c8202d194940db81b21da
SHA512	e68b47bf1006cf5ad553cf4a7522edd5be6ca0b6bc2181ab3f9e8eafae8ced69efae78518a27491ea98486f6388dedb1b4d2ed163069b9c887bc18120a8bf582

C:\Windows\Temp\QLOG\ThreadId(87).LOG

MD5	e0c6a9443cc18269ab4034afe669081e
SHA1	fe92a56581a470cc72b7a43f29e20a773a2824ca
SHA256	07d16aab4c48767ba82cee2ccfd58c89120fd7ae4049d9a43e25ef337f082e83
SHA512	2e49f05ed36c1fce394e805b20d0e4cf4f4467ea7fbe60b5c3bf277235fe66d44504cd86b59332bd0b1b48ceabd244083c86568e7272e837d1985d4a916e78d1

C:\Windows\Temp\QLOG\ThreadId(89).LOG

MD5	4c7a2ce8664adb5af052a712aff07129
SHA1	9cf1a405016f2e275402367368dfd08b4d8a22a8
SHA256	fd7d55735790d1127480b3d8c192a9010d0901c663fa25a74de0ea3a3241f893
SHA512	55b917c0ebf4cdd570648cfd28f0a055c3f92692ccf64b6dda55c0dc28b04fcaa11f8e6b90c37996cd2362cb02682452e872953d2adbd39486b8df641cf2e9cd

C:\Windows\Temp\QLOG\ThreadId(82).LOG

MD5	08373054678778e3ec541a5dd7f308c9
SHA1	11e5f59c45eb93e8663a1cde2ac1c0e9663f7721
SHA256	f74f5a372985ec8dea6fbc00d79dbbcd17cbe7dbe04beedd9b6d473d68eb5743
SHA512	dd61e9fe734809f8a7566f1ba9a796744007de6730d5c375c3bf8caa5afe0c1392e19066855a1864980f9de81419f9c7c0c5c6ef343bf209f14dd6913509d65d

C:\Windows\Temp\QLOG\ThreadId(88).LOG

MD5	2e9043bb8f0f301542093e6f889ff7cd
SHA1	4dc3017a0841e6f54d0e8056bc0f2f3b819cfaa7
SHA256	a8a9c9558b4ee3ac5c38756d00bdac0fbc5b22876a7412e22d4b0fa3a8baaed6
SHA512	1177e3a6e1de39133694ce4e20b4149a1f88634620456bed3a4a5c186f91b6d5d4945a1fb66ae4bd6602750972abab5d93fee8dce842589fb5831d10f0b478b1

C:\Windows\Temp\QLOG\ThreadId(87).LOG

MD5	115613302a333d47120738f131113e1a
SHA1	a777c2575683636331dcb95014c1a342c1df3c59
SHA256	815233a3b31e75c4341b23764964f8bc1f94aa327d6037644179355d5e1d8d64
SHA512	1c67caaf9348c3aaa1a994f3f94d654f2af6f16fda9e0fb3915bae9a3e30a753b40891bbcaea76a9149d61ec646177fd292c846bf3e62efc0a4b165ad764c7df

C:\Windows\Temp\QLOG\ThreadId(86).LOG

MD5	39ad34c98c602ec4463621230659dc0c
SHA1	2c99b010e4a0630153baba0212a8c9c06b35eaac
SHA256	856f456d87a9463cf5abcf8bef46e7587dfa12ae6aa660e1f3ddeea068783bd9
SHA512	66508141599b08830513bdfa139d8f482685bba8b473f15e5106997b5c8532463fed5b8d375b2bf146f652ad5aa33f2d8d587a5dce38f4f27d4f36eebdff1a02

C:\Windows\Temp\QLOG\ThreadId(89).LOG

MD5	4c7a2ce8664adb5af052a712aff07129
SHA1	9cf1a405016f2e275402367368dfd08b4d8a22a8
SHA256	fd7d55735790d1127480b3d8c192a9010d0901c663fa25a74de0ea3a3241f893
SHA512	55b917c0ebf4cdd570648cfd28f0a055c3f92692ccf64b6dda55c0dc28b04fcaa11f8e6b90c37996cd2362cb02682452e872953d2adbd39486b8df641cf2e9cd

C:\Windows\Temp\QLOG\ThreadId(83).LOG

MD5	6174bb17ec212b05f5e503e156193622
SHA1	7dc735282e6be0b2603538fc5b1f85cf03aca5cf
SHA256	32695903bcf09e356ff78334ec938f257fad442140ed14e6c322431ba3a7c7a4
SHA512	8792f6f2c3d8c5bbee96418daa98c5a35aad445aacf6a6c638c80d254dfde2fb61bf18ab94ae87c0130769b953dfc2eabef0ec7ddb84b1101796b5994ebbc767

C:\Windows\Temp\QLOG\ThreadId(87).LOG

MD5	115613302a333d47120738f131113e1a
SHA1	a777c2575683636331dcb95014c1a342c1df3c59
SHA256	815233a3b31e75c4341b23764964f8bc1f94aa327d6037644179355d5e1d8d64
SHA512	1c67caaf9348c3aaa1a994f3f94d654f2af6f16fda9e0fb3915bae9a3e30a753b40891bbcaea76a9149d61ec646177fd292c846bf3e62efc0a4b165ad764c7df

C:\Windows\Temp\QLOG\ThreadId(82).LOG

MD5	87db2ef45a28e79d83be86f20b0ed418
SHA1	60c57643191ed6e34302af54e5bde51b2e037482
SHA256	a810004b2119c8597855c5698d2714c69613410460cafa80a7bccdfa4b872f55
SHA512	d73dcd31d17311b285f7f3293d4039b1608d4a78b2a294b7289cc41faf4b73b43cd1c9ae13dc4931ce82f260a85bb4a3e53d55d75708b6eab314d6db44d9dd8a

C:\Windows\Temp\QLOG\ThreadId(86).LOG

MD5	048fc68ad87d97c99e4f3f93e13b9ed9
SHA1	f834fb48fc702ed6a4796635a6e2d50f064bdbc3
SHA256	a51c2cf703d3cbd65fab95b21a06412596afb0acf8a73815369ae9bd1906aba2
SHA512	8516ca513376389d514c47092af0cbfb96b0eeeaeb075a6d3ad86932ac248f35304cd5bdaebb477fe25f155293582054328e4e56716de5fabedf88dc2d98bed1

C:\Windows\Temp\QLOG\ThreadId(88).LOG

MD5	2117e79e05f1efa98e790fb7d60f7845
SHA1	6e3e29277349d91a7c89894e145b7d6e0df26171
SHA256	0fb8ab0a8d95509e40d06f70a545d7f10630af2a0f6dd4c8814ad5ddf0085d08
SHA512	9817be3d929c55a4a6b5531151958450cab5bcdbe2b11d901100f3087a53e564f69f43348b92979ae907e875eeb6b7c3bd0cab2a0976d9d8fb08f7d4885bfc96

C:\Windows\Temp\QLOG\ThreadId(86).LOG

MD5	048fc68ad87d97c99e4f3f93e13b9ed9
SHA1	f834fb48fc702ed6a4796635a6e2d50f064bdbc3
SHA256	a51c2cf703d3cbd65fab95b21a06412596afb0acf8a73815369ae9bd1906aba2
SHA512	8516ca513376389d514c47092af0cbfb96b0eeeaeb075a6d3ad86932ac248f35304cd5bdaebb477fe25f155293582054328e4e56716de5fabedf88dc2d98bed1

C:\Windows\Temp\QLOG\ThreadId(83).LOG

MD5	25de787c938ae55be4be105f18a5d01f
SHA1	ce1005424edb6dea06ea8cb37b5e36106c9c6460
SHA256	df479d0d2140112c56ab6fd88a0670d1f2c021d1ab722abc495d5f94b89e8a79
SHA512	998ee77063a55896af7cc01859483cb804e0cadc7d1d937a6ced884304d308ebdb346d8325e32eb9b61c43f4e022e888cb1b4f8114cac1cb9802295a54ed44dc

C:\Windows\Temp\QLOG\ThreadId(84).LOG

MD5	62fa9681a9b320d8fe555aead2262eb7
SHA1	e5c158b482b2782f76e90fd1bf421683771cead4
SHA256	36f12e1c87c7ee71a60ab654e4eb95b3ca370ffc7e7e8c432a5c40866fd9f6c9
SHA512	76f8729b485971658de510cc5689e66b222e9262ec4a565868e5d8bdaa94d68da81a99ca90b0ace1dc6765fc11aca236b51da268bb6ee39142aa1e6b04ebec92

C:\Windows\Temp\QLOG\ThreadId(84).LOG

MD5	5afd86eb0b2b493135af5dbcf57d1c58
SHA1	e44cfe211c76491d57ebce7b88c5ab2bfe02eb94
SHA256	9c9396cc48b8931b6d663037939d2370babf47faef4572753068af37ec286500
SHA512	233875d57426a8512c06c7ea6ab73d7df833937046ea9aefc4236d5603bc6d38a1bce96b83e8eed5e1092e2d348d77ad806327b646aa79792dbbd6dc5b45b736

C:\Windows\Temp\QLOG\ThreadId(85).LOG

MD5	62f434cdfae7d982e781cb3ebf701705
SHA1	90f248ebdaa8cefb05c9158378c6768ad616c065
SHA256	57d2cc2939cecadf54465787aba1aac57c58c9b1427101902ee97932b7a9fff5
SHA512	f75b9bfa604abc9ab06e13ebc979c30957bf00ef69f3fa04355458bb08f0c74088bfb238fc676f28e8a18e785eddd9bbd48317c6ea3c971c0a276d88034e4fc0

C:\Windows\Temp\QLOG\ThreadId(92).LOG

MD5	15a21a7d22cce55fd6c1d5468a914eca
SHA1	3f70ac0be5962e1fc062c62d6a6613ef16b03164
SHA256	11beb454c0f2bf6357ffe5db26844ad8510ab1f579c301695016f8af7b666b1e
SHA512	7b46b13e27a6f1ed7de121d3a85cf41c7c40047d31019bd004fb5cdbe781ced03d025de5a9465ec7538d4e1a3a73a23303fd2b29cb19d3c3a5e6381385590527

C:\Windows\Temp\QLOG\ThreadId(93).LOG

MD5	454c1e19727ea91d3ad3b02fcb3802b4
SHA1	b90dafdf39808ca82d17c029d60acdf1415b901f
SHA256	681bda8674fd444581b3730a0758a815951e13b71fa7bb0e98619be72b276166
SHA512	23b997bde2bba82aaa02eeba36fa1647704f927bc6254ee82a9f672a1b43c7823ac8b71ce2de57813d290587bb4eb605c6ba45395e457130e46d154eccee8ae8

C:\Windows\Temp\QLOG\ThreadId(97).LOG

MD5	586a47eed1611f22d8915eac860039f6
SHA1	cd63c9514286dbca77f3ceafb7cb666d9cc17683
SHA256	f4fa58742a4fda1a4158d86e056e758c9e7fa02134bd707faf38c533548e6d45
SHA512	5be8641d759101da545a73977605416b6d48313059ed3bf451c529d91f71df6ef4c1add0b0891333efbe336ec5cb9ee92e34cd9551049c3296ad017d6e9aff11

C:\Windows\Temp\QLOG\ThreadId(98).LOG

MD5	7a218dce14ebdcc88e6c7b828d31a9e9
SHA1	df2c3560c6c91f8a80d1f889beb1076f27f42999
SHA256	7636e981dff3b891443a56da82558463f366df3a09eb642dd72dc437fb33f2b4
SHA512	1f1bbc6d8eab7def3be6fac2486307418ec1316023e319ae842288cebf4d12f0443b36e2cb12f9476a90bfd41fcb22e42d1f0a83a5cea0174e50050966ed424a

C:\Windows\Temp\QLOG\ThreadId(99).LOG

MD5	cc99894cba7cead0bdf162d4ab6d8cf4
SHA1	8a75b5c581b277c71db0f77b02bc4f204429cefd
SHA256	e551301980dfb5646fa0c7ea8c1084a6c1ceea2dc5c2db66103c26dd097d745a
SHA512	d9930e869dfeaef80dd33699b72c66dfce47350b07aeaa45a33db0ac01f0f87a204b8072d1aa1601994073ce850c5e50a96a1d74149692d3fc7cfb48b5fe1eac

C:\Windows\Temp\QLOG\ThreadId(93).LOG

MD5	454c1e19727ea91d3ad3b02fcb3802b4
SHA1	b90dafdf39808ca82d17c029d60acdf1415b901f
SHA256	681bda8674fd444581b3730a0758a815951e13b71fa7bb0e98619be72b276166
SHA512	23b997bde2bba82aaa02eeba36fa1647704f927bc6254ee82a9f672a1b43c7823ac8b71ce2de57813d290587bb4eb605c6ba45395e457130e46d154eccee8ae8

C:\Windows\Temp\QLOG\ThreadId(98).LOG

MD5	14a44735d82d626f3d24d226cc8d433a
SHA1	bd7b913e41303817befd2d175e2cddf992631c43
SHA256	064f64a15857faf93a3bc0611a34ec35cee0a2f056f24cd7761c42baf293f22d
SHA512	8abdad58bde600d1c13f53c989381176a236bdf8096e205a3390d0eb2a0374914e732952e8a1ebb0009483090fcb6f0ee7c7120131b935f799f4cc636e4d3c48

C:\Windows\Temp\QLOG\ThreadId(94).LOG

MD5	cfbba1902a314b717a68e881746c339b
SHA1	32c929d39414c28e1bbab7f8cff8f6f18a45ba26
SHA256	64da0c557d18829873c1582bd5dfef0b9dde0ce23c2329a1a4e1ce372d549527
SHA512	a4fe67657f0b5e4c3d7ea965a888be9c632831ae76066ecdac3caba45f47518ba3fd629bc1747b934481d6e87ef85aa90fda48635d9cb6297b94c94c1f524613

C:\Windows\Temp\QLOG\ThreadId(100).LOG

MD5	b56c5e7908799e2871a35476e26832d8
SHA1	52bfc1b67c2dca57d6af3fc4264fa62703bc04e6
SHA256	8ffa63a77a40851d9daddabe846db74b40edee6575c9b971a39a1936aed422bf
SHA512	bfcde622205decef8efc85f7bad75ba896a618731bb4face45fb63e884e3b04053dde7520e76b937b455a8413777626f10adb5acdfae0ba9d4cd7b5f0584c7b9

C:\Windows\Temp\QLOG\ThreadId(99).LOG

MD5	c9ad2db3196febf38fff89ac8d207d91
SHA1	a0a3cd88d699637bbf243968cdf3ba9b9abefb77
SHA256	8c8e35878a0a60390458751bec22a72153d275e614ae5a9f8bb506fb7ebb101c
SHA512	1d857d1a68625c4471bb19d75efef8e024e24b587d6bfbb534685acfd1cc2acad29abb70cbf95c261bef370c36d3b4f831979a055d9cf33749693b394549e5ab

C:\Windows\Temp\QLOG\ThreadId(94).LOG

MD5	8b18256f5909e3e6aac10bbbf31c0719
SHA1	1b00040dc2d4d9f434606a491a18e9702835ecad
SHA256	531a5a209867da1fb447814ca83552bc4b9d0bc2befd960bb1dae1cf292733f1
SHA512	dfee67c51723309d360b587f1d5d1c426eecc8612a30dcf28e75981889878c4573dce597ec65411daa91132360146767e7e775429a97e3c547bd8b5c6fc15ccb

C:\Windows\Temp\QLOG\ThreadId(95).LOG

MD5	e5d8ff19ca7144012772c8f798204fde
SHA1	5a9dd7d94f8f41dc594108d245c05d9c50646df9
SHA256	af203ca67f80efc1075c8c34ba04c3415bcad5b293965790b6d06a4eb5e140b7
SHA512	e7527606fdd34e5e7b270af461531a5858f40ba7251891c3accae27ac737cac1a7d3b13c87f678a3eca791a3fb81ef107120e2b667e6609bfc95149dea308312

C:\Windows\Temp\QLOG\ThreadId(93).LOG

MD5	e9b5564f5e6ac655fe2308940d29321d
SHA1	305a0a9fbe01bb707997cf305e37c211978816bf
SHA256	e243bbc177112be5bb7409fcc7cb7b4a4ae600ab918a6cac63efbbdcb9e8c303
SHA512	5627185e3bf7ccac40a54004edd802eec7fe770a99f2e9b0ae711499c27a80a928f7fa857978ded06062771bab74e7fd04f9f4f5339d09a3d501f6492fabe903

C:\Windows\Temp\QLOG\ThreadId(98).LOG

MD5	14a44735d82d626f3d24d226cc8d433a
SHA1	bd7b913e41303817befd2d175e2cddf992631c43
SHA256	064f64a15857faf93a3bc0611a34ec35cee0a2f056f24cd7761c42baf293f22d
SHA512	8abdad58bde600d1c13f53c989381176a236bdf8096e205a3390d0eb2a0374914e732952e8a1ebb0009483090fcb6f0ee7c7120131b935f799f4cc636e4d3c48

C:\Windows\Temp\QLOG\ThreadId(100).LOG

MD5	b56c5e7908799e2871a35476e26832d8
SHA1	52bfc1b67c2dca57d6af3fc4264fa62703bc04e6
SHA256	8ffa63a77a40851d9daddabe846db74b40edee6575c9b971a39a1936aed422bf
SHA512	bfcde622205decef8efc85f7bad75ba896a618731bb4face45fb63e884e3b04053dde7520e76b937b455a8413777626f10adb5acdfae0ba9d4cd7b5f0584c7b9

C:\Windows\Temp\QLOG\ThreadId(95).LOG

MD5	e5d8ff19ca7144012772c8f798204fde
SHA1	5a9dd7d94f8f41dc594108d245c05d9c50646df9
SHA256	af203ca67f80efc1075c8c34ba04c3415bcad5b293965790b6d06a4eb5e140b7
SHA512	e7527606fdd34e5e7b270af461531a5858f40ba7251891c3accae27ac737cac1a7d3b13c87f678a3eca791a3fb81ef107120e2b667e6609bfc95149dea308312

C:\Windows\Temp\QLOG\ThreadId(97).LOG

MD5	9a5745c7c5cd12a828a8df37ac658f61
SHA1	63945ec67369cf1554a52e36fc8a84dcff3be481
SHA256	0a8b396b2e09c945dc6682a130e842c03afc1ea8c06f15f77c5d1692eb2cc134
SHA512	9486b373e2d4efb3a3e2551649ffda6e71643c44a00b09db98cc8f0f1580a787565a39e4a1a0950f79a471391636f31c7024db71b05ff37f197a5f72803972c3

C:\Windows\Temp\QLOG\ThreadId(97).LOG

MD5	9a5745c7c5cd12a828a8df37ac658f61
SHA1	63945ec67369cf1554a52e36fc8a84dcff3be481
SHA256	0a8b396b2e09c945dc6682a130e842c03afc1ea8c06f15f77c5d1692eb2cc134
SHA512	9486b373e2d4efb3a3e2551649ffda6e71643c44a00b09db98cc8f0f1580a787565a39e4a1a0950f79a471391636f31c7024db71b05ff37f197a5f72803972c3

C:\Windows\Temp\QLOG\ThreadId(97).LOG

MD5	f20034b75c5eff73305c94c65df8a035
SHA1	26152907f8098cfc17436b35c1cabc149227fdd3
SHA256	65b0ff685340c3ac59424c0c9eded87269c93af10f8b779d2d3b60894276b8ab
SHA512	8fba905d8cced15809f36d7b78ab4dc009b73b151fbce3129c480778bd4241a73ce0f749660347984498cd1423d19dbdb41ccf3222ab1f5efae0613649660b8e

C:\Windows\Temp\QLOG\ThreadId(96).LOG

MD5	1678cab0b387da4fed48b11ef227a694
SHA1	5588b512b91663aac4808074cf8770a49b855d12
SHA256	5c1a8211d59992ccf843d179c3ea623562d66a419dd246cba44445f1585f18b2
SHA512	bc4628bea0dffb1f104429371506baf497cf3644d7151647eed9d567b4a62c22aed88ff73a907db0ecde9c8a8a3643fa4d0811fe1a2597b145774e07c45b3fff

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5	61f5affd01798c3a8efe5268113b14af
SHA1	8fad0a26118affa295c5409935fc93b424e5eff3
SHA256	e6af07e8ad0c62bc8dd63401521ded1326d93aae84313a4c2dfa2b6c23fc0a7a
SHA512	7764a50d4ffc3031925510c7481229ca88aff2b5a10d5016cfd03416c5636b938c3a6af20bc254ad8074bc0db13fdd13bf0a72e810884aef36b99f80c7cdaeac

memory/4596-21463-0x00007FF9FA600000-0x00007FF9FAFEC000-memory.dmp

memory/4596-21470-0x0000020FF9A10000-0x0000020FF9A20000-memory.dmp

memory/4596-21469-0x0000020FF9A10000-0x0000020FF9A20000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5	5d0f00ec83363fd894d582d68e58cf6f
SHA1	91acbb43139bdec06ca71565697d3ef00e9b0882
SHA256	061218ceb2b08e30862ac85ad33825d68e7906460f3f420c94d8c86d3eca8b8e
SHA512	1a676c7d44d6ff558dd6b09732a1f517d636e2d49db4fa79f47c087344a2115cfe819ad29d464ee0ebd8ac6001145fd18269ffc3d4616a0916bb7058002aa3a6

memory/4596-21547-0x0000020FF9A10000-0x0000020FF9A20000-memory.dmp

memory/4596-21557-0x00007FF9FA600000-0x00007FF9FAFEC000-memory.dmp

memory/2568-21577-0x0000000073380000-0x0000000073A6E000-memory.dmp

memory/4152-21583-0x00007FF9FA600000-0x00007FF9FAFEC000-memory.dmp

memory/2568-21588-0x00000000049A0000-0x00000000049B0000-memory.dmp

memory/4152-21590-0x00000257B04B0000-0x00000257B04C0000-memory.dmp

memory/4152-21592-0x00000257B04B0000-0x00000257B04C0000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5	e5bd85dfe54fe8c2db22f2dbe688e303
SHA1	584ab9234e5664daa7467aa9426973d2b9e25370
SHA256	ca2177fa1008ecc7f58cfe18347b002941f11a412d24a9e36422bf6e0eb84980
SHA512	7835c8b51f8c7a25fc17bb99d285bd64da6671f70a699b757ada3be60aef0f3331f2cb6287df2a4d8f0df90adeea2f223365e6646302bd79e211605c1acca7d7

memory/2568-21653-0x00000000049A0000-0x00000000049B0000-memory.dmp

memory/4152-21654-0x00007FF9FA600000-0x00007FF9FAFEC000-memory.dmp

memory/4152-21656-0x00000257B04B0000-0x00000257B04C0000-memory.dmp

memory/2568-21667-0x00000000049A0000-0x00000000049B0000-memory.dmp

memory/2568-21670-0x00000000049A0000-0x00000000049B0000-memory.dmp

memory/5184-21674-0x00007FF9FA600000-0x00007FF9FAFEC000-memory.dmp

memory/5184-21678-0x0000015127AC0000-0x0000015127AD0000-memory.dmp

memory/5184-21680-0x0000015127AC0000-0x0000015127AD0000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5	965f2202ce3f244b04b89ac3798e7e84
SHA1	1de25b6d545c95d02df60a564eda8dca653d1e2d
SHA256	862d1b245e7c8f7a9d4a12975939e5c17b4d745ffab1d97b205f1f88729e2737
SHA512	9354d62638b0d8a85987225fec0d3fa73a06f27d039548f7bc824d9a6a15de53ba2999949da02035eb1546ca6f04073563f927f5a45d115fd3bebbf560a908d1

memory/5184-21744-0x0000015127AC0000-0x0000015127AD0000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5	58004bf368dc129a53fe89f09e049346
SHA1	7a50704a4d99cfa2d4799297579bd240dce24cec
SHA256	1fd2a1be30f07125233c78ebd82a6b9bfddb10039d999c0c3f7a08080cd671d8
SHA512	f89bd6a661814456cbf049bad1de97931acbd7af7604e82272bc2ba97ed8eb641f3a567d87d1f5ada8d72890d96257762c487fdab7417a7b7d9c5cdeb4c959b9

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5	2029add2a57e88fcc72840bac50db645
SHA1	14913fb4c9fad67b585dc7fda4d545f98a3a2106
SHA256	57cbe3360cfb4eee09ff2ca0e6edbeb70e7c2225627583c801786161572a02ea
SHA512	80404691cae00a567d201873b9effae23490c0fa1dd318a4e378e59f04d25e810ad0921106e97e7d8d3b513490918065bf70cc2901c771833e451aea8b1cb3e8

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5	939159b5195d4b8a66b0fd2be7b0880c
SHA1	c7df9432647d49675c8e4d1c68488d9390f6aa50
SHA256	a3712ce74d37fdbc0ee1bbf588a4e6bbcc9cdd0a01a75f76b7607edd43b9618c
SHA512	42ef5aea0f6aa8f94e41541dcd8cc4d81968de3fc1f84ce5ce14bcb784fcf7685444a5cf6f1df2fd44b321ac2ad887a67be51d2690577e17ad3ae672c657ef07

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5	4788f738b51f0d6d400db3308cfbc23f
SHA1	994f9210821e59565fdca8241b69fc352d940ead
SHA256	1c7fafd14c7711618b41145f61585e592ee74ddd605fef77ac004af6e639baaf
SHA512	828178ce83d4240955307a39de41a8d98cd95cba9fcbf0f96f19984a6604040249b783236706239d17477a5f1e54856401fde697b79899f442f6cf7dedbd7adb

memory/7916-24164-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

memory/4452-28007-0x0000019D3B390000-0x0000019D3B3B0000-memory.dmp

memory/4452-28043-0x0000019D3B590000-0x0000019D3B5B0000-memory.dmp

Malware Analysis Report

2024-09-11 01:40

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Sample ID	231121-f5ca1sdd3v
Target	forigpatch.exe
SHA256	27f7a332ba10bae9dbc527ea25c787cb1850f0b34295cd49118f040f08f4fe56
Tags	agenda ransomware