Malware Analysis Report

2024-09-11 05:43

Sample ID 240607-pmt8jsfh7y
Target CW.eXe
SHA256 60ca507ef4ba7dbbb7ef6ea4b975b9b09a24d7d0c91d38d0876331203f962d98
Tags
discovery exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Likely malicious

The file CW.eXe was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit

Possible privilege escalation attempt

Executes dropped EXE

Modifies file permissions

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-07 12:27

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-07 12:27

Reported

2024-06-07 12:28

Platform

win7-20240221-en

Max time kernel

67s

Max time network

74s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CW.exe"

Signatures

Possible privilege escalation attempt

Tags: exploit

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | N/A

Modifies file permissions

Tags: discovery

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1740 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\CW.exe | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
PID 1740 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\CW.exe | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
PID 1740 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\CW.exe | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
PID 1740 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\CW.exe | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
PID 1740 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\CW.exe | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
PID 1740 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\CW.exe | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
PID 1740 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\CW.exe | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
PID 2404 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\CW.exe

"C:\Users\Admin\AppData\Local\Temp\CW.exe"

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

"C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\CW.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C hosts.exe /i

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C COPY /Y a32_original a64_original

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C COPY /Y a32_original b64_original

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C COPY /Y a32_patched a64_patched

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C COPY /Y a32_patched b64_patched

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\System32\slmgr.vbs t1.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\System32\slmgr.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\Sysnative\slmgr.vbs t2a.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\Sysnative\slmgr.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\SysWOW64\slmgr.vbs t2b.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\SysWOW64\slmgr.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C move /y a64_patched "C:\Windows\Sysnative\slmgr.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2a.txt C:\Windows\Sysnative\slmgr.vbs

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\slmgr.vbs" /grant "Admin":RX

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Sysnative\slmgr.vbs" /grant "Admin":RX

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C move /y b64_patched "C:\Windows\SysWOW64\slmgr.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2b.txt C:\Windows\SysWOW64\slmgr.vbs

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\slmgr.vbs" /grant "Admin":RX

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SysWOW64\slmgr.vbs" /grant "Admin":RX

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\System32\slmgr.vbs"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\System32\slmgr.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\System32\slmgr.vbs" /deny "SYSTEM":F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\System32\slmgr.vbs" /deny "SYSTEM":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\Sysnative\slmgr.vbs"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\Sysnative\slmgr.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\slmgr.vbs" /deny "SYSTEM":F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Sysnative\slmgr.vbs" /deny "SYSTEM":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\SysWOW64\slmgr.vbs"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\SysWOW64\slmgr.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\slmgr.vbs" /deny "SYSTEM":F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SysWOW64\slmgr.vbs" /deny "SYSTEM":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C COPY /Y a64_patched b64_patched

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\System32\sppcomapi.dll t1.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\System32\sppcomapi.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\Sysnative\sppcomapi.dll t2a.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\Sysnative\sppcomapi.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\SysWOW64\sppcomapi.dll t2b.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\SysWOW64\sppcomapi.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C move /y a64_patched "C:\Windows\Sysnative\sppcomapi.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2a.txt C:\Windows\Sysnative\sppcomapi.dll

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\sppcomapi.dll" /grant "Admin":RX

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Sysnative\sppcomapi.dll" /grant "Admin":RX

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C move /y b64_patched "C:\Windows\SysWOW64\sppcomapi.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2b.txt C:\Windows\SysWOW64\sppcomapi.dll

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\sppcomapi.dll" /grant "Admin":RX

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SysWOW64\sppcomapi.dll" /grant "Admin":RX

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\System32\sppcomapi.dll"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\System32\sppcomapi.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\System32\sppcomapi.dll" /deny "SYSTEM":F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\System32\sppcomapi.dll" /deny "SYSTEM":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\Sysnative\sppcomapi.dll"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\Sysnative\sppcomapi.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\sppcomapi.dll" /deny "SYSTEM":F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Sysnative\sppcomapi.dll" /deny "SYSTEM":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\SysWOW64\sppcomapi.dll"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "56097518110792187-1581356242-121060830-2127029997-271069979-1511651881998304744"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\SysWOW64\sppcomapi.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\sppcomapi.dll" /deny "SYSTEM":F

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-155791121717569916421561604748-113430500814166758271423756786-15567319421874486880"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SysWOW64\sppcomapi.dll" /deny "SYSTEM":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\System32\systemcpl.dll t1.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\System32\systemcpl.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\Sysnative\systemcpl.dll t2a.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\Sysnative\systemcpl.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\SysWOW64\systemcpl.dll t2b.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\SysWOW64\systemcpl.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C move /y a64_patched "C:\Windows\Sysnative\systemcpl.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2a.txt C:\Windows\Sysnative\systemcpl.dll

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\systemcpl.dll" /grant "Admin":RX

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Sysnative\systemcpl.dll" /grant "Admin":RX

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C move /y b64_patched "C:\Windows\SysWOW64\systemcpl.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2b.txt C:\Windows\SysWOW64\systemcpl.dll

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\systemcpl.dll" /grant "Admin":RX

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SysWOW64\systemcpl.dll" /grant "Admin":RX

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\System32\systemcpl.dll"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\System32\systemcpl.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\System32\systemcpl.dll" /deny "SYSTEM":F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\System32\systemcpl.dll" /deny "SYSTEM":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\Sysnative\systemcpl.dll"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\Sysnative\systemcpl.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\systemcpl.dll" /deny "SYSTEM":F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Sysnative\systemcpl.dll" /deny "SYSTEM":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\SysWOW64\systemcpl.dll"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\SysWOW64\systemcpl.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\systemcpl.dll" /deny "SYSTEM":F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SysWOW64\systemcpl.dll" /deny "SYSTEM":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\System32\user32.dll t1.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\System32\user32.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\Sysnative\user32.dll t2a.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\Sysnative\user32.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\SysWOW64\user32.dll t2b.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\SysWOW64\user32.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C move /y a64_patched "C:\Windows\Sysnative\user32.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2a.txt C:\Windows\Sysnative\user32.dll

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\user32.dll" /grant "Admin":RX

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2444715301267366741-1488338057-4890633421476550816-303044981588883419-258094065"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Sysnative\user32.dll" /grant "Admin":RX

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C move /y b64_patched "C:\Windows\SysWOW64\user32.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2b.txt C:\Windows\SysWOW64\user32.dll

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\user32.dll" /grant "Admin":RX

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SysWOW64\user32.dll" /grant "Admin":RX

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C COPY /Y a64_patched b64_patched

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\System32\winver.exe t1.txt

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1665614092-1817746531-1764862642-194752862-1373404540-18155806281770648153165516802"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\System32\winver.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\Sysnative\winver.exe t2a.txt

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "12858922341910224229-1268684157-8180715861862570739146877292117224230481828093250"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\Sysnative\winver.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\SysWOW64\winver.exe t2b.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\SysWOW64\winver.exe"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-396396115-162287995-1145153847-6623757551624041157-2050642316693791991704813228"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C move /y a64_patched "C:\Windows\Sysnative\winver.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2a.txt C:\Windows\Sysnative\winver.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\winver.exe" /grant "Admin":RX

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Sysnative\winver.exe" /grant "Admin":RX

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C move /y b64_patched "C:\Windows\SysWOW64\winver.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2b.txt C:\Windows\SysWOW64\winver.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\winver.exe" /grant "Admin":RX

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SysWOW64\winver.exe" /grant "Admin":RX

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\System32\winver.exe"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-17571223711734726390-1883186532348284788-15724134611189563824125800811626322255"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\System32\winver.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\System32\winver.exe" /deny "SYSTEM":F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\System32\winver.exe" /deny "SYSTEM":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\Sysnative\winver.exe"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\Sysnative\winver.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\winver.exe" /deny "SYSTEM":F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Sysnative\winver.exe" /deny "SYSTEM":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\SysWOW64\winver.exe"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\SysWOW64\winver.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\winver.exe" /deny "SYSTEM":F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SysWOW64\winver.exe" /deny "SYSTEM":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\System32\sfc.exe"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\System32\sfc.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\System32\sfc.exe" /deny "SYSTEM":F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\System32\sfc.exe" /deny "SYSTEM":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\Sysnative\sfc.exe"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\Sysnative\sfc.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\sfc.exe" /deny "SYSTEM":F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Sysnative\sfc.exe" /deny "SYSTEM":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\SysWOW64\sfc.exe"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\SysWOW64\sfc.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\sfc.exe" /deny "SYSTEM":F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SysWOW64\sfc.exe" /deny "SYSTEM":F

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6aa9758,0x7fef6aa9768,0x7fef6aa9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6aa9758,0x7fef6aa9768,0x7fef6aa9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1224,i,12695260287799414294,13908397357605959554,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1232,i,13758739506942471224,7402932166815246657,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1224,i,12695260287799414294,13908397357605959554,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1456 --field-trial-handle=1232,i,13758739506942471224,7402932166815246657,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1224,i,12695260287799414294,13908397357605959554,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2252 --field-trial-handle=1224,i,12695260287799414294,13908397357605959554,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2264 --field-trial-handle=1224,i,12695260287799414294,13908397357605959554,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1152 --field-trial-handle=1224,i,12695260287799414294,13908397357605959554,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2984 --field-trial-handle=1224,i,12695260287799414294,13908397357605959554,131072 /prefetch:1

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\mainicon.ico

MD5 31aca1a1047efbc8d2a6e22101b2227b
SHA1 7f0500f0dd7b33f13efcef891700d17306762e02
SHA256 a9eaafa2c8e36bb80f58d5930694676d76dab647b8f709f3142649bb8018fbfa
SHA512 190dd9471fdc93e9eeb8dede79f3b9f1a67c3ff62e5733f51ddf03130790ae0e409da92d46c8e616c35bcd5dbc9d2139c95452843f8a8a4ba8b4d70d1e43427a

\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

MD5 6ed1ff22271e42f1b1b794fcf013c792
SHA1 bedfc9238562d8f060aa8ba2dd611fb0bd69028c
SHA256 3d64730cc54b77e11ab31a232434b09ca14fc393f3194eb8c622e62aa41d21f9
SHA512 0ddc4a0e772e45e5e87f2c1dacd559bb20a2a991f24af8415f714cb04fd9307ae9eb43bbc1acf551d3bc066f9c15d0a660568eaab391ad8378b30afe9a62b3e3

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd

MD5 1c42c49a03f8416736f243907b1c8c0a
SHA1 64a6bc73c97b85c35813d7c3386753e0c8fd7e63
SHA256 6f9a4a22186afb4efd48689fe9dad4a1cf1cfd6f2706d3411c8f5d83607e0ba9
SHA512 6385706f690fa75267af441fc614a3971e4a7e5dab08de76e6a2773f5a4284bfb13e9c08595fc9b3dc39672f74ec1af26c79581df0cf9eb45b8ddb2785f22026

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\IRDissolveTransition.tns

MD5 6a9b0ab9341ac4204aafc7fac9872962
SHA1 dc6ceafcb39b7329552d0883f2c3284dddbb0ddc
SHA256 6315b5d1869c3b4cbcbead77ad63da3a60d86ede287eccef338f74178ec181f2
SHA512 76bacf1de5ac883bb47ae8d3299d5f399ae84bcd19eadc3fd8ee01ae2605bbbbddd6aacf7fdec490b8e6baf362ae05dbf972a5710c2bc732e8542a1c5d04bca6

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\chew.enc

MD5 12a32fa128964e6a70b7ead729bfd933
SHA1 af5ae624d8f1aba5b1c651d6435fdaaadb475d3f
SHA256 a7bec382f29d784338e0130bf180a2387454be59ce8bf198f43fe9655cc473d7
SHA512 a335e01ca8ada8b7ae15dd9405409266a01a8e597f556c8cb316c35366a0a4e3f8cadd048108f0cb713d51ccb08d0845298fc56858f9300c21f5422c1fb8ee01

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\main-screen.jpg

MD5 16ace5798f3499d9685197740cd00735
SHA1 5a5d4765b3d2046cd1d4fcc714e77d188b8e52ab
SHA256 0c88a592cb5448d2131a15f208580365cf383a2445ed60ca55987f42ecc4ce11
SHA512 f5e7f3bdba6aa633bb28991c5dc9ce0e9a010ca133165417ff81c48d6cacd87d89b93533176311a60823d8d98c13bd4134ce1bcd0f90f644092779cf47aa14e0

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\button.btn

MD5 9ecb9fcfdcb46a87ec244cfe23659e0e
SHA1 b389705b9cc52e7e12a0f7f68a4f6922ea9db107
SHA256 3ff2c5e7c1b7471d41d64bd39b2d8e2df3761408c0b235ce8ccbb3d39417466f
SHA512 12a61f1cdff7faf5fe40fd83d2cbb4ef17554be2b2ead82162d685a3b492f7149bfb82b8c65a5d20e061a287140c5350923c0adab9fc7e47a7c98f3fdead8498

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\Home2.Btn

MD5 1c85362b0780dfb2f580e567ad57643a
SHA1 c1ca2efb091d5540c8d300a00420fb3060874e61
SHA256 70919d158d55ba3a9c38bbe91c79bc69452e67fe7862aa00fe77df56a7dde4e7
SHA512 57d643adeb7ae8409312a0b8ac1b4774d51543f31ee4f1ea27a57fb34521d21d3590e23d8470d03967aff137117c8ace46b8a20adc6e65c1a411f70dbfd85690

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\genuine-chew.jpg

MD5 2e2ac2c68ef9ed0e14108208dc6880bb
SHA1 15bed281564c4ae5d59c8e8d7691b63ba253448b
SHA256 510acf5a6ce7e9570a591a48951161341de4f1da13e0117ab4aa6832e5bddb97
SHA512 ee40b725211ec3001154c7484de7ce78df7a885fef6ba09585cad7281b4b08acb60459856d8c3b1684adceef643995f2cf708212183ca2ddb7f231713306590c

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\Cik11.Btn

MD5 eb199b1cb2087cadf5dd4d7b06db4f62
SHA1 2033bed8c8de0805e8fdbebadfd710e42fbe1a68
SHA256 b99136b165304979e84e98930ea5fee03508b8967acf6b82844b96863d916b15
SHA512 a133b9d14143b0d67f876b19f22fcf7d72352872352d7c5dd8a9ae05551e9350c5ede194416a0802816dd4c82418679c52b3ae578bf0f63e446ea868f8a9d387

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Audio\High1.ogg

MD5 fc2a595f574b1ead82a6dcf06492c985
SHA1 400626784368fb9825a954ab8e14238054a277d1
SHA256 ee9a4903a8df90eff4c5b65a8073e564a3581cf73772a72eb82396e69932e769
SHA512 06506e70170a85a2d697550bfb555a19e210e93b972a38a482448cf8eca335605583d04f74f5fdd2911203c58aaca2f55b946c2dfe754ecf17c6b1763b7e37db

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Audio\Click1.ogg

MD5 93270c4fa492e4e4edee872a2b961dde
SHA1 7b3c079d55d00aa5390662f0a2059e60546ed003
SHA256 25d49cbbd65d48ad462455f1143f73ee997df8f747e7d2213daab18e321c028b
SHA512 3d12721eb229d9227efc51c8e93d5f3ff6cabc305b643b764fcd6da76c031db4c8218b76b1f6158891995f23ce323c13826f59477924361cfb0dee2b9f94fb42

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\wait-install.jpg

MD5 e9e643548d3f92376e0becea1b79d731
SHA1 a273f8456c05003220494d8cf49f631408b07cdf
SHA256 68e008a39348d54344d4c4213fea395f710b078c6a5fa5fd493c08acd8ed0c78
SHA512 c4d7f083bec2b5341f866511e4f7d258c3bd6d4f4f5404bf7e2b68ffbe5d0b33ad0d5de4db2c0fd2201ebbbd45927ad1af132431f184e9c0277982659db863a2

C:\Users\Admin\AppData\Local\Temp\tRkf2d52.UA3

MD5 5fa434ec8af8916370b765dec86852bd
SHA1 4e926f229b73d58f743101cbd7b2dd4793200eb5
SHA256 9d93b830e5fddb9ae865ad13d542e604a13b07687163841251cb083f0ffe2786
SHA512 229715259889d0caf20bfd11aa89a3c6dd1951f6b1d836445b114765db3c8381fe42930f06e5da5c08b035e11c92fd1abf3f21d92ee8cae957024ab17776ce28

C:\Users\Admin\AppData\Local\Temp\chew-wga.log

MD5 ab6d9eff87e10aba6e3a05c06a69788d
SHA1 80634778fbe8666c80408ae2f11124884a3eeb56
SHA256 f904e7c681420cd9af688fed942c10ddeceb6bb9ec9aea0309c59211672a624e
SHA512 7477d43ae329188f47a47fd9dbcbe8e9c44cfed82d6a2e3c622d0a7f2b885eb3981f621b34a45fec146bbf912f0347311a49974720fb8690c2159e1bc4584a6e

C:\Users\Admin\AppData\Local\Temp\chew-wga.log

MD5 1f10fe4a2a04bbfa953653dad216402b
SHA1 4bd2575d84834ceaa8aea9e3872af33a79045015
SHA256 9f56fe2732fbd5d2d619aa6a6938834de9cb5ef86c5142252ed99c793328663b
SHA512 e8a2e17d8c41b521873190eabbffe0db059bec27b09e5c0e02a7c6e44feca8a94b1cec3f344ec9335b50737ba15e698e79f9962d52764402d3b5c79a94561844

C:\Users\Admin\AppData\Local\Temp\tRkf2d52.UA3

MD5 c62541ea284394bc8871f79909d942de
SHA1 9c49d85729858642a55076ead707a176ea15bd83
SHA256 09263c0a61ff954db51c16ad92775766158b8e33bbb105f5162eca0c29e24834
SHA512 2a053a9e09ae13764f1e11cce12b539e7a0c76d3e0b242394d6ded9c5ed7c13273d2181e0fa6c10cef4459d487132e6ceb6c8f4c8421bcbfbdf26599b1e98c46

C:\Users\Admin\AppData\Local\Temp\chew-wga.log

MD5 a2eb6b34ef2cd1f3b1b68ccb947cb25a
SHA1 04a415953be88e72dac4f0b357961f47dcc5415a
SHA256 bb665c81e1724faf0ed459b2d8e4f1a1ee9f8c0868c8c3fdd1fd47549084ef0e
SHA512 420a5c24f691a8c8f1b8f152c0ea288c8075bbfb3a7de5b1f9aabff25d6c35b63f6ef03c6de0e4273ff8b068bc86b40374e0581d900538fc34d687673a856aea

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\a32_original

MD5 38482a5013d8ab40df0fb15eae022c57
SHA1 5a4a7f261307721656c11b5cc097cde1cf791073
SHA256 ac5c46b97345465a96e9ae1edaff44b191a39bf3d03dc1128090b8ffa92a16f8
SHA512 29c1348014ac448fb9c1a72bfd0ab16cdd62b628dc64827b02965b96ba851e9265c4426007181d2aa08f8fb7853142cc01fc6e4d89bec8fc25f3d340d3857331

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\a32_patched

MD5 ad42973557017119b0e5f176c745909b
SHA1 6f8911725ac86efa8eb4b08c5147a4ef365c12f7
SHA256 5c59f39702c8b1749453641b78b9aafcd6b38b11bc0b7b4b2e8ce7e5f6a5b4da
SHA512 fefa5a762166d416a0f2e1557e4d7097efedc30fc7a77b11d6178b00c8a5c6ea6767371e320c20722e48f077ee10c59a472e95f0519afd65d247aeb88422061c

C:\Users\Admin\AppData\Local\Temp\chew-wga.log

MD5 2770c5d37eb5bcedf92d9d1421153d3c
SHA1 b22d7ac076ee289d6ab90d22c909779f6078320b
SHA256 6e7e38abaaaf7ac178aae90ff3e93dec6ed62beb4eb3fc48a6ca2647585a764c
SHA512 084a2285cf5edbb46aea853901330b807ca7eda1b2d679b2df31b230839b5086692353e40e180ceea03966982197c03bb7d48e76d1285879a8b518f93dd04f07

C:\Users\Admin\AppData\Local\Temp\chew-wga.log

MD5 eb5e6dea505d156f3361543f1935e5f7
SHA1 7437ac3a419e48d3c093f9ec933745bdbe852de1
SHA256 f97a968fffe2d26441b7477dec4f8c311252a70c8d74e605d1a0043b8cc063b5
SHA512 3a7c040ed698b15e5cba6caff70a2ed6d81786b8445131d0e6bd2f1cd4dbc0889d2490431364bdc5774dff8748ef20a5ac0eaaa389f27f5a10e0f565e63a8ce2

C:\Users\Admin\AppData\Local\Temp\chew-wga.log

MD5 7c51b4f1c30ca5a550cf2bec27673639
SHA1 f9dcb2f614a1d02b31cb772aef4444854b7d41b1
SHA256 b7a816db731b37bde5adbf88a3acd568f61c0f640599fac5c150f3882de3085e
SHA512 c58a11c5c92d70e039f3bd8902ebb639a3d558e7c681b0786d4074222eb98e34cef50a6e70f89134830545314b00a67d74e5a5ba3f3a965cc23018f85b4dde96

C:\Users\Admin\AppData\Local\Temp\chew-wga.log

MD5 dc5cbae22d4fff9c8c03c6918390b983
SHA1 257b339e94036c7a35ff6a703f551bf672e16998
SHA256 37f4d9d5eaaf37e8b35fec1fc42c59ab79071f6b777e7da3cc06ae9d1ffbc2b1
SHA512 bb37952d179f47b19ebcb54c361a369d9e78cb2e3dbb22864fdef03f517f810e255ad6d22ba956959c0ea624cbbe7f250d099687a15a04bba75dd4e958d28bfd

C:\Users\Admin\AppData\Local\Temp\chew-wga.log

MD5 8d86e0c6b4e2506e3effe0701428ab28
SHA1 30486e6b91bdb0133ad6fedd1d56c14eb836e02c
SHA256 df9260f43f0108a685773d89208f8fa9c8c7564953c993e8104afce55cfac2bc
SHA512 f1dba24dbeb65d7541247a70abb741523af16f6822b380440af35b05ce0be67b4586ad76d521045c1a24c78d216a2a4c2dfc13d15625ebe54c033084f6d465b7

C:\Users\Admin\AppData\Local\Temp\tRkf2d52.UA3

MD5 a1358365f7bc1b2fe75dd56f9d75ada1
SHA1 4d347882e283fed7297758ee820d403335fc7839
SHA256 d6300d721484277e73cb695965b3980348dd3a005c5aa7b0dd711649c2afbf50
SHA512 5c153b51d851cc08c376004cb253960cbe707c5a239478b9ed343e87d25af952d5bbff0b3506b27682499d87c73cfbd2af0016db98359d39ca32e6250886a83e

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\b64_original

MD5 b5d219bff6f911b6a8d77cee467d8384
SHA1 4ab378126674875646c9dcbd361d3c1d95019c79
SHA256 8aa58bc72593b3678f77d92d4f6ae9beae6a704c78f773ec6927728afaba30e0
SHA512 7e597df4c8dfb01de5945b0b250f5a8c25a85b30ef5201ea5e2f1016013c50464ac544f74cb5fec43ab5c3e20bd0ae6f4054d20418a677a80ba682614922ba95

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\a64_patched

MD5 96119226320b3b2a80e87fdb9d446ba0
SHA1 6fb6e603542ada336451c0f8af79e791f65b51ee
SHA256 041f6d11a1c631b9868c52ca4b8636dc9ca443b3a786bcf13c3477bdcb8a0551
SHA512 dbf894aab1b2fd826059bf685327688f1b8059dfb523d9fc25acd69ff3ed507d4d080bdacb6bfaa85e5a4de8bcb1bd7d2326f048cb9cd716f169ad1f20d1bf3c

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\t1.txt

MD5 500cf1681dda5a94296d684421ce1329
SHA1 8d117d0dfb98c5b9a18eece31d52be17dc4faddf
SHA256 c5e2e7fa58c4734d9fe7d7a3d2519f49f915a8c9b74f66d883d6f945e8dc88e0
SHA512 4d827e96d0d6333690c9777144525a929cbf68273d3ce67b7f1d53a2eb2cc20feca9cb073d12d0575eae0631b8cd03856044cd6f987799b8780844b3246b773b

C:\Users\Admin\AppData\Local\Temp\chew-wga.log

MD5 6d3b472992d43d60fcb7d4d8a67522d9
SHA1 e7fef7336963ace9148aa743b338b04ed10a3df9
SHA256 69cd55afc5793cbb5d5b6551330864e21a43555d0de9874d7a68b5f0a7cc3cd7
SHA512 eb08104a34de66562e60abb589f036a1f2052e8d639e0bd33ffa111e195411c4699734edd156451fa3a4cf97d2c521efbe4cf82f133e3d4f2948e345498988fe

C:\Users\Admin\AppData\Local\Temp\tRkf2d52.UA3

MD5 1d9250f82ec5c5df4758eb30ee12a80a
SHA1 32faf2f750fbf1fff8d26675b41574a4912a1f6c
SHA256 085952fdefba04d9bab4c3058ad4882194bf8e5241f805992e529c46008ba400
SHA512 773971e6738fc0ee24711cbc2b92e7a5914be9727fd0302ba1eeab9ac5a63ada4aa6d05215a60c3da9d77338943f9ad19aabcf822518d7f1bdd033548d9d543c

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\a32_patched

MD5 4ee1f86f0380ee6f57c5283d945861ea
SHA1 3a2fb4421b35cd7fe7e133da4160e4b1995ff55d
SHA256 8c64b02a9fd13c870085f72f70524f119e5b3192a9fe2112b0dd4a565b942416
SHA512 f43f70827ec03517e0cc177fc709876612ba0a4055a83893ff6f920d72222ad9c23e1cb962666eef844e9c919d9dc7c6dc295a6938297aae3e24e8f353ec0506

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\a64_patched

MD5 6e62eaf8a35ae3801ce0554fb140a84a
SHA1 ba1f56c430a222e753cd1f5322136f8726247cf3
SHA256 b9fa2d3bf26702806fc394521e57c9d65825ee40923a663af5e8b568646d1f11
SHA512 6628fc3f5b6ec82d54b1dcd1f2dfc32744d57e9a88a6ffeb571730016eb52675db208b9d350c251df1e235e0da23893b7b2697bde03ca38e1aec3498544400d3

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\b64_patched

MD5 82e679d6a609830a09b2fb6511b543d5
SHA1 6072ac3deb1cadb02977533bb31aee96815e6a2c
SHA256 44b83f38059ad417a580050266adb572bff501ad959df42b8d9cd318c5029870
SHA512 08ed010b16a9e8e34ddf336f8129cb73aa4e474dd336777a2d5172875e71b0d8f8ab54fda4638b7e2f668c4c11db024c824a81b499fed513fd8f1a73ca261d43

C:\Users\Admin\AppData\Local\Temp\tRkf2d52.UA3

MD5 2a6cdfcac99775cf627baa0c492822b1
SHA1 31f342298c7c5d2670b1e4245aba10d9d9a03722
SHA256 2650008d81826d69558bed947b98e7e2767eefcaa136b7b3fabf9fb7897532f0
SHA512 556bd12254469941b09ee58f9e8643b1cf37d8f0c1699a7960ac93c9fedd835f6a8d51d530a90f2f3db2677aa2887c63b19b8a5f2be751c7e4a5e95452d24708

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\a32_patched

MD5 8626f0c30d4e3564ffdd25c90f4426f1
SHA1 a42a6b0af9f6b6cc92ade441f13d8eb54405b75a
SHA256 48095e57661edf47e44f8315dbe6372757449493a84e0166d69051299e1873f6
SHA512 d949f703875e8403eed0dc6eea573b8ef61f43d7d06a9cc2edd4d74f2e019eaaad40c8d7040db0f0870da124a7fa4471c0258b8af704e9900eac93e5eac27a0b

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\b64_patched

MD5 2c9cc9f492ca596b1b9fc1ae5e916356
SHA1 553a6b184f2c4f77a2483daf9ea027e4e35a1516
SHA256 267377ea0e565b378ee37cf862654cc8717a8d54fccee7ae8110e95981d2c418
SHA512 fb2704402a338e9784ea6754ecb8efeb4334e834682d7af5ecc8a632d1dfd434bb2237398620d46573c28332cb0b62004e3a4cb8ff79da6c6e71c8c0cb63405a

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\a64_patched

MD5 e573bd9ab55c8e333c202b9e255f972e
SHA1 460bde795885134b48465dc73797db695af33e1f
SHA256 79bec0da770265d1a525330b2e732e055edde617bcc2848c2742492f9dbc881e
SHA512 bcae097591cbc66e20771ef69e6544e5f951e0821b8d2a4779e524c542e5ad1d75ff683a15a76f5577e1e1389f4058cd36da7d0c785c504b2305cc144dc7b4bf

C:\Users\Admin\AppData\Local\Temp\tRkf2d52.UA3

MD5 12bd808641c2e93c05d209f95e8d7cd4
SHA1 2c25caff2c87866672420af1a68109fe371f65a1
SHA256 5f97e448aa07b1377fcb74f35ba821a0e9dc5655b9b29bb1a6040a89e308663d
SHA512 863ad404d10028ac19c7021ddb6896987e8d37bba72cb07204c09b41220cc1711ca49da82f01241697e0c11f021d45a48be87e8fd8079520db2d97ea006a49f5

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\a64_patched

MD5 b6d47606cc11ba2c58f12fe01983f77c
SHA1 a7046870240beb9555991020981d398af7ac56e8
SHA256 e6746e6f90d311bb769394ea1247f04f669184a08ecb2a8b237aa5185414dc1b
SHA512 729962ac9d8cc2bdfc8f1d2f66e9aeddaef819d9d6b6e4aa235196045558c0ff0ffa0925e7e0a1ebf608ee886d58e1dea91fda82456da25ee1fde65547fbee11

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\install-error.jpg

MD5 68ec09592f71a542470246c5522d4636
SHA1 61d2c3b7621c0c77fd91f7e6dacecd25bd49d69e
SHA256 d15a87cb382ddf6efea8cad0ac82fd3ee72db4f775ba4d22ca7bea9cdba20960
SHA512 d7d0da635faad6a2e56eadbaa1d83fb466e450bb69b37b67a08980da63393493b8fa6b48bcb6fbb1ce4512f7af17f4e5dd58654b3e8f9af79ca649b60cc62f5d

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\c0.enc

MD5 97b53e8a8394f391b866fe0764681537
SHA1 a3e2117b6d1c4e6dae48363212768889a0a3a3e3
SHA256 ff9a5928782f0496d8d350bc047ba2f4d61c87492c303c9b805ee3686eae064e
SHA512 53315dfb3f9c27aed07564bee8e5441c276162d117fd438d96961dd02e39488930dcff9cf9d3e34fd92d36e3a18c44386a00e261a756a534a543cf62fc979af0

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\c5.enc

MD5 a39e341d6a68ea661b9eb5e7707edf37
SHA1 521d8bd813225a750324e215fb73146ffcb3f1f4
SHA256 02c7096dd821d2fdffd7263e7adf62efc4a41584ee3c35d409999a317457ad5e
SHA512 0212e53116f0e1ec18a4acd1e89cee39fb56ccfe1aed3e0366e716a43b2dfc4a3b0108672f41570eab2b17763c7b1e7ff3d8bffc7cb259d60d6f719e2a70bf70

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\c4.enc

MD5 9edf4f042ffb616d2d139b3e36000cf2
SHA1 79c988f96a635803951dbed0bdc257206380bc8f
SHA256 4ab24958c0986641bdfbbfd5df57a0f8f354e6a8f88f33b09bd6d9d9ae934df3
SHA512 2a42391ffc1bcc8622a56f7564958270986493eaa8d679e5dd96a333bd2a4b210f3bfba975cada8dc5bec4bee37c0a061d741abc47451eff81704d6870cce347

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\c2.enc

MD5 b3e970d171604bdef71809e63df44ff2
SHA1 a32858da162478b94e0cf1ff0dd4a821d859e69f
SHA256 b64bbed7e4d8a544261555a37ec2df1445ca4c38f0f49e9618f16f80d48ddf4b
SHA512 8b937a81fcbb99619f11bb13b888459c8bc68981bc01301aeeec204216592a3eea9de7619212c79e002580d41b4d2fbe1741e649940ac0b26d5e44ad600118cb

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\c3.enc

MD5 823903ea3ea1ce97ebed801e6306f08d
SHA1 e4bdee37c87fa4f89136f04de807c0ab68610b6b
SHA256 743e073e703800d853028da31eb19e69922bddffa00d4c207e31c173754d9e83
SHA512 d930d773902d2681760afec5ee979f6f38976635087a4f7d0e99e791b8880cc822cdb858510dc42f013693363336605ea962e95dcc9caae3620955a6cd2a9349

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\c1.enc

MD5 5d280b2b82ebdbb4bad1b316f4b9b7cc
SHA1 7ca1173bf828c1bd78fb151bac7de7c2d9d867ed
SHA256 6eca38bc2c7d230d3e3b79ec49be46e553d6abd287c7c9b05571658460d2b6cd
SHA512 6a2b67aec6c274010de351ebef717eb64867b4b75859025eb489e2f95be8fff732314ffece5dae0e496cbf870f5cf25931748b0e832bfea41c83220841de5460

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\b64_original

MD5 66dd0b0d1cd1ec6c5964b158374ebe7f
SHA1 3fe75a3ba8602ef073f37b167115125cd4a2b0e3
SHA256 7ab75618ece4118dfeb518f490ddcbb8db904857f9eecb50f672f001ce1e53d2
SHA512 d6f92c672278a0eff3db661bdacee42adb4a301033937202c0709f3893540e9d23123fe916a53fd418161b469b81fb4b336b0fb7fa0133dc5839b72ed25145f9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 ecd8ebd0d441c0b49b641fbcd5444d17
SHA1 75760164655f0e440880cfb868a10a01b67b6c90
SHA256 f46d8cdf1812d342e3b49ee242fdba78935d597ccdf86989d165e28696cf62b7
SHA512 99913f343bc9df93bcd6d789c4ddb2378e7f49778836e844bee55de79a98c39a9793331a22c2e6b6f171fd3289c77586a4e32b9d9bbcefd68a0029f6d11d2256

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

MD5 f732dbed9289177d15e236d0f8f2ddd3
SHA1 53f822af51b014bc3d4b575865d9c3ef0e4debde
SHA256 2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93
SHA512 b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

\??\pipe\crashpad_2472_PXFOSHBPAITKYKSD

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\e2d14c00-eeda-4b41-abed-ef188996cc93.tmp

MD5 ed41a0e8eccb79860b8733ee64f52cab
SHA1 c0b331ad2cb7ec69265ae3b21179ae9218751980
SHA256 c19fa9c4031b624c44b55397a814020bfbe5454e3b44dc14b89a0a7235f8d571
SHA512 a3449739203e5be2d3881ff4d011e1d141bf6301a0377fcd2e2fa51c2b6148b217c2d998f47e017b5b2c9aaf46a1d6f09a59482be64beb7ca4b69fbac77173e0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58